This right, part of an international trend to give individuals more control over their own data, compels businesses and public bodies to provide individuals with computerized personal data they hold on the person in a structured and commonly used technological format. Individuals may also request that their computerized personal information be disclosed to any person or body authorized by law to collect such information.
Antoine Guilmain, Gowling WLG
The right to data portability, integrated into both the Act respecting the protection of personal information in the private sector (Private Sector Act) and the Act respecting access to documents held by public bodies and the protection of personal information (Access Act), comes into effect on Sept. 22, marking the last phase of Law 25, a major legislative reform passed in late 2021 that has been described as Canada’s most consumer-friendly privacy law. Law 25, formerly known as Bill 64, applies to all organizations “carrying on an enterprise” in Quebec that collect, process, use or disclose personal information of individuals in Quebec.
The data portability right is largely modelled after the European Union’s General Data Protection Regulation (GDPR), noted Constantine Karbaliotis, an expert in global privacy compliance and privacy management with nNovation LLP. The idea behind data portability, added Karbaliotis, was to allow individuals to “migrate” their data from social media and cloud storage platforms to prevent vendor lock-in. “This is similar to what’s existed for the past six years in Europe under GDPR, so in one sense, it’s not new,” said Karbaliotis. “It’s just that the rest of the world is catching up on Europe in terms of the rights that it gives to individuals. It’s just one more component of data subject access rights, the right to know what a company knows about you, have it deleted, have it corrected.”
Some sectors, notably technology, telecommunications and finance thanks to open banking, are expected to be more affected by s. 27 (3) of the Private Sector Act, the section that introduces data portability, noted Guilmain. “Not all organizations will be affected in the same way,” said Guilmain. “The right to data portability will target certain organizations in more competitive sectors and with a large number of users or consumers.”
The right to data portability, however, only applies to computerized personal information provided directly by the individual making the request, noted privacy experts. It does not apply to personal information collected or stored in paper format nor to personal information collected from third parties such as business partners, service providers or public databases like the Quebec Enterprise Register. Also excluded is personal information created or inferred by the organization such as a consumer profile or credit score.
Antoine Rancourt
But weeks away from being in force, there are still grey zones over the scope and application of data portability rights and how they will be enforced by the province’s privacy regulator, Commission d’accès à l’information du Québec (CAI), assert privacy experts. “Perhaps we need more guidelines on the modalities of this right, because at the moment, the way it’s been conceived, it’s pretty minimalist,” said Guilmain.
It is widely expected that Quebec’s privacy watchdog will turn to guidance and jurisprudence issued by European regulators. Even though there are nuances between different privacy laws around the world, including Law 25 and the GDPR, there is a “fairly global drive” to harmonize data protection requirements and standards, said Guilmain. Karbaliotis also believes that CAI will “inevitably” heed guidance by European privacy regulators since “we’re looking at essentially the same requirements expressed globally, and Europe has six years’ lead time in terms of dealing with these issues.”
Organizations have to forward personal information held on a medium that uses information technology and provide it in a format that is technological, structured and commonly used. But the notion of “structured and commonly used technological format” is not explicitly defined by Law 25, said Rancourt. In Europe, the former Article 29 Working Party issued guidelines that stated that data should be “structured, commonly used and machine-readable” to facilitate interoperability. France’s data protection authority recommends open formats such as CSV, XML and JSON as they are best adapted to data portability and advises against using formats such as images or PDFs.
There are also questions about the exceptions that can be invoked by organizations to refuse a data portability request. In cases where the data portability request raises serious practical difficulties for the organization, it may be exempted. But what constitutes “serious practical difficulties” has yet to be defined, noted privacy lawyers. Moreover, organizations will have to determine whether they are faced with a request of data portability or right of access, an exercise that “may cause headaches for companies,” said Rancourt of Langlois Lawyers LLP. “These are rights that exist concurrently,” added Rancourt.
Guilmain asserts that organizations will have to look at restrictions under the right of access before determining the exceptions that apply to data portability rights. “It’s very different from the European approach where they have a separate law, which is much simpler,” said Guilmain. “We have a right that is integrated into a pre-existing right. That’s why it raises a few difficulties because we can’t just think of the right to portability on its own but the right of access in conjunction with the right of access to personal information.”
Operational challenges loom ahead for organizations, particularly small to medium-sized enterprises (SMEs). A fundamental issue facing many organizations, but above all SMEs, is poor information governance, said Karbaliotis. Many businesses do not know what data they have and do not know who they are sharing it, either inside or outside the organization. SMEs, who principally rely on software provided by big companies, must begin to be “more selective” about the software they use to make sure “they can press a button” and give individuals the information that they requested, said Karbaliotis.
Data portability represents “real operational challenges,” said Karbaliotis. “This is part of a bigger information governance problem that companies in general have, which is that they’re not very well-equipped to respond to data subject access requests of any kind,” added Karbaliotis. “Poor information governance leads to poor privacy.”