
Quebec’s Draft Regulation on Anonymization of Personal Information

This article is part of our Law 25 Blog Series, which provides readers with a 360° view on Law 25 (formerly known as Bill 64) and its sweeping amendments to Quebec’s Act respecting the protection of personal information in the private sector (the “Act”). To view other blog posts in the series, please visit this page. We have also put together a comprehensive toolkit for organizations looking for resources to understand and ensure that they are compliant with Law 25. This toolkit can be found here.

On December 20, 2023, the draft regulation for the anonymization of personal information (the “Draft Regulation”) was published in the Gazette officielle du Québec. The Draft Regulation provides organizations with details regarding the requirements that must be respected to lawfully anonymize personal information (“PI”). This article provides an overview of the anonymization framework set out in the Act and then unpacks the new Draft Regulation. An English version of the Draft Regulation is available here, and a French version is available here.

1. Overview of the anonymization framework set out in the Act

As of September 22, 2023, organizations operating in Quebec or handling the PI of Quebec residents are subject to a host of new obligations (we have summarized these obligations in a previous article). Among these new obligations are rules governing the retention, destruction and anonymization of PI set out under section 23 of the Act.

  1. Where the purposes for which personal information was collected or used are achieved, the person carrying on an enterprise must destroy the information, or anonymize it to use it for serious and legitimate purposes, subject to any preservation period provided for by an Act.

    For the purposes of this Act, information concerning a natural person is anonymized if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly. Information anonymized under this Act must be anonymized according to generally accepted best practices and according to the criteria and terms determined by regulation.

Once the purposes for which PI was collected or used are achieved and subject to any retention period provided by law, organizations must either destroy the information or, if the criteria set out in section 23 are met, anonymize it.

There are multiple layers to the criteria that would permit anonymization of PI in lieu of its deletion, including the following:

  1. Pre-anonymization process. The organization must have in mind a serious and legitimate purpose for anonymizing PI.
  2. Anonymization process. The Act points to components of a lawful anonymization process.
    1. First, the process must follow “generally accepted best practices”. Without much guidance on what this means, we imagine that this could entail retaining the services of a reputable service provider who offers technical commitments that the anonymization process will yield the legally required anonymization results (as set out below). This might also include abiding by internationally recognized standards, such as ISO/IEC 27559:2022 – Information security, cybersecurity and privacy protection – Privacy enhancing data de-identification framework (note that despite the term “de-identification” in the standard, it has been drafted in a manner to be essentially agnostic as regards more nuanced legal distinctions between “de-identification” and “anonymization”).
    2. Second, the process must respect the criteria and terms set out in regulation, namely the finalized version of the newly released Draft Regulation.
  3. Anonymization results. For PI to be anonymized, it must at all times be reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly. This differentiates anonymization from de-identification, which is a softer process which excludes the irreversibility factor and indirect re-identification risk (see section 12 of the Act). De-identified PI is still considered to be PI.

The Commission d’accès à l’information du Québec (Quebec’s privacy commissioner) has taken the position that organizations cannot rely on anonymization as an alternative to destruction until the government regulation on anonymization is finalized. On its Espace évolutif, the commissioner notes: “En l’absence de règlement du gouvernement, les organismes et les entreprises ne pourront pas anonymiser des renseignements personnels.” This informally translates to: “In the absence of regulation by the government, organizations and enterprises cannot anonymize personal information”. Thus, the Draft Regulation marks the opening of a crucial (and final) piece of the anonymization puzzle.

2. The Draft Regulation

The Draft Regulation provides a process to manage the life-cycle of PI anonymization. It begins by reinforcing the pre-anonymization process of determining serious and legitimate purposes for the anonymization. Should the purposes change, the organization must assess the seriousness and legitimacy of the new purposes.

The Draft Regulation’s main focus is on the actual anonymization process. Here is a summary of the requirements.

Qualified personnel. The process must be supervised by a person qualified in the field.

Preliminary risk assessment. The organization removes from the dataset information allowing for direct identification of individuals, and then conducts a preliminary re-identification risk assessment. The risk assessment focuses on three criteria: the inability to connect datasets concerning the same person (correlation criterion); the inability to isolate or distinguish a person within a dataset (individualization criterion); and the inability to infer personal information from other available information (inference criterion). The assessment also considers “the risks of other information available, in particular in the public space, being used to identify a person directly or indirectly.”

Anonymization measures. The organization identifies appropriate anonymization techniques and protection measures in light of the risks uncovered during the preliminary risk assessment.

Subsequent risk assessment. The organization tests the efficacy of the anonymization measures. The results must show that the risk of re-identification is very low (not necessarily zero risk). The degree of risk tolerance (which must always be very low) should take into account the following elements: “(1) the circumstances related to the anonymization of personal information, in particular the purposes for which the body intends to use the anonymized information; (2) the nature of the information; (3) the individualization criterion, the correlation criterion and the inference criterion; (4) the risks of other information available, in particular in the public space, being used to identify a person directly or indirectly; and (5) the measures required to re-identify the persons, taking into account the efforts, resources and expertise required to implement those measures.”

Periodic testing. The organization must conduct regular risk assessments to ensure that the information remains anonymized, taking into consideration technological advancements that might contribute to re-identification. No indication is given of the expected frequency of such tests.

Record keeping. The organization must maintain a register which records the following information: (1) a description of the anonymized PI; (2) the purposes for anonymization; (3) the anonymization measures used; (4) a summary of the results of the risk assessments; and (5) the date on which each risk assessment is completed.

3. Conclusion

The Draft Regulation is subject to a 45-day public consultation period, which began on December 20, 2023. While the contents might change, the current draft provides some clarity as to what the government’s expectations are with respect to anonymization.

An organization that intends to anonymize PI must first take a step back and ensure that it has taken other critical compliance steps. Being able to comply with the anonymization requirements necessarily means that the organization has policies and procedures in place that set out clear roles and responsibilities with respect to the organization’s management of PI, an inventory of PI that it processes and a clear information retention program that establishes applicable legal retention periods.

The cost of not prioritizing compliance with the Act is significant, with penal fines as high as the greater of $25 million or 4% of worldwide turnover for the preceding fiscal year (which amounts can be doubled for repeat offences) and monetary administrative penalties of up to the greater of $10 million or 2% of worldwide turnover for the preceding fiscal year.

To learn more about how our Cyber/Data Group can help you navigate the cyber and data landscape, please contact our national co-leaders Charles Morgan and Daniel Glover.

For more details, you can also refer to McCarthy Tétrault’s Law 25 Compliance Toolkit.
