- As of September 22, 2024, the last chapter of a significant shift in data privacy will unfold in Quebec. The right to data portability takes effect under the newly amended Quebec Act respecting the protection of personal information in the private sector (“Quebec Act”). This represents a major development in privacy legislation, aligning closely with the European General Data Protection Regulation (GDPR). Section 27 of the Act establishes the right to data portability.
1. This is What You Need to Know:
1.1. What is the Right to Data Portability?
- Access and control. The right to data portability is an extension of the right to access. It allows individuals to obtain their personal information from an organization and transfer it to another. This right aims to empower individuals by giving them greater control over their personal information and enhancing competition by simplifying the switch between service providers.
1.2. Key Features of the Quebec Act
- Scope of the data portability right. The right pertains to computerized personal information collected from the individual. This excludes information that was created or inferred by the organization, to protect commercial interest of businesses. Further, the right to data portability does not apply to information otherwise exempted by the right of access, like information that would reveal personal information from a third party.
- Transfer. Computerized personal information collected from an individual is, at their request, communicated to them or to any person or organization authorized by law to collect such information, at the applicant’s request.
- Format. Organizations must provide the data in a structured, commonly used and technological format. Following the European example[1], “a structured, commonly used and technological format” should be understood as the means to comply with minimal requirements facilitating interoperability of the data format provided.
- Fees. The Quebec Act does not explicitly prohibit charging fees, contrary to the GDPR.
- Destruction. An individual’s exercise of the right to portability does not entail the destruction of the information transferred, which must be kept by organizations to meet their legal or contractual obligations.
2. This is What You Need to Do
2.1. Practical Implications for Organizations
- As organizations prepare to comply with the new requirements under the Quebec Act, several issues remain outstanding. Further guidance will be required to fully grasp compliance requirements in Quebec. Yet, the following steps are to be considered.
- Update policies. Ensure your privacy policies clearly inform individuals of their right to data portability and how they can exercise it.
- Train and raise awareness. Train employees on the new obligations and how to handle requests under the Act. Ensure that your processes are designed to handle these requests efficiently and in compliance with the new regulations.
- Implement transfer mechanisms. Develop processes and tools for secure and efficient transfers of information. This might include adopting interoperable formats or utilizing secure messaging systems.
- Consider technological solutions. Explore tools and technologies that can facilitate data portability, such as data transfer APIs (Application Programming Interfaces), developing or enabling personal data access points or other personal data management systems.
[1]Guidelines on the right to data portability of the Article 29 Working Party, predecessor of the European Data Protection Board (https://ec.europa.eu/newsroom/article29/items/611233/en)