Background
On December 20, 2023, the proposed Regulation respecting the anonymization of personal information (“Draft Regulation”) was published, providing insight into the requirements that organizations will likely need to meet in order to lawfully anonymize personal information in accordance with the recently amended Act respecting the protection of personal information in the private sector (“Act”). The Draft Regulation is subject to a 45-day public consultation period.
The majority of the amendments to the Act came into force on September 22, 2023, including provisions that require organizations to destroy personal information at the end of its lifecycle or anonymize it in order to use it for “serious and legitimate purposes”:
23. Where the purposes for which personal information was collected or used are achieved, the person carrying on an enterprise must destroy the information, or anonymize it to use it for serious and legitimate purposes, subject to any preservation period provided for by an Act.
For the purposes of this Act, information concerning a natural person is anonymized if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly.
Information anonymized under this Act must be anonymized according to generally accepted best practices and in accordance with criteria and procedures prescribed by regulation.
However, businesses were left with little information as to how anonymization could be achieved, and in what circumstances. They were only provided with the definition of anonymous information, namely information for which it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly, and told that the anonymization could only be done (emphasis added) “according to generally accepted best practices and according to the criteria and terms determined by regulation.”
Québec’s privacy regulator, the Commission d’accès à l’information (“CAI”), issued updated guidance in May 2023 (Destruction and Anonymization) in which it stated that given technological advancements, it considered it almost impossible that anonymized information could not eventually be re-identified. In light of this, the CAI advised organizations that they would be prohibited from anonymizing personal information until such time as regulations specifying a process for anonymization came into force (more on this topic in our post from October 2023). This created concern that anonymization would be forbidden indefinitely, but with the draft regulations, that prohibition may soon be at an end.
The Draft Regulation: What is required?
According to the Act, organizations that have fulfilled the purposes for which personal information was collected have two options: i) to destroy the information or ii) to anonymize it in order to use it for “serious and legitimate purposes”. The Draft Regulations specify a process for the second approach.
There is clear emphasis in the preamble to the Draft Regulation that its purpose is to reduce the re-identification risks associated with anonymization. It is worth noting that there is no mention of the importance that anonymized datasets have for businesses, especially at a time when this data often forms the core of the potential for technologies using artificial intelligence. This will likely mean there will be no attempts at “balancing” the impacts of the Draft Regulation and strict adherence will be expected.
The Draft Regulation divides the obligations on businesses into three stages: activities that must be done prior to anonymization, the process of anonymization itself, and activities that must be done subsequent to the process of anonymization.
Stage I: Activities that must be done prior to anonymization
Step 1: Prior to anonymization, the organization is required to identify the intended purposes for the anonymized data.
Step 2: The organization must then determine if the purposes are consistent with section 23 of the Act – that the purposes are “serious and legitimate”. If the organization wishes to use the anonymized dataset for purposes other than those identified early on, the organization must determine if the new purposes are consistent with section 23.
The initial step requires that an organization first identify the subset of personal information which is at the end of its lifecycle – in other words, that subset of personal information for which the purposes for its collection or use have been achieved. Note that it is only this end-of-life personal information which can be anonymized; this section of the Act does not expressly address the anonymization of personal information in active use (i.e., still fulfilling its purpose). Arguably, for personal information in active use, anonymization may be a “consistent use” for which no consent is required (as per the consent exceptions in s. 12 of the Act, and for which “de-identification” is required – anonymization is the quintessential de-identification). If true, anonymization of active personal information is permitted in the narrow circumstances under s. 12 but s. 12, requiring as it does that there be “a direct and relevant connection with the purposes for which the information was collected”, may not be broad enough to capture personal information at the end of its life.
General Note: The requirement of identifying purposes for personal information is consistent with foundational privacy principles and requirements under privacy legislation in Canada as well as globally. However, this requirement goes beyond this existing obligation, as the requirement under privacy legislation applies to personal information – under most privacy laws, anonymized information falls outside the scope of the law, and as a result, there is generally no obligation to identify purposes for information that is already anonymized.
In this way, the Draft Regulation also creates a Catch-22 situation – having now identified the purpose for which the personal information is to be identified, the personal information is now no longer at end-of-life since there is now a purpose identified. Arguably, it is the purposes identified at the time of collection or use – but if organizations identify “anonymization” as one of the purposes of their collection, they may never hit the end-of-life for that personal information, and never be able to permissibly use it for the very thing they said they would.
