Privacy Update
By Esther Shainblum and Cameron Axford
June 2024 Charity & NFP Law Update
Published on June 27, 2024

Quebec Releases Anonymization Regulations

On May 15, 2024, the government of Québec adopted a new Regulation respecting the anonymization of personal information (the “Regulation”). The Regulation establishes specific criteria and terms for the anonymization of personal information in Québec, making it the first regulation in Canada to provide a framework for data anonymization.

On September 22, 2023, the bulk of the provisions in Law 25 came into force, as discussed in the June 2023 Charity and NFP Law Update. Law 25 implemented both the Act respecting the protection of personal information in the private sector and the Act respecting Access to documents held by public bodies and the protection of personal information, which permit organizations to anonymize personal information once the original purposes for its collection or use have been fulfilled. Organizations must follow “generally accepted best practices” and criteria set by regulation to ensure that the information is anonymized in a way that it can no longer be used to identify individuals, either directly or indirectly.

Prior to the recent publication of the Regulation, there was uncertainty about the specific criteria and terms for anonymizing personal information. The Commission d’accès à l’information (CAI), Québec’s privacy regulator, had stated that organizations could not anonymize personal information without government regulation. The new Regulation attempts to resolve these uncertainties with further guidelines on the matter.

The Anonymization Regulation applies to private enterprises, public bodies and professional orders in Québec (“Bodies” or “Body”) and requires Bodies to follow a detailed process before, during, and after anonymizing personal information. Before starting the process of anonymization, the Body must determine the purposes for which it intends to use the anonymized information.
Those purposes must be consistent with the purposes for which the personal information was originally collected or used and must be in the public interest or serious and legitimate. The process of anonymization itself must be supervised by a qualified person.

The first part of the process set out by the Regulation requires the Body to remove all personal information that would allow the person concerned to be directly identified. The Body must then carry out an analysis to consider the re-identification risks, including whether datasets can be connected to the same person, whether individuals can be isolated or distinguished within a dataset, and whether there is a risk that other “reasonably available” information in the public space could be used to identify a person, directly or indirectly.

Next, based on this analysis, the Body must establish appropriate anonymization techniques, which must be consistent with generally accepted best practices, and the Body must also establish “reasonable protection and security measures” to reduce the risk of re-identification.

After this stage, the Body must again analyze the re-identification risks. The results of the second analysis must show “that it is, at all times, reasonably foreseeable in the circumstances that the information produced further to a process of anonymization irreversibly no longer allows the person to be identified directly or indirectly”. While the residual risk of re-identification need not be zero, it must be “very low”, taking into account: the purpose for which the Body intends to use the anonymized information, the nature of the anonymized information, whether there is a risk that other “reasonably available” public information could be used to identify a person, directly or indirectly, and what measures, efforts, resources and expertise would be required to re-identify the persons.

The Body must “periodically” update this analysis – the frequency of which will be based on the risks previously identified – to ensure that the information remains anonymized. These updates must take into account technological advancements that could allow the re-identification of a person. If the results of the analysis updates are not consistent with the above “very low” risk of re-identification, the information is no longer considered anonymized. Additionally, certain mandatory details about the anonymization process must be recorded in a register.

The Regulation came into force on May 30, 2024, with the requirement to record certain prescribed information in a register starting on January 1, 2025. It provides a clearer framework for anonymization than the Quebec Privacy Act and past CAI guidance but imposes onerous compliance and record-keeping obligations on Bodies operating in Québec. Bodies that operate in Québec should review their data handling practices and update policies and procedures to ensure that they comply with the new requirements. Organizations outside of Québec should expect to see similar guidance and/or regulations in the not-too-distant future.