Quebec Adopts The Regulation On Anonymization Of Personal Information

McCarthy Tétrault LLP

Contributor

McCarthy Tétrault LLP provides a broad range of legal services, advising on large and complex assignments for Canadian and international interests. The firm has substantial presence in Canada’s major commercial centres and in New York City, US and London, UK.

This article is part of our Law 25 Blog Series, which provides readers with a 360° view on Law 25 (formerly known as Bill 64) and its sweeping amendments to Quebec's Act respecting the protection of personal information in the private sector (the "Act"). To view other blog posts in the series, please visit this page. We have also put together a comprehensive toolkit for organizations looking for resources to understand and ensure that they are compliant with Law 25. This toolkit can be found here.

On May 15, 2024, the regulation for the anonymization of personal information (the "Regulation") was published in the Gazette officielle du Québec. An English version of the Regulation is available here, and a French version is available here. The Regulation provides organizations with details regarding the requirements that must be respected to lawfully anonymize personal information ("PI"). Our prior summary addressed the preliminary draft of the Regulation. This article serves as an update and draws attention to the changes from the draft Regulation.

  1. Overview of the Anonymization Framework Set Out in the Act

As of September 22, 2023, organizations operating in Quebec or handling the PI of Quebec residents have been subject to a host of new obligations (we have summarized these obligations in a previous article). Among these new obligations are rules governing the retention, destruction and anonymization of PI set out at section 23 of the Act.

23. Where the purposes for which personal information was collected or used are achieved, the person carrying on an enterprise must destroy the information, or anonymize it to use it for serious and legitimate purposes, subject to any preservation period provided for by an Act.

For the purposes of this Act, information concerning a natural person is anonymized if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly.

Information anonymized under this Act must be anonymized according to generally accepted best practices and according to the criteria and terms determined by regulation.

Once the purposes for which PI was collected or used are achieved and subject to any retention period provided by law, organizations must either destroy the information or, if the criteria set out in section 23 are met, anonymize it.

There are multiple layers to the criteria that would permit anonymization of PI in lieu of its deletion, including the following:

  • Pre-anonymization Process: The organization must have in mind a serious and legitimate purpose for anonymizing PI.
  • Anonymization Process: The Act points to components of a lawful anonymization process.
    • First, the process must follow "generally accepted best practices". Without much guidance on what this means, we imagine that this could entail retaining the services of a reputable service provider who offers technical commitments that the anonymization process will yield the legally required anonymization results (as set out below). This might also include abiding by internationally recognized standards, such as ISO/IEC 27559:2022 – Information security, cybersecurity and privacy protection – Privacy enhancing data de-identification framework (note that despite the term "de-identification" in the standard, it has been drafted in a manner to be essentially agnostic as regards more nuanced legal distinctions between "de-identification" and "anonymization").
    • Second, and most significantly for the purposes of this article, the process must respect the criteria and terms set out in regulation, namely the recently published Regulation.
  • Anonymization Results: For PI to be anonymized, it must at all times be reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly. This differentiates anonymization from de-identification, which is a softer process which excludes the irreversibility factor and indirect re-identification risk (see section 12 of the Act). De-identified PI is still considered to be PI.

  2. The Regulation

The Regulation provides a process to manage the life-cycle of PI anonymization. It begins by reinforcing the pre-anonymization process of determining serious and legitimate purposes for the anonymization. Should the purposes change, the organization must assess the seriousness and legitimacy of the new purposes.

The Regulation's main focus is on the actual anonymization process. Here is a summary of the requirements.