Furthermore, most laws require that organizations have policies and procedures in place regarding their processing of personal information. In this case, the CAI expressly states in its guidance that the mandatory governance policies required under section 3.2 of the Act should also provide information on the practices with respect to the anonymization of personal information.
Implementation Considerations: In reality, organizations may not consider all of the purposes for the anonymized data at the outset of the process, which means that these requirements may cause some delays in implementation and in making anonymized datasets available for businesses to use for new purposes. However, the impact of the requirements is unlikely to cause much difficulty if the datasets remain within the organization.
There is likely to be greater difficulty when the datasets – either in identifiable or anonymized form – leave the organization in order to be handled by service providers. Provided this information is at the end of its lifecycle, it appears to be open to service providers to also anonymize personal information transferred to them for processing. Organizations wishing to prevent this will now need to specifically prohibit it in their contracts.
Stage II: The process of Anonymization
Step 3: The process of anonymization must be carried out under the supervision of “a person qualified in the field”.
General Note: It is unclear what will make someone “qualified” to supervise the process. Organizations which choose to perform anonymization internally will likely need to upskill their privacy officer, IT staff, and/or data scientists. Organizations that choose to use a service provider to do this for them will need to insert appropriate provisions into their contracts, including robust liability, indemnity and warranty clauses.
Step 4: The organization removes information that allows the person concerned to be directly identified from the dataset (also known as “masking”).
General Note: The remaining dataset appears to be “de-identified information”, according to the definition under section 12 of the Act. Under the Act, if its use is necessary for study or research purposes or for the production of statistics, de-identified information may be used without consent.
Step 5: The organization must then complete a preliminary assessment of the re-identification risk. In the assessment, the organization must specifically consider the following criteria:
- individualization – the inability to isolate or distinguish a person within the dataset. For example, individualization would consist of being able to single out a person after getting access to a database with physical addresses;
- correlation – the inability to connect datasets concerning the same person. For example, correlation would include being able to determine the identity of a person by linking their access badge number to entry logs to a building;
- inference – the inability to infer personal information from other available information. For example, one could infer someone’s salary information based on an employee’s seniority; and
- any other information, private or public, that could be used to, directly or indirectly, identify the person in question.
General Note: It is unclear how an organization is to achieve an assessment of item (iv). Is an organization to consider information that may be available on the Dark Web or otherwise released by threat actors? Does this impose a positive obligation on organizations to monitor the Dark Web? Does “other information” include data sets in the hands of other entities?
General Note: The CAI states in its guidance that some personal information is so distinctive by nature that it is impossible to anonymize it – for example, such information includes genetic information, biometric information or geolocation information.
Step 6: Based on the risks identified during the assessment, the organization must then establish anonymization techniques to be used, which must be consistent with “generally accepted best practices”.
Implementation Consideration: It remains unclear what is meant by “generally accepted best practices”. One could assume that these include ISO, NIST standards and other similar standards, regulatory guidance from privacy regulators in Canada and around the world and findings in caselaw related to the matter. The standard should be specified in any contract with a third-party retained to provide anonymization services.
Step 7: The organization must also establish the measures to be implemented for the protection and the security of the information in order to prevent re-identification.
General Note: At this stage, while the information may be de-identified, it is still considered as personal information (some pieces of legislation, such as the GDPR, would consider information as “pseudonymized”). As such, the obligation to ensure the information is protected with appropriate safeguards to ensure its security is consistent with safeguarding obligations under privacy legislation in Canada and globally.
Stage III: Activities that must be done subsequent to the process of anonymization
Step 8: Following the anonymization, the organization is required to complete an analysis of the re-identification risks.
This analysis must show that the dataset is now anonymous — that it is, at all times, reasonably foreseeable in the circumstances that the information produced further to a process of anonymization irreversibly no longer allows the person to be identified directly or indirectly.
The analysis must consider the following elements:
- The circumstances related to the anonymization of personal information, in particular the purposes for which the information is intended to be used.
