Quebec’s Portability Regime
This article is part of our Law 25 Blog Series, which provides readers with a 360° view on Law 25 (formerly known as Bill 64) and its sweeping amendments to Quebec’s Act respecting the protection of personal information in the private sector (the “Private Sector Act”). To view other blog posts in the series, please visit this page. We have also put together a comprehensive toolkit for organizations looking for resources to understand and ensure that they are compliant with Law 25. This toolkit can be found here.
The final element of Quebec's comprehensive privacy law overhaul brought about by Law 25, portability, entered into force on September 22, 2024. Even though this final entry-into-force phase of Law 25 involves significantly fewer new obligations for organizations to comply with, there are still questions surrounding how to approach portability. This article outlines the main aspects of portability as defined in the Private Sector Act, addresses important questions for organizations, and sets out the compliance steps they should consider.
Portability in the Private Sector Act
Portability is an extension to the longstanding right of individuals to access their personal information held by an organization. Thus, alongside the unique particularities specific to portability, the existing conditions of applicability, limitations, timelines and procedures that must be employed to fulfill access requests under the Private Sector Act are also relevant to an organization’s compliance strategy.
We have reproduced article 27 of the Private Sector Act and have added colors to distinguish the different components of portability.
27. Every person carrying on an enterprise who holds personal information on another person must, at the request of the person concerned, confirm the existence of the personal information, communicate it to the person and allow him to obtain a copy of it.
At the applicant’s request, computerized personal information must be communicated in the form of a written and intelligible transcript.
If the person concerned is handicapped, reasonable accommodation must be provided on request to enable the person to exercise the right of access provided for in this division.
Important questions facing organizations
Let’s break down the portability right by addressing a few common, sequential questions.
Question 1: When does portability apply?
There are certain conditions (“Threshold Conditions”) that must be met for portability to apply. Namely, portability only applies to:
Question 2: Are there any limits to portability?
Meeting the Threshold Conditions referred to above is not the end of the story. Like a standard access request, portability is not an absolute right. Before complying with a portability request, it is important to ensure that the disclosing organization has considered the applicability of these limitations – some of which are mandatory (e.g. subject to certain exceptions, the organization must not disclose personal information about a third person, or the existence of such information, if doing so would seriously harm that third person). All of the limitations provided for access requests under the Private Sector Act also apply to portability. Additionally, the law provides a limitation that is unique to portability: organizations do not need to comply with a portability request that would raise serious practical difficulties. Quebec’s privacy commissioner, the Commission d’accès à l’information (“CAI”), points to two factors that may be considered when assessing “serious practical difficulties” in its portability guidance (“CAI Guidance”): (a) the incurring of significant costs to fulfill a request or (b) a heightened complexity due to the applicant’s choice of format. Note that the CAI Guidance can be found here. It is only available in French, so we have prepared an unofficial translation, available here.
Question 3: OK. I have a valid portability request and I’ve considered the limitations. Now what?
As we noted above, portability is an extension to the existing access right. Therefore, all of the steps that an organization must take to comply with a standard access request also apply. For instance, the organization on the receiving end of a portability request must respond to the requesting individual in writing within 30 days, and if the request is partly or fully rejected, the organization must provide its reasons.
Beyond that, the organization must also comply with the portability-specific requirements.
What should organizations do to comply?
Organizations should be proactive and prepare a plan and process before facing a portability request. Here are a few steps that organizations should consider taking:
- Data Inventory: Develop an inventory of the categories of personal information that the organization holds which meet the applicability criteria of portability. Organizations that already have personal information inventories should add labels to control for those criteria.
- Portability Hypothesis: Develop a hypothesis of which categories (if any) of personal information identified in the inventory are reasonably likely to be the subject of a portability request. This can help the organization build realistic expectations of how portability might affect it. The CAI Guidance offers useful perspective in this regard, as it suggests that the purpose of portability is to provide individuals with greater control over their personal information and to facilitate their efforts to obtain services from another public body or company.
- Portability Strategy: Document the organization’s compliance strategy and procedure, which might include the following.
  - The organization could develop a policy which defines portability and identifies the inventory of applicable (and likely) data that could be the subject of a portability request, and then sets out a procedure for handling such requests.
  - The organization may also choose to develop template responses to portability requests to append to their policy. If an organization already has a robust policy for handling access requests, then it may be simpler to adjust that policy so that it also reflects the specificities of portability.
  - The organization should consider how it will securely handle portability requests directing the organization to communicate the data to a third party. Some organizations have been encouraging individuals to directly obtain their data via user-friendly customer portals. This could, for instance, mitigate the incremental risk associated with an accidental unauthorized disclosure to a third party while also providing a great user experience.
- Privacy Impact Assessments: Organizations operating in Quebec must also conduct a privacy impact assessment (“PIA”) for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information (article 3.3 of the Private Sector Act). The PIA must assess whether the project allows the organization’s portability requirements to be complied with. More specifically, article 3.3 requires that a PIA ensure that computerized personal information can be communicated to individuals in a structured, commonly used technological format. Therefore, organizations must ensure that their PIA templates are constructed in a manner that allows this risk to be assessed (and naturally, if an organization doesn’t yet have a PIA strategy or template, then these must absolutely be put in place).
- Training and Awareness: As with any new privacy law compliance obligation, the organization should ensure that procedural and technical training is offered to management, IT, HR and other relevant units. Frontline employees might also benefit from learning about the basics of portability, in case they are asked about it.
Conclusion
With the entry into force of portability, it can now be said that organizations doing business in Quebec are operating in a new era of privacy compliance. The entry into force of portability also marks the one-year anniversary of the date on which the majority of the significant Law 25 amendments to the Private Sector Act came into effect. See below for a recap of the three entry-into-force phases, with a focus on the most significant wave on September 22, 2023:
The CAI has proven to be restrained thus far, as it focused on publishing guidelines and other educational content about Law 25. How long will this leniency last? It is anybody’s guess, but probably not for much longer. Therefore, prioritizing compliance now is critical, especially considering the significant potential fines. The Private Sector Act now provides for potential penal fines as high as the greater of $25 million or 4% of worldwide turnover for the preceding fiscal year (which amounts can be doubled for repeat offences) and monetary administrative penalties of up to the greater of $10 million or 2% of worldwide turnover for the preceding fiscal year.
To learn more about how our Cyber/Data Group can help you navigate the cyber and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.
For more details, you can also refer to McCarthy Tétrault’s Law 25 Compliance Toolkit.