The Québec privacy regulator, the Commission d’accès à l’information (“CAI”) appears to be taking the position that because true anonymization is not possible, businesses should not do it until the Québec government issues regulations specifying how acceptable anonymization can be done.
Recent amendments to the Act respecting the protection of personal information in the private sector, CQLR c P-39.1 (“Québec Privacy Law”) permitted anonymization as an acceptable alternative to the destruction at the end of the personal information lifecycle. Appropriately anonymized information could then be used for “serious and legitimate purposes”. This was a significant amendment for organizations which desired to anonymize information and use it to train machine learning applications, to use it in artificial intelligence tools, and to run data analytics.
The relevant section in the Québec Privacy Law is s. 23 – the italicized sections are the September 22, 2023 amendments made to the Québec Privacy Law:
23. Where the purposes for which personal information was collected or used are achieved, the person carrying on an enterprise must destroy the information, or anonymize it to use it for serious and legitimate purposes, subject to any preservation period provided for by an Act.
For the purposes of this Act, information concerning a natural person is anonymized if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly.
Information anonymized under this Act must be anonymized according to generally accepted best practices and in accordance with criteria and procedures prescribed by regulation.
Note that in the last paragraph, the language is “and” – not “or”. In other words, both conditions must be met.
Prohibition on anonymization
The CAI has created a “modernizing laws” section of its website, where it puts guidance documents and forms relevant to the amendments to the Québec Privacy Law. The following statement appears in French in respect of anonymization (unofficial English translation):
As of September 22, 2023, applicable laws provide for the possibility of anonymizing personal information, an alternative to its destruction. However, public bodies and businesses must be able to anonymize this information according to generally accepted best practices and according to the criteria and procedures determined by government regulation. In the absence of government regulations, organizations and businesses will not be able to anonymize personal information.
Learn more about the anonymization of personal information.
The link is to Destruction and Anonymization guidance (“Guidance”) which is dated May 24, 2023, but essentially says the same thing concluding that (unofficial translation to English): “In light of current and future technological advances, the Commission considers that it is almost impossible to certify that anonymized information could not potentially be re-identified.”
However, the position of the CAI on this point is unusual. Typically, where there are no regulations under an Act, it is generally interpreted as organizations/individuals being free to undertake the activity in accordance with the existing Act, and not as meaning that the activities are prohibited because there is no regulation saying how the activities are to be carried out. The more usual interpretation would be that until regulations are adopted, anonymization should be done in accordance with accepted best practices.
Section 90 seems to confirm the more usual interpretation, saying that the Government “may” make regulations…not “must” make regulations. If the CAI’s interpretation is correct, this could mean that if the government does not make regulations (or is much delayed in doing so) anonymization would be prohibited.
Finally, the CAI, in the last two paragraphs of its Guidance suggests that anonymization in the absence of regulation authorizing it could amount to a “confidentiality incident” (breach).
It also suggests that violation of the anonymization provisions could result in a fine (not just a monetary penalty) under s. 91(5) (though it’s a bit unclear whether the mere act of (purported) anonymization would meet the criteria under this section as it is aimed at those who re-identify or attempt to re-identify individuals).
Organizations subject to the Québec Privacy Law that are engaging in anonymization activities should proceed with caution. While the CAI’s Guidance does not have the force of law, it reflects the regulator’s interpretation of the law and organizations that choose not follow it may well be the subject of enforcement proceedings by that same regulator.