
De-identify, Anonymize and De-index: New Verbs and New Obligations!

Fasken

Bulletin #11 | Special Series - Bill 64 & Act to modernize legislative provisions as regards the protection of personal information

Bill 64[1] contributes its share of novelties[2] by giving new rights to individuals and, as a corollary, imposing new obligations on organizations. In this bulletin for private sector companies, we will examine the obligations with respect to the retention period and the anonymization of personal information on the one hand, and the obligations resulting from de-indexing on the other.

The Retention Period for Personal Information: Issues Still Outstanding

Section 111 of Bill 64 creates a new s. 23 according to which:

"23. Where the purposes for which personal information was collected or used are achieved, the person carrying on an enterprise must destroy or anonymize the information, subject to any preservation period provided for by an Act.

For the purposes of this Act, information concerning a natural person is anonymized if it irreversibly no longer allows the person to be identified directly or indirectly.

Information anonymized under this Act must be anonymized according to generally accepted best practices."

Until now, the Act respecting the protection of personal information in the private sector[3] ("Private Sector Act") has provided that personal information can only be retained for the time necessary for the purposes indicated (Private Sector Act, s. 10) or to allow the person concerned to exhaust the remedies provided by law (Private Sector Act, s. 36), it being specified that "once the object of a file has been achieved, no information contained in it may be used otherwise than with the consent of the person concerned, subject to the time limit prescribed by law or by a retention schedule established by government regulation" (Private Sector Act, s. 12). The retention schedule in question, referred to in s. 10 above, has never been established.

Bill 64 goes much further with respect to retention of personal information: once the purpose for which the information has been collected is achieved, and subject to a retention period provided by the law (still undefined), the information in question should be either destroyed or anonymized.

While the concept of destruction is not a problem in itself, anonymization may be a little harder to grasp. That is why the new s. 23 introduced by Bill 64 provides criteria for it:

  • the anonymization process must be irreversible: "information concerning a natural person is anonymized if it irreversibly no longer allows the person to be identified directly or indirectly." [underlining added];
  • it must be impossible to directly or indirectly identify the person concerned:
    "information concerning a natural person is anonymized if it irreversibly no longer allows the person to be identified directly or indirectly" [underlining added].

This is how Bill 64 explains the distinction between "anonymization" and "de-identification". While anonymization is a process that does not allow an individual to be identified directly or indirectly, de-identification (to which the new s. 12 refers) is a process that "no longer allows the person concerned to be directly identified" and which, in particular, allows retaining information "(3) if its use is necessary for study or research purposes or for the production of statistics and if the information is de-identified"[4]. The term "indirectly" is thus at the heart of the distinction between anonymization and de-identification.

In any case, and as (3) of the new s. 23 makes clear, according to Bill 64, anonymization must be considered a better practice and applied more broadly.

In practice, this means that private sector companies must determine, in policies accessible to the public, retention times that are within the limits provided by law and the manner in which information will be destroyed, i.e. either anonymized or de-identified[5].

Companies that fail to comply with the rules for retention or use of personal information may be liable to fines[6] or face penal proceedings (Bill 64, new s. 91)[7], as the case and type of violation may be[8].

In this context, we strongly recommend that organizations prepare ahead of time by identifying the information collected, the applicable retention periods and the procedures that will be used to destroy or anonymize the information when that period expires. A careful review of relevant policies is strongly recommended as well.

A Real Right to Be Forgotten or a Simple Right of De-Indexation?

Bill 64 introduces a new right for individuals that is similar to a "right to be forgotten" (Bill 64, s. 113, creating a new s. 28.1). This is a double right, since it allows a person to require an enterprise (i) to cease disseminating personal information or (ii) to de-index any hyperlink that provides access to this information when the following criteria are met:

  • dissemination of this information violates a law or a court order; or
  • dissemination of this information causes serious injury in relation to the person's right to the respect of their reputation or privacy.

This right of de-indexation therefore does not imply deletion of the on-line content that is the object of a search but only suppression of the search results. However, it goes further because it allows forcing the private enterprise to cease disseminating this information.

Bill 64 provides strict controls over this new right:

  • the serious injury to the person concerned must be "clearly greater than the interest of the public in knowing the information or the interest of any person in expressing himself freely".

To assess whether the serious injury is clearly greater than the public interest, Bill 64 proposes taking into account the following criteria:

  • the fact that the person concerned is a public figure;
  • the fact that the person concerned is a minor;
  • the fact that the information is up to date and accurate;
  • the sensitivity of the information;
  • the context in which the information is disseminated;
  • the time elapsed between the dissemination of the information and the request for de-indexation;
  • where the information concerns a criminal or penal procedure, obtaining a pardon or applying for a restriction on the accessibility of records of the courts of justice;
  • the requested cessation of dissemination, re-indexation or de-indexation does not exceed what is necessary for preventing the perpetuation of the injury.

In any event, this new dual right is similar to the one, likewise with multiple aspects, provided by European Union law[9].

We should remember that the right to erasure provided by s. 17 (entitled "right of erasure" and sub-titled "right to be forgotten") of the General Data Protection Regulation ("GDPR")[10] consists first of all of the right of any person concerned to obtain from the entity that holds their personal information "the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay," when, in particular (i) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) the person withdraws consent; (iii) the person concerned objects to the processing and there are no overriding legitimate grounds for the processing; (iv) the personal data has been unlawfully processed; (v) the personal data must be erased to comply with a legal obligation.

It is also present, according to the jurisprudence of the Court of Justice of the European Union, in the "right of de-referencing" (similar to the right of de-indexation in Bill 64), by which the person concerned can ask anyone operating a search engine to delete all results of a search made with a person's name, an established right since 2014[11]. It is in this respect that Bill 64 tends to move closer to the GDPR.

In conclusion, with these new provisions, Bill 64 seems intended to close a loophole in the Private Sector Act and be part of a more general trend of harmonization with the GDPR.



[1] Bill 64, An Act to modernize legislative provisions as regards the protection of personal information

[2] For other comments on various aspects of Bill 64, visit the Fasken Resource Centre on Bill 64 https.

[3] Act respecting the protection of personal information in the private sector, P-39.1.

[4] Bill 64, new s. 12 (3). See in particular J. Stoddart, J.-R. Champagne and A. Barbach, How Bill 64 Will Impact The Research Sector, Fasken Bulletin.

[5] Bill 64, new s. 3.2.

[6] Bill 64, new s. 90.12: the amount of the monetary administrative penalty could rise to $10,000,000 (or an amount corresponding to 2% of worldwide turnover for the preceding fiscal year, if greater).

[7] Bill 64, new s. 9: private companies could likewise be liable to a fine of up to $25,000,000 (or 4% of worldwide turnover for the preceding year if greater) if they collect, retain, communicate or use personal information in violation of the law.

[8] See in particular G. Pelegrin, The Commission d'accès à l'information could issue penalties of up to $10 million based on administrative decisions, Fasken Bulletin.

[9] J. Uzan-Naulin, Bill 64: Mirroring the GDPR?, Fasken Bulletin.

[10] General Data Protection Regulation, 2016/679, 27 April 2016. See in particular, with respect to the right to be forgotten: J. Uzan-Naulin, The (Extra) Territorial Scope of the GDPR: The Right to Be Forgotten, Fasken Bulletin.

[11] CJUE, May 13, 2014, C-131/12, Google Spain SL et Google Inc. c. Agencia Española de Protección de Datos (AEPD) et Mario Costeja González.
