Recent amendments to Québec’s privacy legislation have introduced significant new obligations for businesses regarding the portability of personal information in Québec. These changes, brought by the Act to modernize legislative provisions respecting the protection of personal information (the Québec Privacy Act), are part of Québec’s last phase of ongoing efforts to enhance privacy protections. Among the revisions are those related to the right to data portability, particularly the obligations businesses now have when handling computerized personal information.
Key amendments
Section 27 of the Québec Privacy Act sets out how businesses must handle requests from individuals seeking access to their personal information. Now in force since September 22, 2024, section 27 with its amendment reads as follows:
“Every person carrying on an enterprise who holds personal information on another person must, at the request of the person concerned, confirm the existence of the personal information, communicate it to the person and allow him to obtain a copy of it.
At the applicant’s request, computerized personal information must be communicated in the form of a written and intelligible transcript.
Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant, and not created or inferred using personal information concerning him, must, at his request, be communicated to him in a structured, commonly used technological format. The information must also be communicated, at the applicant’s request, to any person or body authorized by law to collect such information.
If the person concerned is handicapped, reasonable accommodation must be provided on request to enable the person to exercise the right of access provided for in this division.”
As previously required, when information is computerized, businesses must provide it in a written and intelligible transcript. The amendment now obliges organizations to provide computerized personal data in a structured and commonly used format, allowing the data to be shared with other organizations or individuals, if the person concerned requests it and doing so does not raise serious practical difficulties. A person may also request that the information be communicated to any person or body authorized by law to collect such information.
This amendment facilitates interoperability by requiring organizations to transfer the data in a “structured, commonly used technological format,” thereby empowering individuals by giving them greater control over their data and making it easier to transfer their personal information.
We discuss some key considerations below.
1. Applicability and limits of the data portability right
The right to data portability is not absolute. For the new portability obligations to apply, requests must be made with respect to personal information that is:
- Computerized;
- About the individual; and
- Collected directly from the individual.
The amendment explicitly excludes personal information that is “created or inferred” by the organization, thus placing certain limitations on the types of information subject to portability. This exclusion likely serves to protect intellectual property or proprietary insights generated by businesses. For instance, profiles of customers created by an organization would not be subject to the portability right, whereas the underlying data making up that profile may well be. Anonymous information (information anonymized in accordance with the Regulation under the Privacy Act) will not be subject to the portability right.
The amendment’s scope is further limited by the provision that allows an organization to decline a request if fulfilling it presents “serious practical difficulties.” This provides some flexibility for businesses to assess and manage requests on a case-by-case basis. The Québec Privacy Act does not elaborate on what constitutes “serious practical difficulties,” and the expression remains open to interpretation, though it typically involves high costs or technical complexities. Should the requester disagree and complain to the regulator, the organization has the onus of demonstrating the nature of the serious practical difficulty and the impact it would have on the organization.
2. Understanding the obligation to provide data in a “Structured, Commonly Used Technological Format”
The core of the new data portability requirement lies in the provision of data in a “structured, commonly used technological format.” Similar amendments have been made to Québec’s Act respecting access to documents held by public bodies and the protection of personal information. As a result, the Québec public sector is now also required to release computerized personal data in a “structured, commonly used format,” unless doing so presents significant difficulties.
This further aligns public sector obligations with those of the private sector, reinforcing the principle of interoperability and ease of data transfer. Although this expression is not explicitly defined, the Government of Québec has published guidance on the matter, encouraging the use of formats that are recognized and easy to process by commonly used software applications, such as CSV, XML, or JSON. Formats like PDFs or proprietary formats requiring specialized software are not considered compliant.[1]
This mirrors the data portability principles in article 20 of the European Union’s General Data Protection Regulation (GDPR), which provides data subjects the right to receive their personal data in a structured, commonly used and machine-readable format. Under the GDPR, although the expression “structured data” is not specifically defined, guidance from the UK’s Information Commissioner’s Office (ICO) and France’s Commission Nationale de l’Informatique et des Libertés (CNIL) provides clarity on its meaning. In particular, “structured data” allows for easier transfer and improved usability, as it is organized in a way that enables software to readily extract specific elements. The ICO further defines structured data as information where the relationships between data elements are clearly defined and stored on a computer disk in such a way that these relationships are explicit. This structure ensures that data can be easily processed and used across different systems. Additionally, CNIL highlights that data formats must be adapted to the type of data concerned, giving preference to open, interoperable formats.
Organizations must consider the data portability right when implementing systems and processes. For instance, where the implementation of a new system that processes personal information is being contemplated, the privacy impact assessment should include an evaluation of the ability of that system to process and store information in one of the “structured, commonly used technological formats.” This could mean that systems using proprietary formats, or otherwise processing data in a manner that renders it inaccessible, may put the organization out of compliance.
3. Communication to a third party
Another key aspect of the right to data portability is the data subject’s ability to request that their personal information be shared with any person or organization “authorized by law” to collect such data. When transferring personal information to a third party, organizations must verify that the recipient has the legal authority to collect it. In Québec, privacy regulations outline specific legal requirements that the recipient must meet, as highlighted by the Government of Québec’s guidance on the right to portability.[2]
For instance, under the public sector Privacy Act (the Act respecting Access to documents held by public bodies and the Protection of personal information (Access Act)), public bodies can only collect personal information if it is necessary for carrying out their functions or implementing a program under their management. An organization contemplating honouring a portability request directing that the information be provided to a public sector entity will need to keep this in mind (as will any public sector entities).
