The final version of Québec's Anonymization Regulation has arrived, with most requirements coming into force on May 30, 2024. For an overview of the anonymization process, refer to our updated flow chart.
Coming into force
The Act Respecting the Protection of Personal Information in the Private Sector and the Act respecting Access to documents held by public bodies and the Protection of personal information as amended by the Act to modernise legislative provisions as regards the protection of personal information (together the "Québec Privacy Legislation"), govern the collection, use and communication of personal information in Québec.
Québec Privacy Legislation stipulates that organizations must destroy personal information once the purposes for which it was collected have been achieved unless its retention is required to comply with applicable laws. As an alternative to destruction, Québec Privacy Legislation allows organizations to anonymize personal information if it is used for serious and legitimate purposes.
On December 20, 2023, the draft Regulation respecting the anonymization of personal information ("Anonymization Regulation") was published. For an overview of the anonymization process defined by the draft Anonymization Regulation and our comments prepared for the Secrétariat à la réforme des institutions démocratiques, à l'accès à l'information et à la laïcité public consultation, please refer to our previous publication.
The final version of the Anonymization Regulation, which was published on May 15, 2024, in Gazette No. 20, came into force on May 30, 2024. Exceptionally, the obligation to maintain an anonymization register will come into force on January 1, 2025.
Summary of changes
The final version of the Anonymization Regulation is largely similar to the draft, but there are some key updates:
- The term "anonymized personal information", an oxymoron, has been revised to "anonymized information."
- A reasonableness standard has been included throughout the Anonymization Regulation, namely in the context of conducting reidentification risk assessments and regarding the establishment of security measures.
- To ensure information remains anonymized, "periodic" assessments (previously "regular") must be conducted at intervals based on residual risk.
- Summaries of reidentification analyses are no longer required in the anonymization registry.
Signals from the Commission d'accès à l'information
By law, the Québec Government is required to consult Québec's privacy commissioner, the Commission d'accès à l'information ("CAI"), before adopting any regulation regarding anonymization. While the CAI's recommendations on this matter were not widely adopted, they offer signals on how the commissioner may enforce anonymization requirements:
- Québec privacy legislation and the Anonymization Regulation only address anonymization as an alternative to destruction at the end of the personal information lifecycle. This raises the question: What guidelines apply to anonymizing personal information earlier in the data lifecycle (e.g., where identified as a purpose of collection, a compatible purpose, or with individual consent)? The CAI has expressed concern about the uncertainty caused by this lack of guidance. They suggested extending the Anonymization Regulation to cover all instances where organizations anonymize personal information. As a result, the CAI may look favourably upon organizations that follow the Anonymization Regulation's process when anonymizing personal information before the end of its lifecycle.
- Québec privacy legislation and the Anonymization Regulation specify that anonymized information may only be used for "serious and legitimate" purposes by enterprises or "public interest" purposes by public bodies. Since these terms are not defined in any law or regulation, their common meanings must be relied upon. However, the CAI has clarified that communicating anonymized information to third parties (except when necessary for lawful mandate or service contract) or selling anonymized information would not be considered "serious and legitimate" or "public interest" purposes.
- The Anonymization Regulation, even in its final form, lacks clear timelines for conducting assessments to ensure information remains anonymized. In their commentary, the CAI suggested conducting these assessments at least annually or whenever an event occurs that could affect reidentification risks.
- Québec Privacy Legislation defines anonymization as an irreversible process. The Anonymization Regulation, however, lowers this threshold to a "low risk of reidentification." The CAI noted in their commentary that the Anonymization Regulation lacks a method for assessing reidentification risk. The CAI insisted that potential consequences of reidentification should be the focus of such assessments.
It remains to be seen if the CAI will publish official guidance on this topic.
For an overview of the personal information anonymization process, as outlined in the new Anonymization Regulation, please see our updated flow chart.
Read the original article on GowlingWLG.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.