On May 15, 2024, the government of Quebec published the final version of the Regulation respecting the anonymization of personal information (Anonymization Regulation), which establishes the requirements that organizations subject to Quebec’s private sector privacy legislation must comply with when anonymizing personal information.
Background
The Anonymization Regulation builds on comprehensive amendments to Quebec’s Act respecting the protection of personal information in the private sector (Quebec Privacy Act) that were enacted through An Act to modernize legislative provisions as regards the protection of personal information (introduced as Bill 64 and sanctioned as Law 25). The bulk of these amendments came into force in September 2023. For more information on the new obligations prescribed by the Quebec Privacy Act as amended, please see our Blakes Bulletin: New Quebec Privacy Law Obligations Coming: Is Your Organization Ready?
As a result of these amendments, Section 23 of the Quebec Privacy Act prescribes requirements specific to the destruction or anonymization of personal information that is collected or used by an organization:
23. Where the purposes for which personal information was collected or used are achieved, the person carrying on an enterprise must destroy the information, or anonymize it to use it for serious and legitimate purposes, subject to any preservation period provided for by an Act.
For the purposes of this Act, information concerning a natural person is anonymized if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly.
Information anonymized under this Act must be anonymized according to generally accepted best practices and according to the criteria and terms determined by regulation.
(emphasis added)
In short, once the purposes for which personal information was collected or used are achieved, the Quebec Privacy Act provided organizations with two choices: destroy the personal information or anonymize it for use only in connection with “serious and legitimate purposes.” However, in the absence of any regulation, there was little clarity on how personal information could be anonymized in a compliant manner, since the Quebec Privacy Act specified that anonymization must be in accordance with both “generally accepted best practices” and “the criteria and terms determined by regulation.” Moreover, the Commission d’accès à l’information du Québec (CAI), Quebec’s privacy regulator, had published guidance stating that organizations would not be able to anonymize personal information until regulations came into force and that anonymization was nearly impossible in light of technological advancements.
The publication of the Anonymization Regulation now provides organizations with a clearer framework for anonymizing personal information in compliance with the Quebec Privacy Act.
Anonymization Process
The Anonymization Regulation sets out a process requiring organizations to take several steps before, during and after anonymizing personal information. The process, which is summarized below, is grounded in analyzing the risks of re-identification with a focus on three criteria: (1) correlation, meaning the inability to connect datasets concerning the same person; (2) individualization, meaning the inability to isolate or distinguish a person within a dataset; and (3) inference, meaning the inability to infer personal information from other available information.
- Before: Prior to anonymizing personal information, the organization must establish the purposes for which it intends to use the anonymized information; these purposes must be consistent with the Quebec Privacy Act.
- During: At the beginning of an anonymization process, an organization must remove all personal information that allows the individual to be directly identified from the information it intends to anonymize.
The organization must then conduct a preliminary analysis of the re-identification risks, considering the individualization, correlation and inference criteria. Based on this analysis, the organization must then establish the anonymization techniques to be used, which must be consistent with generally accepted best practices. The organization must also establish reasonable protection and security measures to reduce re-identification risks.
After implementing these techniques, the organization must conduct an analysis of the re-identification risks, showing that it is, at all times, reasonably foreseeable in the circumstances that the information produced further to a process of anonymization irreversibly no longer allows the person to be identified directly or indirectly. Although it is not necessary to demonstrate that zero risk of re-identification exists, the risks must be “very low,” taking into account certain prescribed elements, including the circumstances related to the anonymization (and in particular, the purposes for which the anonymized information will be used), the nature of the information, and the individualization, correlation and inference criteria.
- After: The organization must regularly evaluate the information it has anonymized to ensure it remains anonymized. The organization must also record certain prescribed information in a register.
Next Steps
The Anonymization Regulation comes into force on May 30, 2024, except in relation to the requirement to record certain prescribed information in a register, which comes into force on January 1, 2025. It provides a clearer framework for anonymization than what is set out in the Quebec Privacy Act and past CAI guidance but imposes several compliance and record-keeping obligations that organizations doing business in Quebec may need to contend with.
Organizations contemplating anonymizing, rather than destroying, personal information that is no longer needed should evaluate their overall personal information handling practices and consider establishing, updating and implementing policies and procedures that address compliance with these new requirements.
For further information, please contact:
or any other member of our Privacy & Data Protection group.
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
For permission to republish this content, please contact the Blakes Client Relations & Marketing Department at [email protected].
© 2024 Blake, Cassels & Graydon LLP