Organizations (including private sector organizations) governed by the Québec Privacy Act must justify collection for a “serious and legitimate” reason and the data collected must be necessary for the purposes identified prior to collection. An organization considering honouring a portability request of this nature will need to satisfy itself that the recipient organization meets these criteria.
Additionally, organizations transferring personal information in response to a portability request must also consider the requirements of section 37 of the Civil Code of Québec, which emphasizes the need for a serious and legitimate interest in gathering personal information and restricts collection to only relevant data.
In practice, this means that before transferring personal information to a third party, the disclosing organization must confirm that the recipient has a legal right to collect the data. However, guidance from Québec’s Commission d’accès à l’information (the “Commission”) indicates that the responsibility to assess the necessity of the data collected rests primarily with the receiving organization.[3] This aspect remains ambiguous and has yet to be fully clarified by the relevant authorities.
4. Handling data portability requests
To effectively manage data portability requests, organizations must implement a structured and compliant process to ensure legal obligations are met and the privacy of individuals is respected. The procedure for responding to an individual’s request for access to his or her computerized personal information in a structured, commonly used technological format is the same as for any request for access or rectification. Among other things, the deadline for responding to such a request is also 30 days. A person who is dissatisfied with the response to his or her request may appeal to the Commission by filing a request for a review of the disagreement.
Below are key steps to follow when handling such requests:
Verify the identity of the requestor
Before processing any data portability request, it is critical to confirm the identity of the individual making the request. This ensures that personal data is only shared with the rightful data subject or an authorized party. Organizations should establish clear protocols for identity verification.
Determine feasibility and format
Next, organizations must determine whether fulfilling the request presents any serious practical difficulties, such as excessive costs or technical limitations. They must also determine which structured and commonly used format, such as CSV, XML, or JSON, or other acceptable format, is most appropriate in the circumstances, thereby ensuring the information can be easily shared with a designated recipient entity.
Implement security measures
Throughout the process, organizations must take steps to ensure the secure handling and transfer of personal data. Any potential security risks should be identified and mitigated to prevent unauthorized access to personal information.
5. Choice of format
In the context of data portability, an important question arises: can the requesting party demand the data in a format of their choice, or does the organization have the discretion to provide the information in a format that best suits its internal processes?
Under other Québec legislation, such as the Act to establish a legal framework for information technology and the Access Act, the party exercising their right of access to information is generally entitled to obtain a copy of the requested document in a format of their choice. In fact, section 23 of the Act to establish a legal framework for information technology essentially repeats the rule set out in section 10 of the Access Act, and acts in a suppletive manner where it adds that the wishes of the person having the right of access as to the medium or technology to be used must be taken into account, unless substantial practical difficulties would be involved, owing in particular to high cost or the information transfer required.
Although section 27 of the Québec Privacy Act is not exactly equivalent to the provisions described above with regard to the choice of medium on which an organization must transmit the documents in response to data portability requests, and Québec courts have not yet positioned themselves completely on the matter, we believe it follows the same rules: the individual’s choice of format is limited by practical difficulties. This criterion has been established by lawmakers to prevent situations where the requested format could cause undue hardship for the organization.
Practical implications for businesses
For businesses operating in Québec, these changes underscore the importance of reviewing current data management practices and ensuring compliance with the new portability obligations. Key considerations include:
- Adopting open formats: Businesses should prioritize using open and interoperable formats for data storage and transfer, such as CSV, XML, and JSON. Avoiding proprietary formats that require specialized software is critical.
- Inventorying personal data: Assess the types of personal data your organization collects, how it is stored, and whether it meets the criteria for data portability. This assessment will streamline your ability to respond promptly to portability requests.
- Assessing practical difficulties: While businesses can decline requests if they present serious practical difficulties, it is essential to document these challenges and ensure they are justifiable under the law.
- Meeting deadlines: As with other individual rights under Québec’s Privacy Act, businesses must respond to data portability requests within 30 days. Notably, there is no ability to extend this timeframe.
For more information on this topic, please contact Kirsten Thompson, Jaime Cardy or other members of the Dentons Privacy and Cybersecurity group. The authors would like to thank Charles Giroux, an articling student in the Montreal office, who made a substantial contribution to this post.
[1] Government of Québec (2024), Droit à la portabilité. [Online]: https://www.quebec.ca/gouvernement/travailler-gouvernement/travailler-fonction-publique/services-employes-etat/conformite/protection-des-renseignements-personnels/acces-aux-renseignements-personnels/droit-portabilite Consulted: September 3, 2024.
[2] Ibid.
[3] Commission d’accès à l’information, Responsabilité des entreprises : Communiquer des renseignements dans un format technologique. [Online]: https://www.cai.gouv.qc.ca/protection-renseignements-personnels/information-entreprises-privees/responsable-protection-renseignements-personnels-entreprise#portabilite. Consulted: September 3, 2024.