Solving the Law 25 Puzzle: Revealing the Principles of Data Transfer Rights
Starting September 22, 2024, individuals in Quebec will have greater control over their personal information, as the Quebec government introduces new data portability rights under the amended Act Respecting the Protection of Personal Information in the Private Sector.
The Right to Data Portability
Organizations in Quebec must enable individuals to obtain and transfer their personal information held by the organization to another organization in a commonly used, structured, and interoperable format. This right empowers individuals to take their data across service providers, consistent with modern privacy principles as enacted in Quebec’s private sector privacy law.
Company Obligations
Organizations must comply with requests to transfer personal information directly to another organization when technically feasible, ensuring the transfer does not compromise privacy or security. They should also respect the purpose and scope of consent given by individuals, confirm identity before transferring data, and ensure transparency regarding the data portability process.
Security Measures
Safeguards must be maintained to protect the confidentiality and integrity of personal information during the portability process. The Quebec government and the CAI suggest that "structured" and "commonly used" refer to open and interoperable formats that can be easily recognized, extracted, and processed by widely available software.
Conditions and Limitations
The scope of data portability requests is limited to "computerized personal information collected from the applicant". Formats such as images and PDFs do not meet the requirements for data portability.
Organizations must collect data for a "serious and legitimate" reason, and the data must be "necessary" for the purposes identified prior to collection. Other recipients must also collect data for a "serious and legitimate" reason, and the data must be "relevant" to the stated objective of the file.
Enforcement and Compliance
Non-compliance with data portability obligations may lead to enforcement actions, including possible penalties. The Quebec Commission d’accès à l’information (CAI) has provided a detailed data portability checklist for AccessPrivacy subscribers to ensure comprehensive compliance.
The National Privacy and Data Management team has prepared an Update to help organizations prepare for these changes. Organizations launching a new project for acquiring, developing, or overhauling an information system or electronic service involving personal information must conduct a privacy impact assessment and ensure that computerized personal information can be provided in a structured, commonly used technological format.
Accessing and Sharing Personal Information
Individuals will have the right to request that an organization provide them with computerized personal information collected from them in a structured, commonly used technological format. They can also request that an organization provide this information to another person or organization authorized to collect the information. The entity handling a request to transfer information in a data portable format must verify that the third party recipient is legally authorized to collect the information before granting the request.
At the applicant's request, computerized personal information must be communicated in the form of a written and intelligible transcript. Organizations must provide personal information to authorized third parties upon request, provided that the data recipient complies with legal obligations for collecting personal information.
Public bodies, enterprises, and other recipients must meet specific conditions to be considered "authorized by law" to collect personal information.
These provisions aim to empower individuals by facilitating control over their personal information and enabling data transfer across service providers. For comprehensive compliance, organizations should refer directly to the amended Quebec Act text and CAI official guidance published around the effective date.
Organizations in Quebec are required to enable the transfer of personal information to another organization in a commonly used, structured, and interoperable format, as outlined in the amended Act Respecting the Protection of Personal Information in the Private Sector. They should comply with requests to transfer personal information directly to another organization when technically feasible, while ensuring that the transfer does not compromise privacy or security.
By facilitating the transfer of personal information, the Quebec government's data portability rights aim to empower individuals to take their data across service providers, consistent with modern privacy principles as enacted in Quebec’s private sector privacy law.