This article is an update of our article published on May 22, 2024.
On September 22, 2024, the right to portability came into force in Québec. This new right, integrated into the Act respecting the protection of personal information in the private sector (“Private sector act”) and the Act respecting Access to documents held by public bodies and the Protection of personal information (“Act respecting access”), allows the person concerned to request that their computerized personal information be communicated to them in a technological format. On September 5, the Commission d’accès à l’information (“Commission”) published information intended for citizens, businesses and public bodies regarding the new right to portability. This article takes the Commission’s position on this matter into account.
In concrete terms, what does this right mean?
- A person carrying on an enterprise and a public body must provide the person who requests it with the computerized personal information they hold on that person, in a structured and commonly used technological format;
- At the request of the person concerned, the enterprise or public body must communicate this personal information file to another enterprise or body designated by that person.
This right thus aims to:
- Allow the person concerned to have better control over their computerized personal information;
- Facilitate the steps that must be taken by the persons concerned when they wish to do business with another company to obtain services;
- Promote competition between businesses.
Scope of the right to portability and exclusions
The right to portability only applies to computerized personal information collected directly or indirectly from the person concerned. According to the Commission, information collected indirectly includes information generated by the activities of the person concerned, such as their purchase history, travel, driving habits, etc.
In other words, this right does not apply to the following personal information:
- Personal information collected or stored in paper format;
- Personal information collected from third parties (for example if you use a third-party platform to obtain application files for positions within your business);
- Information created or inferred (for example, a user profile created from a business intelligence algorithm or the risk level attributed to an individual by their insurance firm).
Substantial practical difficulties
Exercising the right to portability must not create substantial practical difficulties for the enterprise or public body. Neither the Private sector act nor the Act respecting access defines the notion of “substantial practical difficulties”, and the Commission considers that it should be analyzed on a case-by-case basis. For instance, the Commission states that it has previously concluded that the significant cost of following up on a request, or the complexity of a transfer in the form chosen by the applicant, can constitute “substantial practical difficulties”.
Prior verification
The communication of a computerized file containing personal information to the person concerned, upon their request, is likely to create new security risks. These risks arise both for the person whose personal information is covered by the request and for the enterprise or public body, which may reveal facets of its internal technological architecture in the process.
Thus, before communicating a personal information file to the person concerned or to a third party identified by that person, the business or public body must verify the identity of the requester and verify that they are indeed entitled to make a request. Given the security risks involved, this validation should be rigorous and the process documented.
Particular caution may be necessary in the event that the portability request comes from a minor 14 years of age or older, as the law authorizes access to the personal information of these minors to both the holder of parental authority and the minor.
Use a structured and commonly used technology format
There is no definition or example accepted in the legislation as to what constitutes a “structured and commonly used technological format”.
The essence of the right to portability is to allow the person concerned to obtain their personal information and to be able to reuse it with other enterprises or public bodies. The requirement relating to the technological format must therefore be read in this light. In accordance with the explanations provided by the Québec government, which the Commission endorses, a format is “structured and commonly used” when commonly used software applications can easily recognize and extract the information it contains. In the public sector, the Québec government and the CNIL (in France) recommend formats such as CSV, XML, JSON, ODT and ODS and advise against formats such as images or PDFs. In the private sector, the technological format may vary depending on the industry.
The concept of what qualifies as a “structured format” under the legislation remains to be defined. Eventually, it is possible that businesses, for which the structuring of data and personal information is rooted in their business intelligence and marketing strategies, may be tempted to develop specific practices in order to comply with the right to portability without compromising the confidentiality of their data architecture.
Moreover, the Commission provides that while there is no legal requirement for businesses to adopt and use interoperable systems, interoperability is crucial to supporting smooth transfers of personal information so that all persons concerned can fully enjoy the right to portability.
Response times
The person in charge of the protection of personal information must respond in writing within the time limit set out in the law: 30 days following the date of receipt of the portability request for an enterprise, and 20 days (or 30 days if an additional 10 days is requested) for a public body. A person who is unsatisfied with the response can file an application with the Commission.
As with any other request, a public body or an enterprise may ask the Commission to authorize it “to disregard applications that are obviously improper by reason of their number or their repetitious or systematic nature or applications that, in the opinion of the Commission, are not consistent with the object of this Act.” Use of this exception could be considerably increased if the right to portability is misused (for example, as part of a concerted strategy by employees of a company seeking to know the structuring of data at a competitor).
Transmission of personal information file
The transmission of the file containing the personal information of the person concerned must be carried out in a secure manner, taking into account the sensitivity of the information transmitted.
In addition, the transmission must comply with the security requirements set out in applicable laws, regulations and directives, in particular the rules adopted by certain professional orders.
Projects to acquire, develop or overhaul an information system or electronic service delivery system
The law requires that the right to portability be taken into account in any project to acquire, develop or overhaul an information system or electronic service delivery system. Thus, it will be necessary to verify that the information systems concerned include a function allowing the extraction of personal information collected directly from the person concerned.
The practical modalities related to the implementation of the right to portability will also have to be considered and analyzed in the context of such projects.
Right of access vs. Right to portability
The right to portability does not broaden the scope of the person concerned’s right of access, i.e. their right to receive communication of a document or of personal information.
The person concerned also retains the right to request a written and intelligible transcription of their computerized personal information. This could consist of the communication of a list of computerized personal information by means of a letter sent to the individual concerned.
How to prepare for the coming into force of the right to portability?
Here are some good practices to help you prepare for the coming into force of the right to portability.
Prepare an inventory of personal information
- Ensure that you have an up-to-date map (inventory) of the personal information collected and retained by your organization.
- Ensure that your map identifies the means by which each item of personal information is collected, so that computerized information can be distinguished from the rest, and that it identifies the systems/servers that host that personal information.
- Review, if applicable, how personal information is structured in your technological architecture and consider the possibility of putting measures in place to allow the communication of personal information in a structured format without compromising the confidentiality of your technological architecture.
- Review the need to collect or retain certain personal information.
- Consider the possibility of keeping certain personal information in paper format only.
Define the portability processes
- Define the IT and HR processes required to operationalize responses to portability requests.
- Determine the data formats that will be used to provide personal information to the persons concerned.
- Adopt a robust identity verification process.
- Document responses to portability requests.
- Implement security measures to protect personal information during the transfer.
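The format passage above (CSV and JSON as “structured and commonly used” formats) and the portability process steps just listed can be tied together in a small tool. The following Python script is an added example, not code from the article, the Commission or any vendor. It assumes a hypothetical inventory in which every computerized field is tagged with how it was obtained (direct, indirect, third_party, inferred or paper), and it uses constructed sample data: it releases only directly or indirectly collected fields, withholds inferred and third-party data, refuses to produce a file until identity verification has succeeded, and records the response deadline (30 days for an enterprise; 20 or 30 days for a public body) in a log entry that documents the request.

```python
"""Portability export helper (added example; not the article's or the
Commission's own code). Assumes a hypothetical field inventory tagged by
provenance and an in-memory record for one person."""
import csv
import io
import json
from datetime import date, timedelta

# Only information collected directly from the person, or generated by the
# person's own activity (indirect), is covered by the right to portability.
PORTABLE_SOURCES = {"direct", "indirect"}
EXCLUDED_SOURCES = {"third_party", "inferred", "paper"}

# Constructed sample inventory: hypothetical field names and systems.
INVENTORY = {
    "email":            {"source": "direct",      "system": "crm"},
    "postal_address":   {"source": "direct",      "system": "crm"},
    "purchase_history": {"source": "indirect",    "system": "orders"},
    "reference_letter": {"source": "third_party", "system": "hr"},
    "churn_risk_score": {"source": "inferred",    "system": "bi"},
    "signed_contract":  {"source": "paper",       "system": "archive"},
}

# Constructed sample record for one person (fictitious values).
SAMPLE_RECORD = {
    "email": "person@example.com",
    "postal_address": "1 Example Street, Montréal",
    "purchase_history": [{"order": "A-1", "amount": 42.0}],
    "reference_letter": "letter-2023.pdf",
    "churn_risk_score": 0.71,
    "signed_contract": "box 12, shelf 3",
}
SAMPLE_RECEIVED = date(2024, 10, 1)


def portable_fields(inventory):
    """Names of the fields that fall under the right to portability."""
    return sorted(f for f, meta in inventory.items()
                  if meta["source"] in PORTABLE_SOURCES)


def build_portability_file(inventory, record):
    """Reduce one person's record to the portable subset only."""
    keep = set(portable_fields(inventory))
    return {k: v for k, v in record.items() if k in keep}


def to_json(portable):
    """JSON rendering: one of the formats the article lists as structured."""
    return json.dumps(portable, ensure_ascii=False, sort_keys=True, indent=2)


def to_csv(portable):
    """CSV rendering as field/value rows; nested values are serialized as JSON."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["field", "value"])
    for field in sorted(portable):
        value = portable[field]
        if isinstance(value, (list, dict)):
            value = json.dumps(value, ensure_ascii=False)
        writer.writerow([field, value])
    return buf.getvalue()


def response_deadline(received, entity, extension_requested=False):
    """30 days for an enterprise; 20 days for a public body, 30 with extension."""
    if entity == "enterprise":
        days = 30
    elif entity == "public_body":
        days = 30 if extension_requested else 20
    else:
        raise ValueError("entity must be 'enterprise' or 'public_body'")
    return received + timedelta(days=days)


def process_request(inventory, record, received, entity,
                    identity_verified, extension_requested=False):
    """Return (portable_file_or_None, log_entry). Nothing is released
    unless identity verification succeeded; the request is always logged."""
    deadline = response_deadline(received, entity, extension_requested)
    entry = {
        "received": received.isoformat(),
        "deadline": deadline.isoformat(),
        "identity_verified": identity_verified,
        "fields_released": [],
        "fields_withheld": sorted(set(record) - set(portable_fields(inventory))),
    }
    if not identity_verified:
        return None, entry
    portable = build_portability_file(inventory, record)
    entry["fields_released"] = sorted(portable)
    return portable, entry


if __name__ == "__main__":
    released, log = process_request(INVENTORY, SAMPLE_RECORD, SAMPLE_RECEIVED,
                                    "enterprise", identity_verified=True)
    print(to_json(released))
    print(to_csv(released))
    print(json.dumps(log, indent=2))
```

The log entry is the documentation the article asks for: it records when the request arrived, when the answer is due, whether identity was verified, and exactly which fields were released or withheld, so a later review (or a complaint to the Commission) can be answered from the record rather than from memory.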
Update external policies and internal procedures
- Ensure that your enterprise privacy policy informs your customers of their right to portability and how they can request it.
- Describe in your internal procedures how to process a portability request, paying particular attention to the applicable response time.
- Make your employees aware of the right to portability.