Implementation Consideration: Various regulators specifically include the analysis of the recipients or audience getting access to the information as an important factor to consider. For example, this is especially relevant where the release model is for the public – which would represent an inherent challenge to anonymization – or in a non-public release, where the recipients are subject to NDAs, which may represent a mitigating factor.
- The nature of the information – presumably, the sensitivity of the information;
- Individualization, correlation and inference criteria;
- The risks of other information available, including in the public space, being used to identify the person directly or indirectly; and
- The measures required to re-identify the individuals, taking into account efforts, resources and expertise.
General Notes: The Draft Regulation specifies it is not necessary to demonstrate that zero risk exists, but instead, that the residual risk of re-identification is “very low”. It is surprising that the Draft Regulation does not go into detail about the identification of the acceptable re-identification risk threshold. Generally, this threshold would differ depending on several factors, such as the ones listed above.
These obligations, specifically the analysis of the aforementioned factors in light of the lack of guidance and caselaw, pose obvious practical challenges for organizations. It remains unclear whether, according to the CAI, information is considered as anonymous for an organization if a third party is able to determine the identity of the person concerned with a separate dataset that is not available to the organization.
For example, a service provider may consider a dataset to which it has access as anonymous, as it does not have any way to access information that could identify the individuals concerned, for example a key to unlock the database as well as access to such database. However, the service provider’s customer may have a key to access the full dataset from which the anonymized dataset is derived.
Globally, the law appears to vary on this point depending on jurisdiction and the regulator; a conservative approach would be to consider the dataset as only de-identified when there is a way to identify the data (even if the information is protected and not available), whereas a more liberal approach may consider the dataset as anonymized where there are mitigating factors, such as the absence of motive by the third party to re-identify the information.
Step 9: The organization is required to regularly re-assess the information that it has previously anonymized to ensure that it remains anonymized. This analysis, which is similar to the one completed at the end of the anonymization, must include, in addition to the factors listed in Step 7 above, any technological advancements that may contribute to the re-identification of any individual.
General Notes: The Draft Regulation states that if the result of a subsequent analysis reveals that the information is no longer, at all times, reasonably foreseeable in the circumstances that the information produced further to a process of anonymization irreversibly no longer allows the person to be identified directly or indirectly, the information will be deemed to be no longer anonymized and would therefore be considered as personal information under the Act.
There is some ambiguity regarding this obligation: for example, the frequency of these re-assessments, whether there are triggers for performing these periodic assessments, and whether a finding that the information is no longer anonymous will constitute a confidentiality incident that is reportable to the CAI.
Step 10: Finally, the Draft Regulation also requires that organizations keep a register which records:
- a description of the anonymized personal information;
- the purpose of use for this anonymized personal information;
- how and what techniques were used to anonymize the data, along with which security measures were established;
- a summary of the re-identification risk analysis; and
- the date on which the re-identification risk analysis was conducted (and when it may be updated).
The penalties related to failure to comply with obligations related to the anonymization process under the Act are important.
Re-identification (and attempts at re-identification) using de-identified information without authorization or using anonymized information is an offence punishable with a fine of $5,000 to $100,000 in the case of a natural person and, in all other cases, of $15,000 to $25,000,000, or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year.
The other general penalties and fines in the Act also apply to destruction that is in contravention of the Act:
- Anyone who collects, uses, communicates, keeps or destroys personal information in contravention of the law, commits an offence and is liable to a fine of $5,000 to $100,000 in the case of a natural person and, in all other cases, of $15,000 to $25,000,000, or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year.
- A monetary administrative penalty of up to $10,000,000 or 2% of worldwide turnover may be imposed on anyone who collects, uses, communicates, keeps or destroys personal information in contravention of the law.
- It is an offence punishable with a fine of $5,000 to $100,000 in the case of a natural person and, in all other cases, of $15,000 to $25,000,000, or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year, for anyone to identify or attempt to identify a person using de-identified information without the authorization of the person holding the information or using anonymized information.
In addition, individuals may claim punitive damages when an unlawful infringement of a right conferred by the Act causes an injury, provided the infringement is intentional or results from gross negligence.
For more information on privacy law, please contact Kirsten Thompson, Sasha Coutu or members of our Privacy and Cybersecurity team.
The authors would like to thank their co-author, Justin Morell, Articling Student, for his assistance in preparing this article.