On September 22, 2024, the fourth wave of amendments to Québec’s Act respecting the protection of personal information in the private sector(“Act”) will take effect. Arguably, the most important change it will introduce is the data mobility right. Below are 5 things to know about this right.
1. What is the Data Mobility Right?
As presently drafted and subject to last minute changes, art. 27 of the Act will be amended to grant an individual whose “computerized personal information” has been collected by a person or a body, the right to request that the person or body communicate the individual’s personal information to the individual, as well as to any person or body authorized by law to collect such information. The information must be communicated in a structured, commonly used, technological format. The data mobility right, however, is not absolute: if the communicating body can prove that the communication will cause serious practical difficulties, it may not be obliged to communicate the personal information in question. As of yet, no guidance has been provided regarding the bodies “authorized by law” to collect such information. Presumably this will follow in a regulation.
2. How Long Does a Business Have to Respond?
This is not clearly stated in the Act. As other data subject rights, such as the rights to access or to rectification, must be responded to within 30 days, we believe that it is reasonable to assume that the 30-day limit will also apply to the data mobility right.
3. Is Québec’s Data Mobility Right the same as the GDPR’s Data Portability Right?
Not entirely. Although both the European and the Québec rights are limited to computerized information collected from the individual and not to information created or inferred from the collected information, art. 20 of the GDPR limits the portability right to personal information that is processed based on the individual’s consent or subject to a contract. As such, the European data portability right might be more limited with respect to the nature of the information it covers. On the other hand, the portability right does not restrict transferees to the individual whose personal information was processed and to a body or person “authorized by law”. The practical effects of these differences remain to be seen.
4. How to Prepare?
Given how most entities collect, use, store and communicate (“process”) data, including personal information, compliance with the data mobility right will certainly prove challenging. This may have contributed to it being the last of the data subject rights to take effect as the legislator wanted to give entities some time to prepare. The legislator also explicitly requires businesses to address the data mobility right in all privacy impact assessments that they must conduct before acquiring, developing or overhauling an information system or electronic service delivery system involving the collection, use, communication, storage, or destruction of personal information.
The best way any business can prepare for the data mobility right is to maintain an up-to-date register of processing activity (“ROPA”). Knowing where data is enables an entity to respond in a timely and thorough manner. A ROPA should include: (i) the personal information types that are being processed by the entity; (ii) how the personal information is collected; (iii) the reasons for processing; (iv) the legal basis for processing; (v) the people who have access to the personal information; (vi) the third parties to whom the personal information is transferred; (vii) the security measures protecting the personal information; (viii) the information’s security classification; and (ix) its retention period.
A second way to prepare for the data mobility right is to inform employees about this right and train them to perform their duties in such a way as facilitate their employer’s compliance with this right.
5. What are the Penalties for Non-Compliance?
The penalties for non-compliance with the data mobility right are the same as for non-compliance with the rest of the Act: the greater of $25 million or 4% of worldwide turnover for the preceding fiscal year. The Act also provides for private rights of action and punitive damages of at least $1,000 for an intentional or gross fault resulting in violation of the Act or articles 35 to 40 of the Civil Code of Québec.
Conclusion
A first in Canada, the Act’s data mobility right will take effect in less than three weeks, on September 22, 2024. It is certain to affect not only the way businesses process personal information but also the way in which they select their information systems suppliers – many of which may have to rapidly adjust to the new data mobility right.
[View source.]
