Written By Caroline Poirier

Effective September 22, 2024, Quebec's data portability right will come into force, marking the final phase of the implementation of the amendments to the Act respecting the protection of personal information in the private sector (the Act) introduced in the Act to modernize legislative provisions as regards to the protection of personal information (Law 25), which began in September 2022.¹ This new right aligns with global trends that emphasize individual control over personal information. For businesses operating in Quebec, understanding the data portability right is essential, as it imposes significant obligations and is critical for both compliance and maintaining customer trust.

What is Data Portability?

In broad terms, data portability allows individuals to request the transfer of their personal information—either to themselves or another organization at their request. This right empowers consumers by giving them greater control over their data and making it easier to switch service providers.

Below are the key considerations.

What are the Requirements for Invoking the Data Portability Right?

1. Personal information must be computerized: Information in non-digital formats, such as paper records, is not subject to portability right. Although the Act does not explicitly define "computerized personal information," the Commission d'accès à l'information describes it as personal information organized and structured through information technology. 
2. Personal information must have been collected from the individual: The data must be obtained directly or indirectly from the individual. This includes information gathered through an individual's activities, such as history of purchase, travel and driving habits.²

What is Excluded from Portability?

Certain types of information are not subject to portability rights:

• Personal information inferred or created from personal information, such as user profiles created from the analysis of an individual's activities on the web,³ the level of risk associated with an individual by their insurance company.⁴
• Third-Party information: Personal information acquired from third-party sources is also outside the scope of portability.

What are the New Obligations for Service Providers as of September 22, 2024?

At the request of an individual, service providers must communicate the computerized personal information in a structured, commonly used technological format.

• Although this notion is not explicitly defined in the Act, the Quebec government clarifies that a format is considered "structured and commonly used" if commonly available software applications can easily recognize and extract the information.  Formats such as CSV, XML and JSON are deemed suitable for portability, while formats like images, PDFs or those requiring proprietary software or paid licenses are not.⁵

How Can Service Providers Prepare?

To comply with data portability requirements, service providers should take the following steps:

• Inventory your data: Understand what personal information is collected, how it is stored and whether it qualifies for portability. This will help streamline responses to portability requests.
• Develop a data transfer process: Establish procedures for managing data portability requests.
• Implement security measures: Transferring data can expose sensitive information to risks. Ensure robust security protocols are in place to verify the recipient's identity and protect data during the transfer process.
• Train your staff: Ensure your employees are familiar with the requirements of data portability and are trained to handle requests in compliance with the law.

By understanding data portability requirements and developing robust processes, businesses can not only remain compliant but also build stronger relationships with their customers, enhancing trust and loyalty.

We are grateful for the assistance of Alexia Armstrong, student-at-law, in connection with the preparation of this article.