Data Portability: New Obligation Since September 2024

Art. 27, LPRPSP

What the law requires

Your customers can demand their data in an exportable format (CSV, JSON) and you have 30 days to respond.

This obligation, in effect since September 22, 2024, only covers computerized data that the customer provided to you: contact details, purchase history, uploaded files. Data you created (analyses, internal notes, scores) is excluded.

If the customer requests a direct transfer to another organization, you must comply if technically feasible.

Legal reference

Every person carrying on an enterprise who holds personal information on another person must, at the request of the person concerned, confirm the existence of the personal information, communicate it to the person and allow him to obtain a copy of it.

At the applicant's request, computerized personal information must be communicated in the form of a written and intelligible transcript.

Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant, and not created or inferred using personal information concerning him, must, at his request, be communicated to him in a structured, commonly used technological format. The information must also be communicated, at the applicant's request, to any person or body authorized by law to collect such information.

If the person concerned is handicapped, reasonable accommodation must be provided on request to enable the person to exercise the right of access provided for in this division.

Art. 27, Act respecting the protection of personal information in the private sector

What you must do

Portability requires technical and organizational preparation. Here's how to comply:

What information is covered?

Included in portability:

  • Contact information provided by the customer (name, address, email, phone)
  • Order and transaction history
  • Preferences and account settings
  • Files uploaded by the customer (photos, documents)
  • Messages and communications sent by the customer

Excluded from portability:

  • Information on paper only
  • Data created by your business (analyses, scores, evaluations)
  • Internal notes and employee comments
  • Information concerning other people

Transmission format

Data must be provided in a format that is:

  • Structured: Data organized in a machine-readable way (not an image PDF)
  • Commonly used: Standard formats like CSV, JSON, XML
  • Reusable: The person must be able to import the data elsewhere

Example: A customer requests their purchase data. You export a CSV file containing: date, product, quantity, price, delivery address.

Direct transmission to a third party

If the customer requests that their data be transmitted directly to another organization:

  • Verify that the receiving organization is authorized to receive this information
  • If a technical interface exists, perform the transfer directly
  • If no interface exists, inform the customer of the technical impossibility and provide them the data to transmit themselves

Processing procedure

  1. Receipt: Acknowledge receipt of the request and note the date (the 30-day deadline starts)
  2. Identity verification: Confirm the requester's identity before transmitting data
  3. Extraction: Generate the export in the appropriate format
  4. Secure transmission: Send the data securely (protected download link, encrypted email)
  5. Documentation: Keep a record of the request, response, and date

Common mistakes

  • Ignoring requests. Not responding within 30 days constitutes a breach of the law. Even a refusal must be communicated within the deadline.
  • Providing an unstructured PDF. A PDF containing images or unstructured text does not meet the structured format requirement. Use CSV, JSON, or XML.
  • Including third-party data. If the customer's data contains information about other people, you must remove it before transmission.
  • Charging fees. Portability is free. You can only charge if the request is manifestly excessive or repetitive.
  • Not verifying identity. Before transmitting personal data, ensure the requester is indeed the person concerned.
  • Confusing portability and access. The right of access (Art. 27) covers all information you hold. Portability only covers computerized information provided by the person.

Frequently asked questions

What is the right to data portability?

It's the right for a person to obtain their personal information in a structured, commonly used technological format, and to request its direct transmission to another organization.

When did this obligation come into effect?

The right to data portability came into effect on September 22, 2024. It's the final implementation phase of Quebec's privacy law.

What information is covered by portability?

Only computerized information that the person provided to you is covered. Information you created or inferred (analyses, scores, internal notes) is not included.

What format must I provide the data in?

In a structured and commonly used technological format. Common formats include: CSV, JSON, XML. The format must allow easy reuse of the data.

What is the deadline to respond to a portability request?

30 days from the request.

Must I transfer data directly to a competitor?

If the person requests it and it's technically feasible, yes. However, you can cite technical impossibility if no standard interface exists with the receiving organization.

Is portability free?

Yes. You cannot charge fees to respond to a portability request, unless the request is manifestly excessive or repetitive.

Next step

Portability is often requested alongside a deletion request (right to erasure). Ensure you have a process to handle both types of requests.

← Back to compliance guide

Related topics