Anonymization Of Personal Information In Québec: The Regulation Respecting The Anonymization Of Personal Information Is Coming Into Force

Langlois Lawyers, LLP

Introduction

On May 15, 2024, the Regulation respecting the anonymization of personal information (the "Regulation")[1] was published in the Gazette officielle du Québec. It comes into force on May 30, 2024.

The Regulation's implementation is highly anticipated, as anonymized information affords significant opportunities to businesses and public bodies, especially in the fields of business intelligence and generative artificial intelligence.

The Regulation sets out a standardized framework for the anonymization of personal information, which was introduced in Law 25 and clarified in the Act respecting the protection of personal information in the private sector[2] (the "Private Sector Privacy Act") and the Act respecting Access to documents held by public bodies and the Protection of personal information[3] (the "Access Act"). As of May 30, 2024, Quebec public bodies, persons carrying on an enterprise, and professional orders will be authorized to anonymize the personal information they hold. Anonymization offers an important alternative to the destruction of personal information after the purposes for which it was collected or used have been achieved (per section 23 of the Private Sector Privacy Act and section 73 of the Access Act).

Anonymizing personal information is a complex process. Here are a few guidelines for implementing the Regulation's terms.

Anonymization and De-Identification

Let's start by clarifying the difference between de-identified and anonymized information.

De-identified information is information that can no longer be directly connected to the person it concerns. For example, it may no longer have the person's name, address, or email attached to it. De-identified information may be subject to certain provisions of the Private Sector Privacy Act and the Access Act. However, de-identifying personal information is not an alternative to destroying it.

The Regulation provides that personal information is anonymized when "it is, at all times, reasonably foreseeable in the circumstances [in which the information is undergoing anonymization] that it irreversibly no longer allows the person to be identified directly or indirectly."[4] Information that has been anonymized per the Regulation can thereafter be used, communicated, and kept without being subject to laws on the protection of personal information (provided such use is compliant with the Regulation).

To sum up, the main distinctions between de-identified and anonymized information are: 1) whether or not the process can be reversed such that the person may once again be directly or indirectly identified, and 2) whether the information was anonymized in keeping with the Regulation. Note that penalties may be levied against someone who "identifies or attempts to identify a natural person using de-identified information without the authorization of the person holding the information or using anonymized information."[5]

The Regulation's guidelines on anonymization

The Regulation prescribes the following steps for anonymizing personal information.

Preliminary steps

1. Qualified supervisor

The anonymization process must be delegated to someone qualified in the field.[6] This may be someone other than the privacy officer if the latter is not qualified in anonymization technology.

2. Purpose

The organization must identify and evaluate what the anonymized information will be used for before initiating the anonymization process.[7] The Private Sector Privacy Act and the Access Act state that bodies may keep anonymized information only if it will be used:

  • For serious and legitimate purposes[8]—that is, valid and justified reasons;
  • In the case of public bodies and professional orders, for public interest purposes[9]—that is, benefitting society as a whole.

These purposes are yet to be defined in practice, but we posit that research, business intelligence, and generative AI training could be among them.

If an organization wishes to use anonymized information for purposes other than those identified before the anonymization process began, it must, before using that anonymized information, ensure that the new purposes are consistent with the Private Sector Privacy Act or the Access Act, as the case may be.[10]

Anonymization process

1. Removal of information that can directly identify a person

At the beginning of the anonymization process, all personal information that enables a person to be directly identified must be removed from the document or database being anonymized.[11]

2. Preliminary analysis of re-identification risks

The organization must then conduct a preliminary analysis of the re-identification risks.[12] This evaluation must be completed with the following criteria in mind:

  • Individualization: the inability to isolate or distinguish a person within a dataset;
  • Correlation: the inability to connect datasets concerning the same person;
  • Inference: the inability to infer personal information from other available personal information;
  • Information available in the public space: the risk that other information available in the public space can be used to identify a person, directly or indirectly.

3. Appropriate anonymization methods

The organization must select the most appropriate anonymization method based on the re-identification risks.[13] The method must be consistent with generally accepted best practices. Absent guidance from the Commission d'accès à l'information, bodies enjoy a degree of flexibility in interpreting this stipulation.

4. Safety measures

Finally, the organization must implement reasonable safety measures in order to reduce re-identification risks.

Re-identification risk analysis and periodic updates

1. Re-identification risk analysis

Once anonymization methods have been implemented, the organization must conduct an analysis of the re-identification risks.[14]

The analysis must show that it is, at all times, reasonably foreseeable that anonymized information no longer allows a person to be identified directly or indirectly, and that this anonymization is irreversible. Though it is not necessary to demonstrate that zero risk exists, the risk must nevertheless remain very low. The analysis must take the following elements into account:

  • The circumstances associated with the anonymization of personal information—for example, the purposes for which the anonymized information will be used;
  • The nature of the information;
  • The individualization, correlation, and inference criteria detailed above, plus the risks associated with other information available in the public space;
  • The measures required to re-identify the persons concerned.

2. Periodic updates

The re-identification risk analysis should be updated periodically, especially in the wake of technological advancements. How often to update the risk analysis should depend on the risks identified in the last analysis.[15]

Anonymization register

As of January 1, 2025,[16] bodies that anonymize the personal information they hold must keep a register to record the following:

  • A description of the personal information that has been anonymized;
  • Its intended use;
  • The anonymization techniques used;
  • The security measures established;
  • The dates on which the re-identification risk analysis was completed and last updated.[17]

Next steps

As the Regulation comes into force, bodies should assess their anonymization needs and how they plan to conform with the Regulation's conditions. If anonymization seems like a strong alternative to destroying personal information, be sure to implement the steps outlined in the Regulation and in this article as you move forward.

Footnotes

1. Regulation respecting the anonymization of personal information, May 15, 2024, Vol. 156, No. 20, s. 10: This Regulation comes into force on 30 May 2024, except section 9 which comes into force on 1 January 2025.

2. Act respecting the protection of personal information in the private sector, CQLR c P-39.1.

3. Act respecting Access to documents held by public bodies and the Protection of personal information, CQLR c A-2.1.

4. Ibid.

5. Private Sector Privacy Act, s. 91.5.

6. Regulation respecting the anonymization of personal information, s. 4.

7. Ibid., s. 3.

8. Ibid., s. 3; Private Sector Privacy Act, s. 23; Access Act, s. 73.

9. Ibid., s. 3; Access Act, s. 73.

10. Ibid., s. 3, para. 2.

11. Ibid., s. 5.

12. Ibid., s. 2; s. 5, para. 2.

13. Ibid., s. 6.

14. Ibid., s. 7.

15. Ibid., s. 8.

16. Ibid., ss. 9 and 10.

17. Ibid., s. 9.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
