The federal government has introduced an ambitious new bill that aims to protect Canadians' privacy while promoting data-driven innovation, an Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, or Digital Charter Implementation Act, 2020 ("Bill C-11").
For a high-level summary of key features of Bill C-11, please see our bulletin: "The Canadian Government Proposes Significant Changes to Privacy Law: Key Features include New Requirements, Orders, Penalties and a Private Right of Action".
This bulletin discusses one feature of Bill C-11 in greater depth: a new right to data mobility. Although such a right would be new to Canada, data mobility is part of an international trend to give individuals more control over their personal information. This new right was inspired by recital 68 and section 20 of the EU's General Data Protection Regulation (the "GDPR"), as well as the California Consumer Privacy Act ("CCPA"), both of which provide for the right to data portability. A similar right also appears in Quebec's Bill 64,1 which seeks to modernize Quebec's privacy laws.
The Right to Data Mobility Under Bill C-11
Section 72 of Bill C-11 provides individuals with a right of mobility for their personal information – allowing individuals the right to transfer their personal information from one organization to another. Section 72 states:
Subject to the regulations, on the request of an individual, an organization must as soon as feasible disclose the personal information that it has collected from the individual to an organization designated by the individual, if both organizations are subject to a data mobility framework provided under the regulations.
As in the EU and California legislation, and in Quebec's Bill 64, it would appear that the right to mobility has two goals:
- increasing an individual's control over his or her own personal information; and
- stimulating competition by facilitating the transfer of information, and therefore the possibility for the individual to more easily change service providers.
Of note, section 72 of the Bill speaks of direct organization-to-organization disclosures of personal information. It does not provide a right for an individual to obtain a copy of his or her own personal information in a useable format – which is how Quebec's Bill 64 frames the right (i.e., that individuals can request and obtain their own personal information in a "structured, commonly used technological format").
It is also important to note that Bill C-11 makes data portability subject to future regulations. Sections of the Bill C-11 related to data portability may come into force separately from the rest of the Bill C-11 (e.g., once those regulations have been made).
Restrictions to the Right to Mobility
It is possible that the new right will have broad application. It could apply to all personal information that an organization has collected from an individual; likewise, it could apply to every organization that is governed by the new law. However, it is also possible that the right to mobility will apply more narrowly. The scope of this new right will depend on future regulations.
Even so, on closer inspection, this new right under Bill C-11 has some clear limitations:
- it only applies to personal information collected from individuals (i.e., it would not apply to personal information collected from third parties);
- it only applies if both the disclosing and receiving organizations are subject to a "data mobility framework" provided under the regulations; and
- according to section 120 of Bill C-11 (which illustrates what regulations governing data mobility may contain):
- regulations may specify only certain organizations or sectors as subject to data mobility frameworks; and
- regulations may provide for exceptions to the requirement to disclose personal information, including exceptions related to the protection of proprietary or confidential commercial information – which means that some personal information may be excluded from the scope of data mobility.
Also, Bill C-11, contrary to the GDPR, does not put the right to data mobility at the same level as the right to access personal information, or the new right to request disposal of personal information. Specifically, Bill C-11 does not require the right to mobility to be mentioned in public-facing privacy statements (i.e., the summary of an organization's privacy policies and practices, commonly posted on websites). Quebec's Bill 64 takes the same approach – likely because, as noted above, that Bill treats data mobility as an enhanced version of the right of access rather than a truly separate right.
While a right to data mobility will be welcomed in some quarters, it raises a number of significant questions.
A threshold question is: which organizations will be subject to data mobility frameworks (and thus, the right of mobility)? Will data mobility frameworks apply to businesses in general, or will they only apply to certain sectors, like telecommunications, financial institutions, health care, social media, or retailers?
There is also the question of whether all personal information can be the subject of a data mobility request or if it will be limited to certain types of personal information, certain quantities of personal information, particular purposes for collecting or disclosing the personal information, or certain time periods.
Once a data mobility request is fulfilled, must the disclosing organization destroy or anonymize the personal information that was the subject of the request? For example, according to the interpretation of article 20(3) of the GDPR, the business that is the subject of a data portability request need not erase that information. We expect the same would apply under the proposed federal legislation: fulfilling a data mobility request should not over-ride the disclosing organization's ongoing need to retain the personal information, for example, to comply with its contractual obligations or to otherwise carry out the purpose for which the personal information was collected. Of course, if that purpose is no longer relevant, or an individual exercised the new right under Bill C-11 to request that the organization dispose of his or her personal information, then that would be a different matter.
The right to data mobility could have a significant impact on businesses if Bill C-11 becomes law. The extent of that impact will depend on future data mobility regulations, and how they address the questions raised above. Organizations that are subject to data mobility frameworks will have to implement new procedures and potentially adopt new technology to meet the requirements of that framework. Pending those regulations, organizations that are developing new technologies or systems should ensure they facilitate data extracts to common file formats (e.g., CSV) – as this may ease future compliance burdens if Bill C-11 is enacted.
Exercising a right to data portability turned out to be fairly difficult in the EU. Indeed, questions arose in the EU on how to provide personal data in a "structured, commonly used technological format", i.e. something that Bill C-11's data mobility frameworks will need to wrangle with. Ultimately, guidance was derived from the Article 29 Working Party, the predecessor of the European Data Protection Board, as well as national data protection authorities, such as the French and British authorities.2 Canadian governments and privacy commissioners have not historically issued technical guidelines, standards or codes in the privacy realm – and so this will be new territory they will necessarily have to explore to ensure the effectiveness of a right to mobility.
2 J. Uzan-Naulin, Right to Data Portability: True Data Portability or Simply an Updated Version of the Right of Access?, Fasken Bulletin.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.