Québec’s New Data Portability Law: Key Features You Must Know
Starting on September 22, 2024, Québec’s new data portability law will take effect, introducing additional obligations on companies subject to the Act respecting the protection of personal information in the private sector (“Quebec Privacy Act”).
This data portability law was introduced by the Act to modernize legislative provisions respecting the protection of personal information (commonly known as “Law 25”), amending the Quebec Privacy Act.
Law 25 introduced various amendments to the Quebec Privacy Act, slated to take effect in three phases. The first phase of the obligations set out under Law 25 took effect on September 22, 2022, followed by a second phase on September 22, 2023. This year, starting on September 22, 2024, the third and final phase of the amendments to the Quebec Privacy Act, as provided by Law 25, will take effect, namely the data portability law.
In this article, we will provide you with an overview of the new data portability law requirements in the private sector under the Quebec Privacy Act, allowing you to take the proper compliance measures.
Let’s get started.
1. What is the legal basis for the new data portability law in the private sector?
The legal basis for the new portability law in the private sector is the new Article 27 of the Quebec Privacy Act, which reads as follows:
Every person carrying on an enterprise who holds personal information on another person must, at the request of the person concerned, confirm the existence of the personal information, communicate it to the person and allow him to obtain a copy of it.
At the applicant’s request, computerized personal information must be communicated in the form of a written and intelligible transcript.
Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant, and not created or inferred using personal information concerning him, must, at his request, be communicated to him in a structured, commonly used technological format. The information must also be communicated, at the applicant’s request, to any person or body authorized by law to collect such information.
If the person concerned is handicapped, reasonable accommodation must be provided on request to enable the person to exercise the right of access provided for in this division.
Now, let’s break it down in detail.
2. Who is subject to the portability law?
The new portability law applies to “every person carrying on an enterprise” who holds personal information on another person. The notion of “every person carrying on an enterprise” is defined broadly under Quebec laws. In essence, Article 1525 of the Civil Code of Quebec states that the “carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service, constitutes the operation of an enterprise.” In other words, if you do business in Quebec or engage in activities, commercial in nature or not, and hold personal information on an individual, you will need to comply with the new portability law.
3. What is the right to data portability?
The right to data portability means that any individual can request that an organization:
- confirm the existence of their personal information; and,
- communicate their personal information to them; or,
- allow them to obtain a copy of their personal information.
With the right to data portability, individuals are put in the driver’s seat with respect to the control of their personal information, allowing them to request and receive the communication of their personal information.
4. Are third parties authorized to receive the communication of personal information?
Article 27 of the Quebec Privacy Act states that an individual’s personal information must be communicated, at the individual’s request, “to any person or body authorized by law to collect such information.” Consequently, we could broadly interpret the authorized data recipient to include third parties such as an individual’s spouse, relative, or other persons designated by the individual, as well as any governmental body or agency authorized by law to collect the individual’s personal information.
5. What type of personal information is subject to data portability rights?
The new portability law specifically states that “computerized personal information” that is “collected from the applicant” and which is “not created or inferred using personal information” of the individual is subject to portability rights.
Let’s break down each of the required elements.
a) Computerized personal information
The first element to consider here is that portability rights concern “computerized personal information.” In other words, we can consider that personal information relating to an individual held on information technology systems is targeted by the portability obligation. Also, since the law specifically uses the term “computerized” to refer to the medium where the information is held, we could consider that other media may be excluded, such as personal information contained in “paper” format or handwritten documents.
b) Personal information collected from the applicant
The second element to consider is that the computerized personal information must have been collected “from the applicant.” This means that an individual can make a data portability request with respect to computerized personal information that they provided to the organization, either manually or through automated means.
c) Information that is created or inferred by the organization
The third element to consider is that information that was “created or inferred” by the organization using personal information is specifically excluded. In other words, an individual can only request that an organization provide their computerized personal information in its original condition. This legal exclusion is intended to protect companies from having to share information that may be considered their business confidential information, trade secrets, or more broadly, their intellectual property.
5. How must an organization communicate the personal information to an individual?
The new Article 27 of the Quebec Privacy Act states that an organization must communicate an individual’s computerized personal information in “the form of a written and intelligible transcript”.
