Quick Hits
- Effective September 22, 2024, Law 25 provides employees and consumers in Québec in both the public and private sectors with the right to data portability.
- The purpose of this new right is to allow individuals to access their data and transfer it to another legally authorized organization of their choice.
- Private businesses have thirty days to respond to requests, and public bodies have twenty days, with a possible extension of ten days.
The purpose of this new right is to allow individuals to access their data and transfer it to another legally authorized organization of their choice. This places an obligation on the original organization to verify that the recipient of the data is legally permitted to receive it. Organizations may also want to consider jurisdictional issues and the nature of third parties involved in such data transfers.
Employee and Consumer Data Applicability
The law does not specify any exceptions to whom this right applies, meaning it extends to both employee and consumer data of individuals situated in Québec. Businesses with employees in Québec that fall under the jurisdiction of the Québec Privacy Act will be subject to this new requirement.
There is, however, an exception for situations where fulfilling the request would cause serious practical difficulties. The Government of Québec defines “serious difficulty” as “significant costs” or “complexity” in processing the request. Organizations invoking this exception must provide detailed justification. Organizations may want to implement policies that include a form to document whether the data was transferred or a refusal was made, with the reasons for the refusal clearly stated.
Timelines and Obligations for Organizations
This new right complements existing access rights, and organizations must ensure that their responses to these requests adhere to the same timelines: thirty days for private businesses and twenty days (with a possible extension of ten days) for public bodies. To comply, organizations may want to develop internal policies with clear guidelines for handling such requests, including proof of identification for individuals. Practical guidelines below may assist organizations in implementing these policies.
Digital-Only Information and Format Requirements
This right applies only to information already in digital form; there is no obligation to convert paper documents. Additionally, the information must be provided in a structured and commonly used format, though the law does not define specific formats. The Government of Québec recommends formats such as CSV, XML, or JSON, and advises avoiding formats like PDFs, images, or proprietary formats that require special software or paid licenses.
Accuracy and the Distinction Between Direct and Inferred Data
Employers and organizations are required to maintain accurate and up-to-date personal information. While they can verify the data’s accuracy before completing a transfer, they are not obligated to assess its quality. There are no specific guidelines outlining what is meant by “quality,” but it may pertain to the level of detail contained in the file.
Importantly, the law applies to data directly provided by the individual, as well as indirectly provided information, such as employment start or end dates. However, it does not extend to inferred data. “Inferred data” refers to information generated without direct input from an individual. The Québec government indicated on its website for public organizations that an example of inferred data could be a user profile based on a user’s web activity analysis. While this type of inferred data is not subject to the new portability requirement, it may still be accessible to individuals through their right to access their personal information under existing access rights.
Retention Policies and Refusal Justification
Retention policies remain unaffected by this law. If data is deleted according to an established retention policy (e.g., employee files deleted two years after termination), employers can rely on this policy to justify why a transfer cannot occur. All transfers of personal information must be carried out securely, considering the sensitivity of the data.
Internal Policies and Procedures
Employers will want to inform their employees of their portability rights, which can be included in an employee privacy notice. Clear internal procedures for handling portability requests may include, but are not limited to, the following:
- Designating a responsible department. Identify the department or person within the organization to whom portability requests should be sent.
- Verifying identity. Ensure procedures are in place to verify the identity of the person making the request.
- Establishing response timelines. Follow the legal timeframes for responding to portability requests (thirty days for private organizations; twenty days for public bodies, with a possible ten-day extension).
- Establishing a secure data format. Ensure the information will be shared in a structured, commonly used, and secure digital format (e.g., CSV, XML, JSON).
- Maintaining a request registry. Maintain a registry to log portability requests and track the request and its resolution (whether data was transferred or a refusal was made).
- Establishing guidelines for refusing requests. Establish clear guidelines for when a request may be refused (e.g., data has been deleted or serious practical difficulties), and document the reasons for refusal.
- Implementing data retention policies. Implement and enforce retention periods for employee and consumer data to ensure compliance.
- Optimizing data accuracy and updates. Create a policy to allow individuals to access and update their personal data before transfer to ensure the data is accurate.
- Implementing security measures. Implement strong security protocols to protect personal information when transferring the data to a third party.
- Ensuring compliance of data management systems. Ensure individuals responsible for choosing new technologies within the organization are aware of the requirement of ensuring these technologies are compatible with the portability requirements under Law 25.
Conclusion
The right to data portability under Law 25 places new obligations on employers and organizations. Ensuring compliance requires careful planning, policy development, and secure data management practices.
Ogletree Deakins’ Montréal office and Cybersecurity and Privacy Practice Group will continue to monitor developments and will provide updates on the Cross-Border and Cybersecurity and Privacy blogs as additional information becomes available.