September 22 marks the coming into force of the latest provisions of the famous Bill 25. Unlike previous amendments, these new provisions not only impose new obligations for the protection of personal information, but also introduce a new “technological” right for all individuals in Quebec: the right to portability of personal data. Essentially, this new right will enable individuals whose personal information is concerned to obtain a copy of that information in a format that facilitates its transfer and re-use.
The usefulness or purpose of the right to portability
The first objective attributed to the right to portability is often an economic one, namely to promote free competition. By making personal information easily reusable by its owner, this right simplifies the process of changing service providers, which benefits consumers[1] .
It also gives rise to a principle of “informational self-determination”[2] , reinforcing an individual’s control over his or her personal information. An individual could retrieve his or her data for storage and personal use, or request that it be transferred to another company or organization of his or her choice.
Some would argue that the latter principle of control over personal information is more closely related to the objectives of privacy legislation than the former economic objective of free competition[3] . Nonetheless, the idea that emerges from these two principles is that of improving the efficiency and ability of requesters to take possession of their personal information and reuse it as they see fit. Some could see it as a “right of access 2.0”, or a more operational extension of this right.
How will such a process be possible?
The new wording of the Act respecting the protection of personal information in the private and public sectors stipulates that, at the request of the person concerned, personal information must be communicated in “a structured and commonly used technological format“[4] . It is this specific format that enables an individual to obtain all the information concerned with a single click or transmission, and to transfer it just as easily.
The terms “structured” and “commonly used” may seem imprecise or complex on first reading, but the idea is simple. The file containing your information must be easily readable by a computer. Commonly used software must be able to easily recognize and extract the information it contains[5] . The idea is to “automate” the process.
So what formats will be accepted?
To meet its legal obligation, a company should provide you with personal information in an open, interoperable format such as CSV, XML or JSON[6] . The data contained in these formats appears in code form, and although they are not very readable to the naked eye, they enable systems to communicate easily with each other. This is why it is so useful for people to obtain data in such a format, and to be able to store or transfer it without any additional manipulation on their part.
Let’s imagine that it’s 2026 and the right to portability is now in force. You want to change insurance companies. Your new company asks you for a substantial list of information that you have already provided to your old company in the past. At your request, your old company provides you with the list of information in a standard PDF file. Is your old company complying with its portability obligations?
The answer is no! A PDF file will not be considered a “structured” and “commonly” used format. This format is too difficult to process[7] .
Please note! You will always have the right to obtain your information or consult it in PDF or other text formats that are more suitable for reading. The right to portability is just another option available to you.
I have a business. What information is covered by this right?
For those responsible for implementing the law within an organization, an important question to ask is: what personal information is covered by the right to portability? While this may seem a simple question, its importance should not be underestimated. Properly identifying the personal information covered by this right is the basis of everything, especially when it comes to implementing IT systems.
Strictly speaking, the new provisions do not create an obligation for organizations to adopt processing systems that are technically compatible with the systems of other organizations. Yet the idea of efficiency and interoperability behind the right to portability encourages the adoption of such systems. The new provisions also require organizations to ensure that any project for the acquisition, development or redesign of an information system, or for the electronic delivery of services, enables the communication of personal information in a structured and commonly used format. In other words, new systems will have to allow for the implementation of the right to portability, or at least enable the communication of information in a format that complies with it. That’s why it’s important to target the information that will have to be available in this format.
The new wording reflects three criteria:
- the information must be personal to the applicant;
- this information must have been collected from the person and;
- it must be computerized personal information.
Information gathered directly from the person
This second criterion requires some clarification. That is, it must be information collected from the individual and not information inferred or created from personal information about the individual[8] .
Personal information is collected “from the individual” when it comes directly from that person. Examples include information provided on an electronic form or when creating a user account.
Information can also be collected indirectly from the user. Examples include a purchase history or a geolocation history. In these examples, through their activities or interaction with a service, an individual provides personal information, but without necessarily having entered it into the application or platform. This information nevertheless comes directly from the individual.
In contrast, personal information created or inferred from other personal information does not come directly from the individual and is therefore excluded from the right to portability. Let’s take the example of purchase history. A person buys a Staedtler pencil and ruler. A website algorithm then determines that she is likely to like a Staedtler brand compass. The algorithm also determines that this person has a student buyer profile.
Her purchase history, consisting of two items purchased, is information that comes directly from this person and is therefore covered by the right to portability. On the other hand, the fact that she might like a Staedtler brand compass, or that she is identified as a student, is not information covered by the right to portability. As the latter is inferred from her purchase history, it does not come directly from the individual.
Computerized personal information
This third criterion of computerized personal information is simple, but nonetheless imprecise. Clearly, personal information collected on paper is excluded from the right to portability, since it is not computerized[9] . But what happens to this information once the document has been digitized? Will all the information a company holds in digitized format be covered by the right to portability?
