
We are a Canadian company outside Quebec with a minority of customers in that province. We are trying to tighten up our compliance with Quebec's Law 25 on Privacy. The law says:

Personal information is any information which relates to a natural person and directly or indirectly allows that person to be identified.

It's the word "indirectly" that I'm not clear on. Suppose you store information about a person that, on its own, could not identify them uniquely because there are too many people in your customer base or community matching those attributes. E.g.:

{ Hair: "Brown", Eyes: "Blue", Height: "188cm" }

Now suppose there is a second set of information not stored by your organization but existing somewhere out in the world that could, if combined with the first set stored by your organization, uniquely identify the person. E.g.:

{ Birthdate: "1980-01-01", Hospital: "Mercy General", Sex: "Male" }

Neither set of data could uniquely identify a person currently living, but together they probably could, with a little digging. So is the first set of data considered personal if stored by an organization by itself?

My guess is, no. The information is only personal if they store both sets of data.

What do you think?

If the answer were yes, it could lead to ridiculous situations where you would need consent to record the tiniest bit of information about a person because, theoretically, it could be combined with a large amount of other information and uniquely identify someone. For example, even the timestamp of a single visit to a website could uniquely identify someone if combined with hundreds of other timestamps of visits by the same person. Effectively, this interpretation would make it impossible to store any personal information without consent, even the most obscure and innocuous information, because there would always be the possibility of combining multiple data sets to uniquely identify someone.

P.S. We are actually storing much more boring data, nothing nearly as sensitive as birthdate, sex, hospital, etc. This is just an example to try to make the question clear.

Jordan Rieger

2 Answers


Revisiting this question to document my own research, I still believe the answer is "no."

If it were "yes", it would allow reductio ad absurdum where the smallest bit of data about a person, even a single digit of a single timestamp of their last access to your site, could theoretically be combined with other data not stored by the organization and be the "last piece of the puzzle" that identifies the person, and therefore each digit would have full privacy protection.

This article, from a GDPR perspective, outlines reasons why certain routine data collection, such as timestamps and IP addresses, does not require consent in all cases, provided the data is handled and stored with care: https://www.termsfeed.com/blog/gdpr-log-data/. The article relies on the GDPR concept of "legitimate interest" to justify that.

Quebec Law 25 has a similar concept in section 12 which I believe would apply to many real-world cases that I envisioned when I asked this question. It says consent is not required to collect or use the information:

(3) if its use is necessary for the purpose of preventing and detecting fraud or of assessing and improving protection and security measures;

(4) if its use is necessary for the purpose of providing or delivering a product or providing a service requested by the person concerned;

(5) if its use is necessary for study or research purposes or for the production of statistics and if the information is de-identified.

There is also the concept of de-identified (anonymized) personal information:

For the purposes of this Act, personal information is (1) de-identified if it no longer allows the person concerned to be directly identified;

This doesn't specifically say whether information that is insufficient on its own to identify a person would be considered personal, but it does mean that such information doesn't have the same restrictions.

Jordan Rieger

Yes

At least, based on court interpretation of the GDPR

Personal information is any information which could, in conjunction with other data, theoretically identify a person, even if you don’t hold that data. For example, an IP address is personal information even though your organisation has no ability to link that IP address to a person: an ISP somewhere can.

However, I would be surprised if the Quebec law only allowed consent in order to comply. The GDPR allows 7 bases for collecting personal information.

Dale M