Although the notion of a written and intelligible transcript is not specifically defined in the Quebec Privacy Act, we can look to Articles 19 and 23 of the Act to establish a legal framework for information technology, in an attempt to better interpret these terms. We could consider that the term “written” refers to information that is accessible by means of a written document, and the term “intelligible” refers to information that a person can understand.
Putting all of this together, the Quebec Privacy Act requires that the organization communicate an individual’s personal information in written form and in a manner that the individual can understand.
6. In what format will the organization need to communicate an individual’s personal information?
According to the Quebec Privacy Act, companies must communicate an individual’s personal information in a “structured” and “commonly used technological format.” The notions of “structured” and “commonly used” along with “technological format” are not specifically defined. As such, we could turn to comparable privacy legislation to interpret their meaning.
Here is what the United Kingdom’s Information Commissioner’s Office says:
“Where no specific format is in common use within your industry or sector, you should provide personal data using open formats such as CSV, XML and JSON. You may also find that these formats are the easiest for you to use when answering data portability requests.”[1]
As such, companies could use CSV, XML, and JSON as generally accessible formats to communicate an individual’s personal information.
The notion of “structured” could refer to information that is easily accessed and processed by individuals where data elements are clearly defined and separated.
The notion of a “commonly used” format could refer to a file format that is easily accessible to the public, widely adopted, and would not require specialized tools to access. We could also get inspiration from the notion of a “machine-readable format” used under the General Data Protection Regulation in Europe referring to a format that can be easily parsed by a computer and is interoperable with other technological systems.
Putting all of this together, we could say that an organization must communicate an individual’s personal information using a file format that is easily accessible to the general public, where the data elements are structured, and that individuals can access their personal information without needing to use specialized software or tools.
7. Can organizations refuse to communicate personal information further to a data portability request?
In certain circumstances, organizations may refuse to comply with an individual’s data portability request, particularly when doing so “raises serious practical difficulties.” This means that if an organization would incur significant costs or have to deal with significant complexities to communicate the individual’s personal information in a structured and commonly used technological format, then it could refuse to comply with the data portability request. However, in the event of a complaint, the organization will bear the burden of demonstrating that the costs or complexities adequately justified its decision to refuse an individual’s data portability request.
Organizations could also rely on any exceptions applicable to an individual’s right to access their information. For example, an organization could refuse access to information where disclosure of the information would be likely to reveal the identity of a third party who has not consented to it, cause serious harm to the same, affect ongoing legal proceedings, or when the request is manifestly unfounded, excessive, or abusive.
8. Are there restrictions that may apply to portability rights?
We could reasonably identify a couple of instances where there may be restrictions applicable to an individual’s exercise of data portability rights, particularly when it relates to anonymous data and information that falls in the realm of a company’s proprietary information.
With respect to anonymous data, since the information no longer allows an individual to be identified and no longer relates to an identifiable individual, that information will no longer be portable. Also, information that has been significantly transformed or created in a way that involves intellectual property rights may be excluded from portability to protect the company’s rights.
Organizations should exercise care in ensuring that they balance their privacy obligations and the protection of their proprietary interests, bearing in mind that the existence of intellectual property rights might not serve as a “blanket” argument to deny an individual’s portability rights. The law specifically exempts organizations from communicating information that was “created” or “inferred” using an individual’s personal information. However, the exclusion does not necessarily extend to the personal information underlying the created or inferred information.
Conclusion
In conclusion, Quebec’s new data portability law marks an important shift in how personal information is handled within the province. By empowering individuals with the right to access and transfer their data, the Quebec Privacy Act reinforces the importance of transparency and control over personal information. For businesses, this law brings new obligations that must not be overlooked.
Ensuring compliance with these regulations is not just a legal necessity but a crucial step in building trust with your customers. Organizations operating in Quebec or subject to the Quebec Privacy Act should take the time to understand their new data portability obligations and update their data management practices accordingly. Doing so will not only allow them to meet their statutory obligations, but also strengthen their privacy posture as responsible custodians of personal information.
[1] Right to data portability, online (accessed on August 30, 2024)
A Cautionary Note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2024