  • Pre-anonymization Process (Section 3 of the Regulation): Before starting the anonymization process, the organization must establish the purpose for its use of anonymized information. *Note: Originally, the text referred to 'anonymized personal information'. The effort to distinguish between personal information and anonymized information is a new emphasis in the finalized Regulation.
  • Qualified Personnel (Section 4 of the Regulation): The process must be supervised by a person qualified in the field.
  • Preliminary risk assessment (Section 5 of the Regulation): The organization removes from the dataset information allowing for direct identification of individuals, and then conducts a preliminary re-identification risk assessment. The risk assessment focuses on three criteria: the inability to isolate or distinguish a person within a dataset (individualization criterion); the inability to connect datasets concerning the same person (correlation criterion); and the inability to infer personal information from other available information (inference criterion). The assessment also considers "the risks of other reasonably available information, in particular in the public space, being used to identify a person directly or indirectly." *Note: The reasonableness qualifier was added to 'other available information' in the final Regulation.
  • Anonymization Techniques and Measures (Section 6 of the Regulation): The organization identifies appropriate anonymization techniques and reasonable protection measures in light of the risks uncovered during the preliminary risk assessment. *Note: The reasonableness qualifier was added to 'protection measures' in the final Regulation.
  • Subsequent Risk Assessment (Section 7 of the Regulation): The organization tests the efficacy of the anonymization measures. The results must show that the residual risks of re-identification are very low (not necessarily zero risk). The degree of risk tolerance (which must always be very low) should take into account the following elements: "(1) the circumstances related to the anonymization of personal information, in particular the purposes for which the body intends to use the anonymized information; (2) the nature of the information; (3) the individualization criterion, the correlation criterion and the inference criterion; (4) the risks of other reasonably available information, in particular in the public space, being used to identify a person directly or indirectly; and (5) the measures required to re-identify the persons, taking into account the efforts, resources and expertise required to implement those measures." *Note: The term "risk" has been pluralized and the reasonableness qualifier has been added to 'other available information' in the final Regulation.
  • Periodic Assessment (Section 8 of the Regulation): The organization must conduct periodic risk assessments to ensure that the information remains anonymized, taking into consideration technological advancements that might contribute to re-identification. To do so, the organization updates the last version of the assessment. The frequency at which organizations must assess that information remains anonymized is established based on residual risks identified in the most recent prior risk analysis. *Note: The most significant change from the draft version of the Regulation is additional clarity around periodic assessments. First, the assessment must be conducted 'periodically' as opposed to 'regularly', as initially worded in the draft. This appears to ease potential concern that the organization must be reassessing in a continuous manner, rather than at certain intervals of time. Second, the final Regulation makes clear that a periodic assessment is meant to update the last assessment (i.e. it is not a de novo assessment). Third, the Regulation attempts to provide some clarity regarding the intervals between assessments, indicating that there is no 'one-size-fits-all' approach and that organizations must base each interval on residual risk of the prior assessment.
  • Record Keeping (Section 9 of the Regulation): The organization must maintain a register which records the following information: (1) a description of the PI that has been anonymized; (2) the purposes for anonymization; (3) the anonymization measures used; (4) the date on which each risk assessment is completed. *Note: Originally, the text referred to 'anonymized personal information'. The new phraseology seemingly aims to distinguish between personal information and anonymized information. While the rest of this Regulation took effect on May 30th, section 9 will come into force on January 1, 2025.

  3. Conclusion

The Regulation adds further clarity to the government's expectations with respect to anonymization since the release of the draft Regulation in December 2023. It goes slightly further in distancing notions of PI from anonymized information, inserts reasonableness as a consideration across the anonymization process and provides clarity regarding the frequency at which periodic risk assessments should be undertaken. As of May 30, 2024 most of the Regulation is in effect, with the record keeping obligations to follow January 1, 2025.

As Quebec cements its approach to anonymization, the term 'anonymize' is actively being discussed and fine-tuned at the federal level, as the Standing Committee on Industry and Technology (the "INDU Committee") works through amendments to the proposed Consumer Privacy Protection Act (the "CPPA"). See the sessions from April 15 and April 17, 2024. The CPPA is one of three proposed acts housed in Bill C-27, and if passed, would replace the current federal private sector privacy act, the Personal Information Protection and Electronic Documents Act. Most recently, the INDU Committee qualified the risk of reidentification with reasonableness in the circumstances, mirroring the standard in the Act. Concurrently, the INDU Committee also decided against including a reference to "generally accepted best practice", indicating that this might be too broad of a standard. What is noteworthy is the clear and express willingness of the INDU Committee to reasonably align the anonymization standard under the CPPA with that under the Act in Quebec.

We also note that the CPPA (see s. 6(5)) and the GDPR (see paragraph 26 of preamble) both remove anonymized data from the scope of their respective privacy regimes. Meanwhile, the Regulation retains oversight over anonymized information. For instance, section 3 of the Regulation requires that the organization reassess whether the anonymization process remains consistent with the Act if the purposes for anonymization originally assessed change. Additionally, the organization must maintain records of the assessments (including subsequent, periodic assessments) for as long as it holds the anonymized information. The practical outcome of these differences is more onerous obligations for organizations engaging in anonymization of PI in Quebec.

An organization that intends to anonymize PI must first take a step back and ensure that it has taken other critical compliance steps. Being able to comply with the anonymization requirements necessarily means that the organization has policies and procedures in place that set out clear roles and responsibilities with respect to the organization's management of PI, an inventory of PI that it processes and a clear information retention program that establishes applicable legal retention periods.

The cost of not prioritizing compliance with the Act is significant, with penal fines as high as the greater of $25 million or 4% of worldwide turnover for the preceding fiscal year (which amounts can be doubled for repeat offences) and monetary administrative penalties of up to the greater of $10 million or 2% of worldwide turnover for the preceding fiscal year.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