Two important points should be made in this regard. The first is that the right to portability does not require an organization to retain personal information longer than its retention schedule allows. Old information held by the organization that can be destroyed according to its retention schedule therefore does not have to be included in the right to portability. Secondly, an important exception is made for cases where the right to portability poses serious practical difficulties.
All this information will therefore have to be available in this structured, commonly used format?
The new sections on the right to portability contain an important exception. That is, an organization may refuse to disclose personal information in a structured and commonly used format if this “raises serious practical difficulties”. In other words, if, for whatever reason, the information in the company’s possession is in a format that poses serious difficulties in transferring it to a commonly used, structured format, or if this transfer would entail significant costs, the company may refuse such a request for communication.
In practice, such a limit is necessary to ensure effective implementation of the right to portability. We must not ignore the challenges facing companies and organizations seeking to comply. What’s more, in Europe, the implementation of this right has proved rather arduous[10] .
Although the right to portability is not exclusively limited to data considered useful and relevant to the services offered by competitors of the company holding the personal information[11] , the idea remains that this data must be useful to the requester. Personal information communicated in a specific format is communicated for the purpose of automatic data extraction and efficiency. Thus, to ask a company to make available all the personal information it holds on an individual is unrealistic in practice, without recourse to the exception of “serious difficulties” for some of it.
This exception also takes on its full meaning when we place the right to portability in the legislative context of information protection in Quebec, more specifically when it is analyzed alongside the right of access to personal information. Whether we call the right to portability a “Right of access 2.0” or an extension of this right of access, the fact remains that their ultimate function differs. The right to portability emphasizes the principles of efficiency, automation and re-use of information. In so doing, it aims for more dynamic and operational management. It is therefore not shocking that the pool of information available in this specific format is more circumscribed than that covered by the right of access, which, for its part, aims to ensure an organization’s principle of transparency[12] .
A company’s first priority should therefore be to make available, in a “structured and commonly used” format, information that is useful and relevant to its service or product. After all, automating this process also has advantages for companies, reducing the need for manual intervention to respond to customer requests.
Sources:
[1] Pellegrini, F. (2018). The portability of data and services. Revue française d’administration publique, 167, 513-523. https://doi.org/10.3917/rfap.167.0513, par. 15.; and BLG Avocats (2022, October). Réforme des lois québécoises en matière de protection des renseignements personnels: Guide de conformité pour les entreprises. https://www.blg.com/fr/insights/2021/11/quebec-privacy-law-reform-a-compliance-guide-for-organizations, p. 35.
[2] Pellegrini, F. (2018). The portability of data and services. Revue française d’administration publique, 167, 513-523. https://doi.org/10.3917/rfap.167.0513, par. 2.
[3] Terwangne, C. de, Rosier, K., Poullet, Y., Centre de recherche Information, droit et société, & Groupe Larcier. (2018). Le règlement général sur la protection des données (rgpd/gdpr) : analyse approfondie (Ser. Collection du crids, 44). Éditions Larcier. Retrieved 2023, Retrieved from https://www.stradalex.com/fr/sl_mono/toc/REGEPRODO/doc/REGEPRODO_001., p. 17
[4] An Act to modernize legislative provisions respecting the protection of personal information, LQ 2021, c 25, ss 30 and 120.
[5] Government of Quebec (2023, June 22). Right to portability. Quebec.ca. https://www.quebec.ca/gouvernement/travailler-gouvernement/travailler-fonction-publique/services-employes-etat/conformite/protection-des-renseignements-personnels/acces-aux-renseignements-personnels/titre-par-defaut. And; Commission Nationale de l’Informatique et des Libertés (CNIL). (2018, May 25). The right to portability: obtain and reuse a copy of your data. Retrieved from https://www.cnil.fr/fr/le-droit-la-portabilite-obtenir-et-reutiliser-une-copie-de-vos-donnees
[6] Right to portability. Quebec.ca.
[7] Préc, Right to portability. Quebec.ca. and; Préc., le droit à la portabilité : obtenir et réutiliser une copie de vos données, CNIL.
[8] An Act to modernize legislative provisions respecting the protection of personal information, LQ 2021, c 25, ss 30 and 120.
[9] Right to portability. Quebec.ca.
[10] Chartered Professional Accountants Canada (2021), Implementing Data Portability: Lessons for developing a Canadian model, https://www.cpacanada.ca/-/media/site/operational/sc-strategic-communications/docs/02702-sc-portabilite-donnees.pdf, p. 23 and 24.
[11] On reading the new wording of the right to portability and by analogy with the European right to portability see in particular: Article 29 Working Party, Guidelines on the right to data portability, April 5, 2017, WP 242 rev. 01, p. 6.
[12] Griguer, M. (2018). Right of access, right to portability: what are the differences? Communication Commerce électronique, (4), Dossier 13