Bill 64 proposes many amendments to the Private Sector Act and aims to enhance and modernize the protection of personal information held by businesses and to ensure individuals have better control over their own personal information.
In this context, Bill 64 creates the right to data portability, inspired by recital 68 and section 20 of the EU's General Data Protection Regulation (hereinafter the "GDPR") as well as the California Consumer Privacy Act ("CCPA"), which also provides for the right to data portability. It is therefore part of an international trend to give individuals more control over their personal information.
Purpose of the Right to Data Portability
As in the EU and California legislation, it would appear that the right to data portability provided under Bill 64 has two goals:
- increasing an individual's control over his or her own personal information; and
- stimulating competition by facilitating the transfer of information and therefore the possibility for the individual to more easily change service providers.
It's in this context that adding this right to the Private Sector Act was proposed.
The right to data portability, which can be seen as an extension of the right to disclosure or right of access, thereby allows individuals to receive the personal information that they have provided in a structured and commonly used technological format. At that person's request, this information will be transmitted to any other person or entity authorized by law to collect such information.
The Right to Data Portability Mechanism under Bill 64
Section 112 of Bill 64 introduces the right to data portability in section 27 of the Private Sector Act concerning the right of access. By doing so, it adds a particular aspect to the right of access, namely, a right of access in a technological format.
More specifically, it provides that any person is entitled to receive his or her personal information in the following circumstances:
Every person carrying on an enterprise who holds personal information on another person must, at the request of the person concerned, confirm the existence of the personal information, communicate it to the person and allow him to obtain a copy of it.
At the applicant's request, computerized personal information must be communicated in the form of a written and intelligible transcript.
Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant must, at his request, be communicated to him in a structured, commonly used technological format. The information must also be communicated, at the applicant's request, to any person or body authorized by law to collect such information.
This new right covers all personal information that a business holds on a person, excluding, it would seem, information created, derived, calculated or inferred from information provided by the data subject (e.g., user profile), which may have a commercial value for businesses. As such, this new right only relates to personal information provided by that person to the business. Moreover, it should be noted that any new information system or electronic service delivery must allow for portability.
Computerized personal information must be transmitted in the form "of a written and intelligible transcript" and in "a structured, commonly used technological format". This last expression mirrors that of the GDPR.
Lastly, it should be noted that the information that is the subject of a portability request may be transmitted to "any person or body authorized by law to collect such information."
This right is not absolute, because a business that holds the personal information may refuse to transmit it. In fact, just as article 12 of the GDPR gives the right to refuse the portability request (as well as the exercise of other rights) if the request is manifestly unfounded or excessive, in particular because of its repetitive character, the current and unamended version of this notion in the Private Sector Act provides that:
46. A person carrying on an enterprise who holds personal information on others may request authorization from the Commission to disregard applications that are obviously improper by reason of their number or their repetitious or systematic nature or applications that, in the opinion of the Commission, are not consistent with the object of this Act.
But, contrary to the GDPR, any business that does not wish to comply with a request must refer the matter to the Commission d'accès à l'information.
Moreover, given that this right to data portability, as it is currently drafted, seems more akin to a particular aspect of the right of access rather than an actual new right, questions remain unanswered and the right to data portability should be clarified.
Firstly, there is the question of whether there is a limit to the right to data portability. In its current form, section 112 of Bill 64 indicates that individuals are entitled to receive their personal information. But, while the GDPR specifies that in such a case, the individual is entitled to transmit it to another data controller, Bill 64 makes no such provision. It merely states that the transmission may be made to any person or entity authorized by law, which underscores the fact that the right to data portability is only an aspect of the right of access.
There is also the question of whether all personal information can be the subject of a portability request or if it is limited to a certain quantity, a particular purpose or a request in a certain time frame. For example, where a person wishes to change service providers, is the information that is the subject of a portability request strictly limited to that which is necessary or useful for that purpose?
Then there is the question of what exactly a "structured, commonly used technological format" is. No definition is provided in Bill 64. While the GDPR doesn't define it either, the Article 29 Working Party, the predecessor of the European Data Protection Board, did so and defined it as being a "set of minimal requirements that should facilitate the interoperability of the data format provided by the data controller. In that way, 'structured, commonly used and machine-readable format' are specifications for the means, whereas interoperability is the desired outcome." The French data protection authority, the Commission Nationale Informatique et Libertés ("CNIL"), even specifies that the most appropriate format may differ depending on the sector of activity. Adapted formats may already exist and may be used provided that they are interpretable and free of any usage restrictions. For more specific datasets, for which there is no standard for their provision, entities may provide personal data in an open format (XML, JSON, CSV, etc.), documented and supplemented by any metadata that is useful for their interpretation.
Lastly, further clarification is required as to what happens to personal information that is transmitted to an individual exercising his or her right to data portability, as provided under article 20(3) of the GDPR: the business that is the subject of the request need not erase that information. In other words, exercising the right to data portability does not mean that the business that is the subject of the request must delete the information; rather, it must keep it to, for example, comply with its contractual obligations.
In sum, the right to data portability as contemplated under Bill 64 seems more akin to an updated aspect of the right of access that is adapted to our times, by giving access in a technological format, than an actual right to data portability as provided under the GDPR. It doesn't appear to go as far as the GDPR, such as with regard to the interoperability with other businesses, which is certainly relevant given the difficulties that arose when the right to data portability under the GDPR was implemented.
Regardless, the right to data portability provided under Bill 64 needs to be clarified. Exercising this right to data portability turned out to be fairly difficult in the EU. It will likely be even more so in Quebec and Canada due to the lack of detailed technical guidelines from the data protection authorities or the lack of shared standards or technological codes among businesses. There are indeed many challenges to be resolved in order to transmit this data to the individual in a format that that individual will find easy to use.
That being said, legislating the concept of portability is part of a larger process across Canada. For example, Ontario has launched a consultation in order to introduce a law regarding the protection of personal information in the private sector; more precisely, this consultation seeks to introduce a law that would create new rights for individuals similar to the right to data portability. A similar trend is apparent at the federal level. All for the purpose, whether or not conceded, of aligning legislation with the GDPR…