New Data Portability Right in Force in Quebec

On September 22, 2024, a new individual right to data portability came into force under Quebec’s privacy legislation applicable in the private sector (the Act respecting the protection of personal information in the private sector or Quebec Privacy Act) and the public sector (the Act respecting access to documents held by public bodies and the protection of personal information or Quebec Access Act).

The coming into force of this new right constitutes the final phase of Quebec’s privacy reform following the enactment of An Act to modernize legislative provisions as regards the protection of personal information (introduced as Bill 64 and sanctioned as Law 25) in 2021.

Scope

The data portability right is an extension of the existing right to access personal information under the Quebec Privacy Act and the Quebec Access Act. It enables individuals to require an organization to communicate certain personal information to an individual or to another person or organization. This new right aims to enhance individual control over personal information and promote business competition by making it easier for individuals to obtain services from another organization.

The data portability right is introduced through a new section 27(3) of the Quebec Privacy Act (as well as a nearly identical right under section 84(3) of the Access Act), which reads as follows:

“Unless it raises serious practical difficulties, computerized personal information collected from the applicant, and not created or deduced from personal information concerning him or her, is, at the applicant’s request, communicated to him or her in a structured and commonly used technological format. This information is also communicated, at the applicant’s request, to any person or organization authorized by law to collect such information.”

There are several limits on the scope of the data portability right. First, it only applies to “computerized personal information.” According to guidance published by the Commission d’accès à l’information du Québec (CAI), available in French only, this term refers to personal information that is organized and structured using information technology. For example, personal information stored in paper form does not fall within the scope of this new right.

Second, only personal information that is “collected from the applicant, and not created or deduced from personal information concerning him or her” is targeted. Based on the CAI’s guidance, this includes personal information that was collected directly or indirectly from the individual. Information collected indirectly is broad in scope and may include purchase history, driving habits or other information that may be generated by an individual’s activities. However, data created or inferred by an organization through analysis, observation or algorithms (for example, the level of risk associated with an individual as assessed by their insurance company) would be excluded. Computerized personal information that an organization obtains from a third party would also be excluded.

Third, organizations are not required to accommodate requests that raise “serious and practical difficulties.” Determining whether a request gives rise to serious and practical difficulties requires a case-by-case analysis; however, the CAI’s guidance suggests that requests that would lead an organization to incur high costs or that are highly complex due to the applicant’s choice of format may raise such difficulties.

Transfer Obligations

Where an organization is required to communicate computerized personal information pursuant to a data portability request, it must communicate the information to the applicant and any other person or organization authorized by law to collect that information in a “structured and commonly used technological format.” According to the CAI’s guidance, which refers to a separate publication of the Government of Quebec on this point, a format will be “structured and commonly used” where commonly used software applications can easily recognize and extract the information it contains.

Organizations are required to respond to a data portability request within the timelines generally applicable to access requests under each of the Quebec Privacy Act and the Quebec Access Act. For instance, under the Quebec Privacy Act, a response should be provided within 30 days and if an organization refuses the request, it must provide the reasons for the refusal and inform the individual of the remedies available to them under the Quebec Privacy Act.

Organizations receiving data through a portability request (that is, those identified by the applicant) are not obligated to accept the personal information. Since transferred information can only be used for the purposes for which it was collected, the receiving organization must not keep or handle data that is not required for these same purposes, unless it obtains consent from the individual for new purposes.

Conclusion

The coming into force of the data portability right aligns the Quebec Privacy Act more closely with the European Union’s General Data Protection Regulation (GDPR), which includes a similar right. While each framework is distinct, the CAI may take inspiration from the more detailed European Guidelines on the Right to Data Portability as it begins to enforce new data portability obligations in Quebec.

As these new obligations take effect, organizations operating in Quebec should ensure that they have policies and practices in place to handle data portability requests. This includes policies and practices to address requests related to computerized personal information they hold, as well as computerized personal information held by third parties processing information on their behalf.

For further information, please contact the authors of this bulletin or any other member of our Privacy & Data Protection group.