Pack Your Digital Bag, Because Law 25’s Data Portability is Finally Here

On September 22, 2024, Stage 3 of Quebec’s Law 25 came into effect and with it, the right to data portability. As a refresher, Law 25 has been implemented in stages over the years. Stage 1 took effect in September 2022 and addressed the mandatory designation of a Privacy Officer and PIAs. Then, in September 2023, Stage 2 came into play which focused on Accountability, Consent, Transparency, and Individual Rights. Finally, we have arrived at Stage 3 which centers around Data Portability rights.

Before we dive into the practical steps your company should take to prepare for data portability, let’s do a quick crash course on what this new right is.  

Data Portability Crash Course

Under Law 25, the right to data portability is another data subject right that a company is obligated to consider and deliver in the correct format, with some degree of exception as outlined by the regulation below:

“ […] Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant, and not created or inferred using personal information concerning him, must, at his request, be communicated to him in a structured, commonly used technological format.”

In other words, a data subject has the right to ask a company that collected their personal information to make a copy of all the permitted data, package it up in a digital, readable format, and either transfer it to another company of the data subject’s choosing or simply deliver a copy to the data subject. This right gives data subjects more autonomy if they want to be frequent flyers among different companies, and it fosters more competition in the business economy. By circumventing “vendor lock-in”, data subjects can transfer their data with ease, and companies must provide a structured and secure pathway for them to do it.

Data Portability Limitations

However, as great as data portability may sound for some individuals, it is not without its limitations. We can garner a deeper understanding of Law 25’s right to data portability by looking at what has been done via GDPR which served as a model for Quebec’s privacy law formulation. As Quebec regulators come to understand how data portability will play out in scope on Canadian soil, they may turn to the guidelines published by the European Data Protection Board (EDPB).

Firstly, as explained by Law 25 and the EDPB, this right is limited to the (digital, not paper) personal data provided by the data subject and doesn’t apply to data collected from third-party sources or data that was inferred or created by the data controller. For example, if an online service analyzes your browsing habits to create a profile of your interests, this profile is not covered by the right to data portability. Additionally, the right to data portability also applies to any personal data generated by a data subject’s activity while using a service. For example, data generated by your activity on a social media platform, such as posts, likes, and comments, is covered by this right.

The type of portable personal data that falls under the purview of this right also includes pseudonymous data (since it can still be linked to an individual through a secondary source), but does not, however, include anonymous data.

Action Items

Now that we all remember what data portability is, let’s get back to business, specifically your business.

If you conduct business in Quebec, it may seem daunting to navigate so many different, intersecting privacy laws, but that doesn’t need to be the case. There are some key steps to consider to best prepare your business for complying with Law 25 and abiding by the right to data portability for your clientele. Ultimately, companies collecting personal data from Quebec residents should complete a gap assessment of their current policies and procedures and make amendments where needed.

Here is a breakdown of the 10 Practical Steps you can take:

1. Accountability for Data Portability: If you don’t already have one in place, Law 25 mandates companies to designate an individual responsible for overseeing the protection of personal information – this can be a Privacy Officer or a virtual Privacy Officer. When it comes to data portability, a Privacy Officer plays a substantial role in facilitating data access and portability requests and doing so within the lines of compliance. A Privacy Officer will likely rely on the assistance of their IT and legal teams when it comes to dealing with the technical and legal requirements of securely and compliantly transmitting personal data. Ultimately, the data controller is responsible for ensuring that data portability requests are handled appropriately.

2. Logistics: A data portability request must be processed within 30 days of receipt. In addition, the company must verify the identity of the applicant to lawfully process it.

Furthermore, the right to data portability entitles an individual to two things: (1) Receive a copy of their personal data; and/or (2) have their personal data transmitted from one company to another company through automated means.

In terms of transporting data in a “structured, commonly used technological format”, Quebec regulators recommend that companies use an open format, such as CSV, XML or JSON, to facilitate portability. Formats considered unstructured or difficult to process include images, PDFs, and anything that requires specific software or licenses to read. If a data portability request specifically asks for images and PDFs, the company can argue that these formats raise “serious practical difficulties” and may not be obliged to comply with the request in these formats.

The cherry on top of a data portability request is record-keeping! Don’t forget to document the entire process, including the request, the transfer method, and any communications with the vendor and the new data controller.
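To make the scope rules from the crash course (provided and activity-generated data in, inferred and third-party data out) and the format and record-keeping points of this step concrete, here is an added example; it is not code from the original post or from any regulator. The provenance tags, the sample record, the function names and the "download portal" transfer method are constructed assumptions. The routine refuses to run until the applicant's identity is marked verified, releases only in-scope attributes, serialises them to JSON or CSV, and produces the record-keeping entry with the 30-day deadline computed from the date of receipt.

```python
"""Minimal data-portability export honouring the scope rules described above.

Added example with constructed data; provenance tags and names are assumptions,
not terms defined by Law 25 or any product.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# In scope: data the subject provided and data generated by their own activity.
# Out of scope: data the controller inferred or collected from third parties.
PORTABLE_PROVENANCE = {"provided", "activity"}

# Constructed sample record for one data subject (pseudonymous id, so it
# remains linkable to the person and is therefore in scope).
SAMPLE_RECORD = {
    "subject_id": "subj-0001",
    "attributes": [
        {"name": "email", "value": "alice@example.com", "provenance": "provided"},
        {"name": "display_name", "value": "alice", "provenance": "provided"},
        {"name": "posts", "value": ["hello", "second post"], "provenance": "activity"},
        {"name": "interest_profile", "value": ["hiking", "cameras"], "provenance": "inferred"},
        {"name": "credit_band", "value": "B", "provenance": "third_party"},
    ],
}

# Constructed date of receipt used by the demo and the tests.
SAMPLE_RECEIVED_AT = datetime(2024, 10, 1, tzinfo=timezone.utc)


def portable_attributes(record):
    """Return only the attributes that fall within the portability right."""
    return [a for a in record["attributes"] if a["provenance"] in PORTABLE_PROVENANCE]


def withheld_attributes(record):
    """Return the attributes excluded from the export, for the audit record."""
    return [a["name"] for a in record["attributes"] if a["provenance"] not in PORTABLE_PROVENANCE]


def export_json(record):
    """Serialise the in-scope data as an open, machine-readable JSON document."""
    data = {a["name"]: a["value"] for a in portable_attributes(record)}
    return json.dumps({"subject_id": record["subject_id"], "data": data}, indent=2, sort_keys=True)


def export_csv(record):
    """Serialise the in-scope data as CSV; nested values are embedded as JSON text."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["attribute", "value"])
    for a in portable_attributes(record):
        value = a["value"]
        if isinstance(value, (list, dict)):
            value = json.dumps(value)
        writer.writerow([a["name"], value])
    return buf.getvalue()


EXPORTERS = {"json": export_json, "csv": export_csv}


def fulfil_request(record, fmt, identity_verified, received_at, transfer_method):
    """Produce the export payload and the record-keeping entry for one request.

    Identity verification is a precondition; the 30-day deadline is counted
    from the date of receipt.
    """
    if not identity_verified:
        raise PermissionError("applicant identity must be verified before processing")
    if fmt not in EXPORTERS:
        raise ValueError(f"unsupported format {fmt!r}; offer one of {sorted(EXPORTERS)}")
    payload = EXPORTERS[fmt](record)
    log_entry = {
        "subject_id": record["subject_id"],
        "received_at": received_at.isoformat(),
        "due_by": (received_at + timedelta(days=30)).isoformat(),
        "format": fmt,
        "transfer_method": transfer_method,
        "attributes_released": [a["name"] for a in portable_attributes(record)],
        "attributes_withheld": withheld_attributes(record),
    }
    return payload, log_entry


if __name__ == "__main__":
    payload, entry = fulfil_request(SAMPLE_RECORD, "json", True, SAMPLE_RECEIVED_AT, "download portal")
    print(payload)
    print(json.dumps(entry, indent=2))
```

The record-keeping entry lists both what was released and what was withheld, so the file the Privacy Officer keeps shows why inferred or third-party attributes are absent rather than leaving the omission to be reconstructed later.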

3. Third-Party Vendors and DPAs: If the data in question resides with a third-party vendor, then the vendor can directly transfer the data to the new data controller if they have the capability and consent to do so. Alternatively, the vendor can transfer the data back to the original data controller, who then handles the portability request and transfers the data to the new controller. To facilitate seamless data portability requests between controllers and third parties, it is crucial to have a Data Processing Agreement (DPA). The DPA should specify whether the vendor will directly transfer the data or provide it to the controller for transfer. Companies should ensure that DPAs clearly outline the responsibilities of each party regarding data protection and obligations in fulfilling these requests.

4. Third-Party Data Recipients: In the process of transmitting data, the original data controller fulfilling the data portability request has three data recipient options. Before choosing one, however, it must first verify that the third-party recipient is legally authorized to collect and process the data subject’s personal information.

In Québec, a data recipient is considered “authorized by law” to collect information if it meets specific conditions: (1) for public bodies, the collection must be necessary for their functions or programs; (2) for enterprises, it must be for a serious and legitimate reason and necessary for the identified purposes; and (3) for other recipients, it must be for a legitimate reason and relevant to the stated objective.

5. Data Maps: Data maps help a company understand what types of personal information it collects, where it is stored, and how it flows through different departments. This is crucial for identifying data sources and addressing data portability requests quickly and efficiently, which will save your company time and resources. Data maps work both ways in a data portability request: they are useful both for companies sending personal data and for those receiving it. Data maps are especially helpful in knowing which personal data is permitted when a company finds itself asking which data belongs to the data subject requestor and whether it is anonymous or pseudonymous.

6. Use tools like a Customer Data Platform (“CDP”): To assist a company in being compliant with Law 25 and navigating data portability, using tools like a CDP is especially helpful. A CDP is effective because it provides a comprehensive view of customer data from various sources, making it easier to manage and export data and fulfill data portability requests. A CDP can show you the type of data you hold on a data subject and its source, which improves efficiency in fulfilling requests.

7. Update your Privacy Notice: Law 25, like other data protection regulations, mandates that companies inform users about their rights, including the right to data portability. Updating your privacy notice ensures that the company complies with these legal requirements and avoids potential fines. Amongst the list of data subject rights outlined in your privacy notice, data portability should be included if your company is conducting business that uses the data of Quebec citizens. The company’s privacy notice should also include instructions on how to make a request, or direct users to those instructions.

8. Ensure Data Portability Means: Companies must provide individuals with the ability to access and transfer their personal information upon request. Companies must implement specific procedures to securely receive and fulfill data portability requests. This can include user-friendly portals, download tools and Application Programming Interfaces (APIs) to facilitate these requests. Other means include handling requests via email or customer service channels; however, these options require thorough staff training to ensure safe handling. Ultimately, the means through which your company processes these requests must use secure transmission and a structured, machine-readable format. Additionally, if your company is on the receiving end of a data portability request, you must also ensure you have a secure way of receiving and storing the data.

9. Regular Training and Company Policies: Conduct regular training for employees on privacy practices and perform audits to ensure ongoing compliance with Law 25. This includes educating your employees on what to do if they receive a data portability request. Will they know who to go to or how to process it? And if they are processing a data portability request, are they doing it in compliance with Law 25? To complement thorough training, companies should update their internal privacy policies, including notices for employees, to ensure protocols for data portability requests are clearly outlined, communicated, and understood.

10. Update PIAs: The final step towards preparing for data portability is updating company PIAs to ensure any new initiative can comply with portability requests. Having an updated PIA can help identify and mitigate privacy risks associated with data portability. This includes assessing the security of data transfers, ensuring the company has the appropriate technical and organizational measures in place to facilitate requests, and ensuring that personal data is handled appropriately. In addition, to comply with Law 25, the Québec government recommends providing features that enable individuals to download their personal information. The availability of this feature is an example of a technical consideration when conducting a PIA.

As we navigate the final stage of Law 25, it’s clear that the right to data portability marks a significant shift towards greater data autonomy and transparency. This newfound freedom allows data subjects to pack their digital belongings and switch service providers with ease, much like frequent flyers navigating through the digital airspace. While there are challenges and limitations to consider, the benefits of empowering individuals with control over their personal information cannot be overstated and should not be seen as a punishment for companies. By embracing these changes, companies not only comply with legal requirements but also build trust and foster stronger relationships with their customers.