Privacy Law Updates: Ontario and Quebec

Quebec Publishes Final Anonymization Regulation

On May 15, 2024, the government of Quebec published the final version of the Regulation respecting the anonymization of personal information (Anonymization Regulation), which establishes requirements for organizations subject to Quebec’s Law 25, the law that amends Quebec’s Act respecting the protection of personal information in the private sector (Quebec Privacy Act).

Background

Section 23 of the Quebec Privacy Act states: “Where the purposes for which personal information was collected or used are achieved, the person carrying on an enterprise must destroy the information, or anonymize it to use it for serious and legitimate purposes, subject to any preservation period provided for by an Act.”

Information is anonymized under the Act if it is reasonably foreseeable in the circumstances that it irreversibly no longer allows an individual to be identified directly or indirectly. Information must be anonymized “according to generally accepted best practices and according to the criteria and terms determined by regulation.”

In the absence of any regulation, there was little clarity on how personal information could be anonymized in a compliant manner. Moreover, the Commission d’accès à l’information du Québec (CAI), Quebec’s privacy regulator, had published guidance stating that organizations would not be able to anonymize personal information until regulations came into force.

The publication of the Anonymization Regulation now provides organizations with a clearer framework for anonymizing personal information in compliance with the Quebec Privacy Act.

Anonymization Process

The process set out in the final regulation is based on analyzing the risks of re-identification with a focus on three criteria: (1) correlation, meaning the inability to connect datasets concerning the same person; (2) individualization, meaning the inability to isolate or distinguish a person within a dataset; and (3) inference, meaning the inability to infer personal information from other available information. The required process is essentially as follows:

  1. Prior to anonymizing personal information, the organization must establish purposes for which it intends to use the anonymized information, and these purposes must be consistent with the Quebec Privacy Act.
  2. The organization must then remove all personal information that allows the individual to be directly identified from the information it intends to anonymize.
  3. A preliminary analysis of the re-identification risks, considering the individualization, correlation and inference criteria, must follow.
  4. Based on this analysis, the organization must then establish the anonymization techniques to be used, which must be consistent with generally accepted best practices. The organization must also establish reasonable protection and security measures to reduce re-identification risks.
  5. The organization must regularly evaluate the information it has anonymized to ensure it remains anonymized. The organization must also record certain prescribed information in a register, including a summary of the results of the re-identification risk analysis.

Although it is not necessary to demonstrate that zero risk of re-identification exists, the risk must be “very low,” taking into account the purposes for which the anonymized information will be used, the nature of the information, and the individualization, correlation, and inference criteria.

Where are we Now?

The Anonymization Regulation came into force on May 30, 2024. Organizations contemplating anonymizing, rather than destroying, personal information that is no longer needed should evaluate their overall personal information handling practices and consider establishing, updating, and implementing policies and procedures that address compliance with these new requirements.

Ontario Introduces the Enhancing Digital Security and Trust Act for the Public Sector

On May 13, 2024, the Government of Ontario tabled Bill 194, which introduced the Enhancing Digital Security and Trust Act, 2024 (the EDST Act) and amendments to Ontario’s long-standing public sector privacy law, the Freedom of Information and Protection of Privacy Act (FIPPA). Bill 194 will align FIPPA with more modern privacy legislation, formalize the powers of the Information and Privacy Commissioner of Ontario (the IPC), and create entirely new law governing cyber security, artificial intelligence and children’s privacy.

Analysis

The EDST Act will apply across the provincial and municipal public sectors, including to school boards, school authorities, children’s aid societies, colleges, universities and hospitals.

Cybersecurity

The EDST Act will give the government the ability to enact regulations that require public sector entities to have cybersecurity programs that include elements relating to the assignment of internal responsibility, education awareness, incident response and program oversight. It will also give the Minister of Public and Business Service Delivery the ability to establish technical standards and issue cyber security directives. Standards and directives may be issued without notice and without consultation.

AI regulation

The EDST Act will introduce artificial intelligence (AI) regulation, imposing obligations that apply to the use of “artificial intelligence systems” in circumstances that will be prescribed by regulation. The definition of AI, likely to be scrutinized to see how it lines up with definitions in other laws, is as follows: “a machine-based system that, for explicit or implicit objectives, infers from the input it receives in order to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual.”

For such systems:

  • Public sector entities will be required to publish information about their use;
  • Public sector entities will be required to develop and implement an accountability framework; and
  • Public sector entities will be required to manage risks associated with their use of an AI system.

Regulation of technology affecting minors

Finally, the EDST Act will also give the government the power to enact regulation governing the processing of minors’ information by children’s aid societies and school boards. These regulations will:

  • Govern how “prescribed digital information” relating to minors is collected, used, and disclosed by children’s aid societies and school boards;
  • Require children’s aid societies and school boards to file reports regarding their collection, use, and disclosure of prescribed digital information relating to minors; and
  • Prohibit the collection, use, and disclosure of certain prescribed digital information relating to minors.

Changes to FIPPA

Bill 194, if passed, introduces new breach reporting obligations (with the ‘real risk of significant harm’ threshold familiar to the private sector), as well as privacy impact assessment and information security requirements, into FIPPA. It will also formalize the power of the IPC to investigate privacy compliance, granting the IPC new order-making powers.

Where are we Now?

The comment period for Bill 194 is open until June 11, 2024. Bill 194 will have a significant impact on institutions across the provincial and municipal public sectors by aligning FIPPA with more modern privacy legislation, formalizing the IPC’s powers, and creating entirely new obligations relating to cyber security, artificial intelligence and children’s privacy.

Despite its significance, it is important to keep in mind that the substance of the EDST Act (which will be set out in regulations and directives) is yet to be seen.

Contact PRIVATECH for Canadian privacy law training options to ensure your privacy team keeps a pulse on new legal and regulatory developments across the provinces!