Bulletin #15 | Special Series - Bill 64 & Act to modernize legislative provisions as regards the protection of personal information

Data processing is prevalent. Whether it is governments collecting population statistics to better understand citizen needs, businesses conducting market studies, or scientists analyzing health data for research purposes, personal information is now collected and used for a myriad of reasons. The new ways of analyzing "big data" that have emerged over the last few years, such as artificial intelligence, have served to reinforce this trend. However, the fundamental right to privacy remains important.

So how can one reconcile the desire for data with the principles governing the protection of personal information? In some cases, part of the solution lies in properly de-identifying personal information.

As such, Bill 64 aims to introduce into Quebec's personal information protection laws the concept that certain technology will now allow personal data sets to be modified in order to reduce the risks that an individual may be identified or so that these data sets no longer contain personal information, and are instead limited to non-identifiable information.

An Important Difference

Bill 64 proposes introducing two methods in order to reduce the "identifiable" character of personal information:

  • "de-identification," which is any method that ensures that personal information "no longer allows the person concerned to be directly identified"1; and
  • "anonymization," which is any method that ensures that information about an individual "no longer allows the person to be identified directly or indirectly,"2 in accordance with "generally accepted best practices."3

Our previous Bulletin examines more closely the key differences between these two techniques.

De-identification

The notion of de-identified information is aligned with the characteristics of pseudonymized data as defined under the General Data Protection Regulation: removing all variables that are direct identifiers (e.g., email address, name, social insurance number), while keeping those that are indirect identifiers (e.g., sex, age, date of birth).

Under Bill 64, the de-identification of personal information allows public bodies and private businesses to use personal information already in their possession for study, research or statistical purposes without having to obtain the prior consent of the individuals affected, as long as this use is necessary for the purposes of conducting such study or research or producing statistics, as the case may be.4

However, other than this exemption, collecting, using, disclosing, holding and destroying de-identified personal information remains subject to Quebec's personal information protection laws. De-identification is also a security measure and proactively mitigates certain risks concerning the protection of personal information. For example, unauthorized access to a de-identified data set would be less likely to "present a risk of serious injury",5 and therefore less likely to trigger the obligation to report the incident to the Commission d'accès à l'information and to the affected individuals.

More precisely, the de-identification of personal information would reduce the risk of certain data being associated with the original identity of a particular individual. The following techniques might eventually represent some of the de-identification techniques recognized under Bill 64:

  • secret-key encryption
  • cryptographic hashing
  • tokenization6
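To make the difference between these techniques concrete, the following is an added example (not code from the bulletin or from any of the sources it cites) that de-identifies a constructed set of records in the sense described above: the direct identifiers (name, email, SIN) are removed and replaced by a pseudonym, while the indirect identifiers (sex, birth year, forward sortation area) are kept. Secret-key cryptography is represented by a keyed hash (HMAC-SHA256, which cannot be recomputed without the key), plain cryptographic hashing by SHA-256, and tokenization by a random lookup table held in a separate "vault". The field names, the sample records and the `Tokenizer` class are all assumptions of this illustration.

```python
"""De-identification (pseudonymization) of a constructed record set.

Added illustration, not part of the bulletin. Direct identifiers are
removed; indirect identifiers are kept, which is why the output is still
personal information under Bill 64 and still needs protection.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (not real people). Alice appears twice so the
# example can show that one person's records stay linkable within the study.
RECORDS = [
    {"name": "Alice Tremblay", "email": "alice@example.com", "sin": "123456789",
     "sex": "F", "birth_year": 1984, "postal_fsa": "H2X", "diagnosis": "asthma"},
    {"name": "Bob Gagnon", "email": "bob@example.com", "sin": "987654321",
     "sex": "M", "birth_year": 1979, "postal_fsa": "G1R", "diagnosis": "diabetes"},
    {"name": "Alice Tremblay", "email": "alice@example.com", "sin": "123456789",
     "sex": "F", "birth_year": 1984, "postal_fsa": "H2X", "diagnosis": "flu"},
]

DIRECT_IDENTIFIERS = ("name", "email", "sin")            # removed from every record
INDIRECT_IDENTIFIERS = ("sex", "birth_year", "postal_fsa")  # kept as-is


def keyed_pseudonym(value: str, key: bytes) -> str:
    """Secret-key technique: HMAC-SHA256 of the identifier under a study key.
    The same key and value always give the same pseudonym, so a person's
    records can still be grouped; without the key it cannot be recomputed."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256. Deterministic and irreversible in theory, but anyone
    who knows the input format can recompute it, so for short, structured
    identifiers such as a SIN the keyed variant is the safer choice."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class Tokenizer:
    """Tokenization: replace an identifier with a random token and keep the
    mapping in a separately protected vault. Reversal needs vault access,
    not a computation, so the vault must be guarded as personal information."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}

    def token_for(self, value: str) -> str:
        if value not in self._vault:
            self._vault[value] = secrets.token_hex(8)
        return self._vault[value]

    def resolve(self, token: str) -> Optional[str]:
        """Authorized reverse lookup, e.g. to recontact a study participant."""
        for value, tok in self._vault.items():
            if tok == token:
                return value
        return None


def deidentify(records: List[dict], key: bytes, tokenizer: Tokenizer) -> List[dict]:
    """Drop direct identifiers; attach a keyed pseudonym and a token derived
    from the SIN. Indirect identifiers pass through unchanged."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        new["pseudonym"] = keyed_pseudonym(rec["sin"], key)
        new["token"] = tokenizer.token_for(rec["sin"])
        out.append(new)
    return out


def has_direct_identifiers(records: List[dict]) -> bool:
    """Sanity check before a de-identified extract leaves the controlled environment."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    study_key = secrets.token_bytes(32)  # stored apart from the data, like the vault
    vault = Tokenizer()
    for row in deidentify(RECORDS, study_key, vault):
        print(row)
```

Note that the output still carries sex, birth year and postal area: exactly the indirect identifiers that keep the extract within the scope of the Act, and that the re-identification analysis discussed under "Anonymization" must look at.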

Anonymization

Under Bill 64, a proper anonymization system must ensure that the resulting information may no longer, in any way whatsoever, allow the affected individual to be identified.7

Effect

The anonymization of information is introduced in Bill 64 as an alternative to destroying such information where the purposes for which it was collected or used are achieved, and therefore allows such information to be kept indefinitely.8 As such, according to the definition given to the notion of "personal information" under Quebec law,9 properly anonymized information would not be subject to such laws.

A similar approach is currently set out under the federal personal information protection law, which, under principle 4.5.3 of Schedule 1 thereof, allows subject entities to anonymize information instead of destroying it.10

How?

It should be noted that while the de-identification and anonymization of personal information are appropriate for certain processing activities that use personal information (e.g., medical research), the information may, depending on the context of its intended use, lose all value and usefulness once anonymized. A preliminary analysis of whether personal identifiers are actually necessary for the intended processing is therefore recommended before beginning any project to de-identify or anonymize data.11

Since the Information and Privacy Commissioner of Ontario, as well as many authors, hold that anonymizing data is never completely irreversible,12 entities that wish to anonymize the information in their possession should adopt an approach based on the risk of re-identification. This risk must be assessed in light of, for example, the context or environment in which the data will be stored, used or disclosed after being anonymized, the number of direct identifiers in the data set, and the likelihood of a re-identification attempt or any other similar attack. The anonymizing procedure must therefore mitigate this risk.13

Note that, like any highly technical procedure, anonymizing techniques are sure to evolve quickly over time and represent a challenge for legislators who must try to stay abreast. As such, Bill 64 proposes a broadly stated requirement for entities to anonymize data based on "generally accepted best practices."14

In 2014, the Article 29 Data Protection Working Party, which was composed of European data protection authorities, published an Opinion on the main anonymization techniques and how to use them.15 The Opinion states that an anonymization solution must be determined on a case-by-case basis and adapted to the intended use, and it sets out three tests for evaluating the efficacy of a technique:

  • "singling out" (is it still possible to isolate some or all variables about the same individual in a data set?);
  • "linkability" (is it possible to make correlations between information in different data sets about the same individual?); and
  • "inference" (is it possible to deduce, with a high degree of probability, information about an individual from other data in a data set?).16

As such, according to this Opinion, a data set in which it is impossible to single out, link or infer information is prima facie anonymous, and a data set in which at least one of the three tests above is not met can only be considered anonymous after a detailed analysis of the risk of re-identification.17
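The three tests can be turned into a screening step that a data custodian runs before releasing a data set. The following is an added example, not the Working Party's or the bulletin's own code; it assumes that records are dictionaries, that the "quasi-identifiers" an outsider could plausibly know are sex, birth year and forward sortation area, that "diagnosis" is the sensitive attribute, and that a second, constructed data set stands in for information an outsider might hold. Singling out is checked by counting records per quasi-identifier combination (the reasoning behind k-anonymity), linkability by joining the released set to the external one on those same fields, and inference by looking for groups whose sensitive value is uniform (the reasoning behind l-diversity). Passing all three is the prima facie condition the Opinion describes; failing any of them is what triggers the detailed re-identification analysis.

```python
"""Screening a constructed data set against the Working Party's three tests.

Added illustration. Field names, sample rows and the k threshold are
assumptions; the checks are the standard equivalence-class reasoning and
are necessary, not sufficient, for a data set to be treated as anonymous.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

QUASI_IDENTIFIERS = ("sex", "birth_year", "postal_fsa")
SENSITIVE = "diagnosis"

# Constructed "released" data set: no direct identifiers, but indirect ones remain.
RELEASED = [
    {"sex": "F", "birth_year": 1984, "postal_fsa": "H2X", "diagnosis": "asthma"},
    {"sex": "F", "birth_year": 1984, "postal_fsa": "H2X", "diagnosis": "flu"},
    {"sex": "M", "birth_year": 1979, "postal_fsa": "G1R", "diagnosis": "diabetes"},
    {"sex": "M", "birth_year": 1990, "postal_fsa": "H3B", "diagnosis": "asthma"},
    {"sex": "M", "birth_year": 1990, "postal_fsa": "H3B", "diagnosis": "asthma"},
]

# Constructed second data set an outsider might hold (e.g. a membership list).
EXTERNAL = [
    {"name": "Bob Gagnon", "sex": "M", "birth_year": 1979, "postal_fsa": "G1R"},
    {"name": "Chloe Roy", "sex": "F", "birth_year": 1984, "postal_fsa": "H2X"},
]

Key = Tuple[object, ...]


def key_of(rec: dict, fields=QUASI_IDENTIFIERS) -> Key:
    return tuple(rec[f] for f in fields)


def equivalence_classes(records: List[dict], fields=QUASI_IDENTIFIERS) -> Dict[Key, List[dict]]:
    """Group records that share the same quasi-identifier values."""
    classes: Dict[Key, List[dict]] = defaultdict(list)
    for rec in records:
        classes[key_of(rec, fields)].append(rec)
    return classes


def singling_out(records: List[dict], k: int = 2) -> List[Key]:
    """Test 1: combinations shared by fewer than k records isolate an individual."""
    return sorted(key for key, rows in equivalence_classes(records).items() if len(rows) < k)


def linkability(released: List[dict], external: List[dict]) -> List[Key]:
    """Test 2: combinations that point to exactly one record in both data sets
    let the two be joined, attaching the external name to the released row."""
    rel = equivalence_classes(released)
    ext = equivalence_classes(external)
    return sorted(key for key in rel.keys() & ext.keys()
                  if len(rel[key]) == 1 and len(ext[key]) == 1)


def inference(records: List[dict], sensitive: str = SENSITIVE) -> List[Key]:
    """Test 3: groups whose sensitive attribute takes a single value reveal it
    for every member, even when no individual record can be singled out."""
    return sorted(key for key, rows in equivalence_classes(records).items()
                  if len({r[sensitive] for r in rows}) == 1)


def screen(released: List[dict], external: List[dict], k: int = 2) -> Dict[str, List[Key]]:
    """Prima facie anonymous only if all three lists are empty."""
    return {
        "singling_out": singling_out(released, k),
        "linkability": linkability(released, external),
        "inference": inference(released),
    }


def suppress_small_classes(records: List[dict], k: int = 2) -> List[dict]:
    """One common mitigation: suppress records whose quasi-identifier
    combination is shared by fewer than k rows, then screen again."""
    classes = equivalence_classes(records)
    return [rec for rec in records if len(classes[key_of(rec)]) >= k]


if __name__ == "__main__":
    print("before:", screen(RELEASED, EXTERNAL))
    print("after suppression:", screen(suppress_small_classes(RELEASED), EXTERNAL))
```

On this constructed data, suppressing the lone 1979 record clears the singling-out and linkability findings, but the two H3B records still share a single diagnosis, so the inference test keeps failing and the set is not prima facie anonymous; that residual finding is the kind of result the Opinion says must be taken into a fuller risk analysis rather than waved through.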

Sanctions in Event of Re-identification

Lastly, personal information, even if de-identified or anonymized, may be subject to attacks or manipulations aimed at recovering its identifying variables. Given this unfortunate reality, under Bill 64, any entity that "identifies or attempts to identify a natural person using de-identified information without the authorization of the person holding the information or using anonymized" is liable to a fine of $15,000 to $25,000,000, or 4% of global revenue (if the latter is higher).18

Footnotes

1. Bill 64, sec. 102.

2. Bill 64, sec. 111.

3. Ibid.

4. Bill 64, sec. 102.

5. Bill 64, sec. 95.

6. Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, 10 April 2014, p. 22-23.

7. Bill 64, sec. 111.

8. Ibid.

9. "Personal information is any information which relates to a natural person and allows that person to be identified." (Act respecting the protection of personal information in the private sector, CQLR c P-39.1, sec. 2).

10. Personal Information Protection and Electronic Documents Act, SC 2000, c 5, Schedule 1, Principle 4.5.3.

11. Information and Privacy Commissioner of Ontario, "De-identification Guidelines for Structured Data," June 2016, p. 1.

12. Ibid.

13. Ibid.

14. Bill 64, sec. 111.

15. Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, 10 April 2014, p. 23-24.

16. Ibid.

17. Ibid.

18. Bill 64, sec. 151.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.