The aim of this bulletin is to analyze the draft regulation respecting the anonymization of personal information using a comparative law approach. It is divided into four main themes: the concept of anonymization, the anonymization procedure under the draft regulation, European law, and the associated sanctions.

Background

On December 20, 2023, the draft Regulation respecting the anonymization of personal information was officially published.1 This regulation will apply to all private enterprises,2 public bodies and professional orders in Québec.3 It aligns with the concept of "anonymization" introduced into Québec law through Law 25.4 Note that, according to the Commission d'accès à l'information du Québec (the "Commission"), Québec organizations may only anonymize data in accordance with the criteria and terms set out in the draft regulation.5 In other words, the Commission contends that it is impossible to anonymize personal information until such time as the draft regulation is adopted in its final form (the "Regulation"). This is why the new legislative text, which will be examined in this bulletin, is so important.

1. Anonymization, Depersonalization, Pseudonymization—What?

In Québec, as of September 2023, information concerning a natural person is considered to be anonymized "if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly."6

The use of the phrase "at all times" along with the qualifier "irreversibly" in the new law may seem paradoxical or even debatable. In fact, the proliferation of publicly available information online, combined with increasingly powerful computing capabilities, raises reasonable doubts as to how long techniques that are initially considered foolproof will remain effective. In particular, as some cases have demonstrated in the past,7 if the synthetic data replacing direct identifiers in a dataset is assigned by a predetermined algorithm rather than by pure chance, it is possible (even probable) that the resulting data could be re-identified in the future.
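The weakness of deterministic pseudonymization described above can be sketched in a few lines. The example below is purely illustrative (the six-digit identifier format and the use of an unsalted MD5 hash are assumptions for the sake of the demonstration, not details drawn from any actual dataset): where the identifier space is small and the algorithm predetermined, an attacker can simply hash every possible input and rebuild the entire mapping.

```python
import hashlib

# Hypothetical illustration: a 6-digit licence number "anonymized" with an
# unsalted, deterministic MD5 hash. Because the identifier space is small,
# every possible input can be hashed and matched back to its pseudonym.
def pseudonymize(licence: str) -> str:
    return hashlib.md5(licence.encode()).hexdigest()

def build_reversal_table(id_space) -> dict:
    # Exhaustively hash the whole identifier space: ~10^6 hashes, seconds of work.
    return {pseudonymize(i): i for i in id_space}

table = build_reversal_table(f"{n:06d}" for n in range(1_000_000))
pseudonym = pseudonymize("004213")  # a value as it would appear in the published dataset
print(table[pseudonym])             # prints 004213: the original identifier is recovered
```

This is why the Draft Regulation's emphasis on re-identification risk, rather than on the mere removal or replacement of identifiers, matters in practice.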

The Draft Regulation recognizes this multi-faceted reality and, in some respects, even seems to contradict the most radically worded parts of the existing legislation. In the European Union, as early as 2014,8 the advisory body on data protection recognized that "no technique is devoid of shortcomings per se"9 and advocated an approach based on the risk of re-identification.

If a dataset fails the anonymity test (discussed below), it can at best be considered depersonalized (or pseudonymized, in European terminology):10 it will always be possible to indirectly identify the individual concerned by linking the data to other available information, by inference, or by other methods discussed further below.11 Unlike anonymization, depersonalization is therefore reversible. For organizations, this distinction is paramount: unlike depersonalization, anonymization frees the resulting data from the legal restrictions governing personal information, as discussed in the next section. It should also be noted that, even before the coming into force of the relevant amendments, the Commission had already determined that information disclosing attributes related to a natural person, and making that person indirectly distinguishable within a group of individuals by means of a unique number, constitutes personal information.12

In the European Union, under the General Data Protection Regulation ("GDPR"), pseudonymization is "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person."13 Pseudonymization, like depersonalization in Québec, allows data to be processed without directly identifying the individuals concerned and is more akin to a security measure14 than to a means of avoiding application of the law.
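As a rough illustration of the GDPR definition just quoted, the sketch below replaces a direct identifier with a random token and keeps the token-to-identity mapping apart from the working dataset. All field names are hypothetical, and a plain dictionary stands in for what would, in practice, be the separately secured "additional information":

```python
import secrets

# Hypothetical sketch of GDPR-style pseudonymization: direct identifiers are
# replaced with random tokens, and the mapping back to identities (the
# "additional information") is kept separately, under its own controls.
def pseudonymize_records(records, key_store):
    out = []
    for rec in records:
        token = secrets.token_hex(8)    # random, not derived from the data itself
        key_store[token] = rec["name"]  # stored apart from the working dataset
        out.append({"id": token, "diagnosis": rec["diagnosis"]})
    return out

key_store = {}  # in practice: a separate, access-controlled system
data = [{"name": "Alice", "diagnosis": "flu"}]
pseudo = pseudonymize_records(data, key_store)

assert "name" not in pseudo[0]                   # the working dataset names no one...
assert key_store[pseudo[0]["id"]] == "Alice"     # ...but the key holder can re-identify
```

The second assertion is the point: the process remains reversible for whoever holds the mapping, which is precisely why pseudonymized data stays within the scope of the law.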

2. What to Do: The Anonymization Procedure Under the Draft Regulation

Where, and more importantly, how is the line drawn between anonymity and pseudonymity?

The Draft Regulation aims to address this issue by setting out a protocol and guidelines to be followed by organizations before, during and after anonymization processes are performed. The procedure in the Draft Regulation can be divided into four steps:

I. Preparatory phase: Designating a person in charge and validating the intended purposes for the data resulting from anonymization

Any organization that wishes to properly anonymize personal information must first designate someone to oversee the process. The Draft Regulation specifically states that anonymization "must be carried out under the supervision of a person qualified in the field."15 Unlike privacy impact assessments ("PIAs") and other procedures made mandatory under the laws, the role of "supervisor" is not assigned to the new role of Privacy Officer ("PO"). As such, any employee or consultant whose skills are more technical than the PO's may be suitable for the role.

Next, the organization's purposes for using the anonymized information must be identified and validated.16 Under the Act respecting the protection of personal information in the private sector, "[w]here the purposes for which personal information was collected or used are achieved, the person carrying on an enterprise must destroy the information, or anonymize it to use it for serious and legitimate purposes, subject to any preservation period provided for by an Act."17 In the Act respecting Access to documents held by public bodies and the Protection of personal information, the concept of "serious and legitimate purposes" is replaced by "public interest purposes."18

Note that both the Act respecting the protection of personal information in the private sector19 and the Civil Code of Québec20 already provide that the collection of personal information and the establishment of a file on an individual (as the case may be) must be for a "serious and legitimate reason." In this regard, the case law has shown that the use of the qualifier "legitimate" in relation to the serious reason required by the law implies that the purpose must not be unlawful.21 In our view, it is strange that the legislator has extended the scope of application of these laws to the handling of anonymized data when this data is no longer characterized as personal information and therefore would no longer be subject to such laws.22

At this preliminary stage, it is not clear whether a PIA is required before initiating an anonymization process. In this regard, the laws provide that a PIA is required ahead of "any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information."

Anonymization is distinguished from destruction23 and use24 operations under Québec legislation, so there is some doubt as to whether the requirement to conduct the PIA would be triggered before starting an anonymization project.

II. Preliminary analysis phase: Filtering direct identifiers, analyzing the risk of re-identification and determining the appropriate techniques

a. Filtering direct identifiers

Once the preliminary phase is complete, organizations must purge the database25 of any direct identifiers (e.g., email addresses, full names and social insurance numbers).26 However, indirect identifiers or quasi-identifiers27 might still remain; these will be the subject of the risk analysis described below.
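A minimal sketch of this filtering step might look as follows. The list of direct identifiers is a hypothetical example; the Draft Regulation does not prescribe a specific set of fields:

```python
# Illustrative first step: dropping columns that directly identify a person.
# The field names below are invented for the example.
DIRECT_IDENTIFIERS = {"full_name", "email", "sin"}  # sin = social insurance number

def strip_direct_identifiers(records):
    return [{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            for rec in records]

records = [{"full_name": "Alice Roy", "email": "a@example.com",
            "sin": "123-456-789", "postal_code": "H2X 1Y6", "birth_year": 1990}]
cleaned = strip_direct_identifiers(records)
print(cleaned)  # quasi-identifiers (postal_code, birth_year) remain and still need analysis
```

As the comment notes, this step alone proves nothing: the remaining quasi-identifiers are exactly what the next phase must analyze.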

b. Preliminary analysis of re-identification risks

Next, the dataset, now composed of indirect identifiers and quasi-identifiers, must undergo a preliminary analysis of the re-identification risks based on the following criteria, derived from the European interpretation:28

  • Individualization ("singling out"): the inability to isolate or distinguish a person within a dataset. For example, a dataset showing the residential address and date of birth of the individuals concerned fails this criterion, since it makes it simple to trace their identities individually.
  • Correlation ("linkability"): the inability to link datasets concerning the same person. For example, two separate datasets associated with the same unique reference or identification number fail this criterion, since they can be combined.
  • Inference: the inability to infer personal information from other available information. For example, a database containing individuals' jobs and cities of residence fails this criterion where only one person holds a given job in a given city, since that person's identity can easily be traced.

Lastly, the risk that other available information,29 particularly in the public domain, will be used to directly or indirectly identify an individual must also be analyzed during this preliminary phase.30 We feel that this fourth factor will be very difficult to implement, as large public databases are becoming more common.31 How can it be proven that, of all the databases in existence, none can be used to draw an inference about an individual?
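The first of the criteria above lends itself to a crude automated check: counting how many records share each combination of quasi-identifiers. The sketch below is a simplified illustration with invented field names, not a method prescribed by the Draft Regulation:

```python
from collections import Counter

# Crude check of the "individualization" criterion: any combination of
# quasi-identifier values that appears only once singles out one person.
def singled_out(records, quasi_identifiers):
    counts = Counter(tuple(rec[q] for q in quasi_identifiers) for rec in records)
    return [combo for combo, n in counts.items() if n == 1]

records = [
    {"city": "Québec", "job": "notary"},
    {"city": "Québec", "job": "teacher"},
    {"city": "Québec", "job": "teacher"},
]
unique = singled_out(records, ["city", "job"])
print(unique)  # [('Québec', 'notary')] — the lone notary can be singled out
```

This mirrors the inference example given above: the one person holding a given job in a given city is exactly the record such a check flags.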

c. Determining the appropriate anonymization techniques

The appropriate anonymization techniques and protective and security measures will need to be determined by each organization in order to meet the re-identification risk analysis criteria identified in the previous phase.32 Subject to the results of the preliminary analysis and the recommendations of a technical expert, the techniques can be grouped into two categories:

  1. Those related to randomization (for example, the addition of noise, permutation, and differential privacy); and
  2. Those considered to be generalization techniques (such as aggregation and k-anonymity).33

Other, newer techniques, such as data synthesis,34 may also be considered.
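By way of illustration only, k-anonymity, one of the generalization techniques cited above, can be sketched as coarsening quasi-identifiers until every combination of values appears at least k times. The fields, the age-band generalization and the threshold below are all hypothetical:

```python
from collections import Counter

# Illustrative k-anonymity sketch: exact ages are generalized into decade
# bands so that no combination of quasi-identifiers is rarer than k records.
def generalize(rec):
    return {"age_band": f"{rec['age'] // 10 * 10}s", "city": rec["city"]}

def is_k_anonymous(records, k):
    counts = Counter(tuple(sorted(r.items())) for r in records)
    return all(n >= k for n in counts.values())

raw = [{"age": 34, "city": "Montréal"}, {"age": 37, "city": "Montréal"},
       {"age": 31, "city": "Montréal"}]
coarse = [generalize(r) for r in raw]
print(is_k_anonymous(coarse, k=3))  # True: all three fall into the "30s / Montréal" class
```

Note that k-anonymity addresses individualization but not, on its own, inference or correlation, which is one reason the Draft Regulation requires a separate risk analysis rather than endorsing any single technique.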

III. Implementation phase: A deeper analysis of the re-identification risks

Following the implementation of the anonymization techniques identified, the organization must thoroughly analyze the re-identification risks using the resulting data. This analysis must demonstrate that "it is, at all times, reasonably foreseeable in the circumstances that the information produced further to a process of anonymization irreversibly no longer allows the person to be identified directly or indirectly."35

Although the risk of re-identification does not have to be zero, it must be very low, taking the following criteria into account:

  • the circumstances related to the anonymization of personal information, in particular the purposes for which it is to be used, as well as the means of disseminating the resulting data (private dissemination governed by an agreement with robust security requirements, versus a public sharing model where the public can access the resulting data);
  • the nature of the personal information;
  • the key criteria listed above (individualization, correlation and inference) and the risk that other available information, particularly in the public space (domain), will be used to directly or indirectly identify an individual;
  • the measures required to re-identify the persons, taking into account the efforts, resources and expertise required to implement those measures.36
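One common quantitative proxy for the residual risk assessed at this stage is the proportion of records that remain unique on their quasi-identifiers. The sketch below is illustrative only; neither this metric nor any numerical threshold is mandated by the Draft Regulation, which leaves "very low" to contextual judgment:

```python
from collections import Counter

# Illustrative risk proxy: the share of records whose quasi-identifier
# combination appears exactly once in the dataset (field names invented).
def uniqueness_rate(records, quasi_identifiers):
    counts = Counter(tuple(rec[q] for q in quasi_identifiers) for rec in records)
    unique = sum(1 for n in counts.values() if n == 1)
    return unique / len(records)

records = [{"region": "Estrie", "decade": "1980s"}] * 9 + \
          [{"region": "Nord-du-Québec", "decade": "1930s"}]
print(uniqueness_rate(records, ["region", "decade"]))  # 0.1 — one record in ten is unique
```

A metric like this can feed the documented analysis, but the criteria listed above (purposes, dissemination model, nature of the information, re-identification effort) remain qualitative factors that no single number captures.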

IV. Final phase: Keeping a register and re-assessment of risks

Lastly, in addition to regularly updating37 the analysis of re-identification risks, organizations will have to maintain a register on the anonymization of personal information.38

3. What About Elsewhere?

The proposed Québec legislation is largely based on European developments in this area, in particular Opinion 05/2014 on Anonymisation Techniques by the Article 29 Data Protection Working Party, the predecessor of the European Data Protection Board.39 The working party examined the limitations and effectiveness of anonymization techniques and made recommendations in light of the risks of identification and the concepts of anonymization and pseudonymization previously introduced under Directive 95/46 and restated under the GDPR.40

At that time, the working party proposed the same three criteria41 as the Draft Regulation to assess the effectiveness of anonymization techniques: individualization, correlation and inference. Where all three criteria are met, the information is, a priori, properly anonymized and does not infringe on the rights of the persons concerned.

In light of the new concepts of anonymization and depersonalization in Québec law, it is appropriate to examine European law to try to clarify the many questions that remain unanswered. Following the publication of the opinion on anonymization techniques, the supervisory authorities of EU member states have issued a number of opinions:

  • In 2015,42 the French supervisory authority (the CNIL) received a request for authorization concerning the automated processing of personal data to test a method for quantitatively estimating pedestrian flows in a public area.43 The company concerned did so by means of Wi-Fi counting boxes installed on advertising street furniture, which recorded the MAC addresses44 of mobile devices in the immediate vicinity. These were used to calculate traffic volumes, repetition rates and mobility patterns in the public area. While the company argued that it was implementing rigorous anonymization techniques, the CNIL concluded that the process still allowed for correlation and inference from the resulting data and therefore did not meet the required threshold for anonymization, so the data constituted personal information.
  • Most recently, in 2023, the Court of Justice of the EU (CJEU) was seized of a dispute between a vehicle manufacturer and an association of independent repair shops and distributors concerning access to vehicle information for repairs and maintenance,45 in which it was asked to consider whether vehicle identification numbers constituted personal data within the meaning of the GDPR. The court concluded that they did, finding that repairers and distributors could reasonably have the means to connect such a number to an individual. What is interesting about this case is the CJEU's reasoning in support of the subjective position that anonymization can be achieved by separating the dataset from the additional information required to permit re-identification. Specifically, it found that pseudonymized data does not constitute personal data where it is in the possession of a party that does not have reasonable access to the data that would allow for re-identification. This subjective approach, which considers the perspective of the data recipient (its actual access to the identifying data), contrasts with the objective approach previously advocated.46

4. Reminder of Penalties—and Next Steps

It's important to note that Québec's privacy law reform introduced significant sanctioning powers to ensure legal and regulatory compliance. For example, under the Act respecting the protection of personal information in the private sector, anyone who "identifies or attempts to identify a natural person using de-identified information without the authorization of the person holding the information or using anonymized information"47 is liable to a fine of up to $25,000,000 or the amount corresponding to 4% of worldwide turnover for the preceding fiscal year, whichever is greater.48

Pending the adoption of the final form of this legislation, private and public sector organizations should outline a process documenting the key elements discussed in this article: the designation of the person in charge, the identification of the purposes for which the resulting data will be used, the preliminary and deeper analysis of the individualization, correlation and inference criteria, and the assessment of the resulting re-identification risk.

This may be in addition to (or even overlap with) other similar federal regulations 49 as well as new or existing technical standards.

Footnotes

1. GAZETTE OFFICIELLE DU QUÉBEC, December 20, 2023, Vol. 155, No. 51, at 5877 ("Draft Regulation").

2. Act respecting the protection of personal information in the private sector, CQLR c P-39.1.

3. Draft Regulation, s 1.

4. Act to modernize legislative provisions as regards the protection of personal information, assented to on September 22, 2021.

5. COMMISSION D'ACCÈS À L'INFORMATION, "Anonymisation," [online]: https://www.cai.gouv.qc.ca/espace-evolutif-modernisation-lois/thematiques/anonymisation/. (Only available in French)

6. Act respecting the protection of personal information in the private sector, CQLR c P-39.1, s 23(2).

7. For example, this happened in 2014 when the New York City Taxi and Limousine Commission published a dataset on taxi trips made that year. Prior to publication, the agency attempted to clean up the data by replacing any unique identifiers such as vehicle numbers and driver's licence numbers with simulated data using an algorithm. Many people were able to reverse-engineer the algorithm used to modify the real numbers and thereby trace the identities of the individuals concerned (Simson Garfinkel, De-identification of Personal Information NATL INST. OF STANDARDS IR 8053 1, 6 (2015)).

8. Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, April 10, 2014, at 23-24.

9. Ibid at 13.

10. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), art 4(5).

11. Act respecting the protection of personal information in the private sector, s 12, para 4(2).

12. See Shiab c Régie de l'assurance maladie du Québec (RAMQ), 2023 QCCAI 30 (re: information on billing for medical services provided by healthcare professionals) and Enquête concernant le Centre de services scolaire du Val-des-Cerfs (anciennement Commission scolaire du Val-des-Cerfs), CAI no. 1020040-S (re: information on students from which several direct identifiers had been removed). (Only available in French)

13. GDPR, supra note 10, art 4(5).

14. See: GDPR, rec. 28.

15. Draft Regulation, s 4.

16. Ibid at s 3.

17. Act respecting the protection of personal information in the private sector, s 23.

18. Act respecting Access to documents held by public bodies and the Protection of personal information, s 73.

19. Act respecting the protection of personal information in the private sector, s 4.

20. Civil Code of Québec, CQLR c CCQ-1991, art 37.

21. For example, the Commission found that an enterprise failed to meet the serious and legitimate reason test when it collected personal information and linked it to UFO investigation activities when no consent had been obtained and no law expressly allowed it to do so (G.S. c Éditions Alain Duchesne Abducted Man [C.A.I., 2008-5-22], 2008 QCCAI 110).

22. We refer the reader to the very first section of the Act respecting the protection of personal information in the private sector, in particular the first paragraph, which seeks to define the scope of the statute.

23. Act respecting the protection of personal information in the private sector, s 23, Act respecting Access to documents held by public bodies and the Protection of personal information, s 73.

24. Act respecting the protection of personal information in the private sector, s 12, para 2(5); Act respecting Access to documents held by public bodies and the Protection of personal information, s. 65.1, para 2(4).

25. Draft Regulation, s 5, para 1.

26. Namely, information that directly identifies the individual. In this regard, see inter alia: Information and Privacy Commissioner of Ontario, De-identification Guidelines for Structured Data, June 8, 2016 at 4.

27. Ibid.

28. Draft Regulation, s 5, para 2.

29. The interpretation of the "availability" of the other information should, based on recent EU rulings (Case T-557/20 (Single Resolution Board v. European Data Protection Supervisor), April 26, 2023), be analyzed from the perspective of the recipient of the resulting data, and therefore the other data to which that person has access. We discuss the above decision in section 3 of this bulletin.

30. Ibid.

31. J. Joliij, Privacy and Anonymity in Public Sharing of High-Dimensional Datasets: Legal and Ethical Restrictions, 2017.

32. Draft Regulation, s 6.

33. Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, April 10, 2014 at 30-42.

34. In this regard, see inter alia: Iara Griffith, International: Is synthetic data the future of privacy?, February 2023.

35. Draft Regulation, s 7, para 2.

36. Ibid, s 7, para 3.

37. Ibid, s 8.

38. Ibid, s 9.

39. Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, April 10, 2014, at 30–42.

40. GDPR, rec. 26 and art 4(5).

41. Ibid at 23–24.

42. Commission Nationale de l'Informatique et des libertés, Délibération n° 2015-255 du 16 juillet 2015; confirmed on appeal by the Conseil d'État: Conseil d'État, n°393714, February 8, 2017. (Only available in French)

43. Ibid.

44. Sometimes called a physical address, it is a physical identifier stored in a network card or similar network interface, and is unique worldwide (Wikipedia).

45. Case C-319/22 (Gesamtverband Autoteile-Handel eV v. Scania CV AB), November 9, 2023.

46. This objective approach is reflected in the 2014 opinion. Also on this subject, see the CJEU decision in 2016: Case C-582/14 (Patrick Breyer v Bundesrepublik Deutschland), October 19, 2016.

47. Act respecting the protection of personal information in the private sector, s 91(5).

48. Ibid.

49. Regarding similar concepts proposed in Bill C-27 at the federal level, see a previous bulletin published by Fasken: Anonymization and De-identification Under Bill C-27: Implications for Data Analytics.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.