In the context of the reform of PIPEDA, Bill C-11 introduces, through the Consumer Privacy Protection Act (“CPPA”), a provision relating to data mobility. This right, also called the right to data portability, is well known to organizations that are subject to the European Union General Data Protection Regulation (“GDPR”).
The right to data mobility allows individuals to request that an organization transfer the personal information it has collected to another organization. For example, if a user wants to change streaming services, they can ask for a transfer of their playlists from one service provider to another. In other words, the primary objective of the right to mobility is to facilitate the flow of personal information between different organizations at the request of the individual.
Except for those Canadian organizations that are subject to the GDPR, the right to data mobility is a very new concept for most. In this context, a look at the challenges faced by European organizations in the implementation of the right of portability will help Canadian organizations to get better prepared.
Indeed, in spite of a couple of differences, the GDPR and the CPPA share similar objectives on data mobility, while adopting different paths.
For example, both the CPPA and the GDPR consider the right to portability as a means to empower individuals. The Canadian government, in its Proposals to modernize the Personal Information Protection and Electronic Documents Act, states that data mobility “has been touted as having the potential to empower individuals to ‘vote with their feet’ so to speak”, while recital 68 of the GDPR provides that “To further strengthen the control over his or her own data, (…), the data subject should be allowed to receive personal data concerning him or her (…) and to transmit it to another controller”.
It is therefore clearly the intention of both the GDPR and the CPPA to prevent individuals from being stuck in “lock-in” situations, in which they wish to change service providers but choose not to because exporting their personal information is too complicated.
However, data portability/mobility is not only advantageous for individuals – it can also have a positive impact on competition and on the free flow of information. Indeed, it avoids situations where all personal information is in the hands of a few industry leaders. For example, if an individual chooses to move from a major e-commerce platform to a local online shop, the transfer of their purchase history through a mobility request will give the online shop an opportunity to know their customers better and to offer products or services that are tailored to their interests.
Today, the CPPA is still far from being definitively adopted. However, it is beneficial for Canadian organizations to start considering the challenges that lie ahead. In this context, looking closely at the experience of organizations that are subject to the GDPR may be useful.
Challenge n°1: distinguish between portable and non-portable data
Both CPPA and GDPR recognize that not all personal data is portable, which implies that organizations must be capable of carrying out a “filtering” process before responding to a data portability request.
However, it seems that at this stage, the CPPA’s scope of personal information that can be subject to a mobility request is much broader than that of the GDPR. Indeed, whereas the CPPA only refers to “personal information that the organization has collected from the individual”, the GDPR lists three conditions for personal data to be portable.
First, the personal data must be processed by automated means; data that is collected or stored in paper format is therefore not portable.
Second, similarly to the CPPA, the personal data must have been “provided to a controller”, which implies that:
- all personal data that has been directly provided by the individual or observed from the individual’s activity (for example their location or purchase history) is portable; and that
- personal data that has been collected from third parties, such as data acquired from data brokers, is not portable.
Third, the GDPR refers to the lawful bases “contract” and “consent”. In other words, data becomes portable only when the organization processes it because it is necessary for the performance of a contract (such as a home address for product delivery), or because it has obtained consent for the processing operations. Thus, data that is processed on the basis of a legal obligation (for example for anti-money laundering purposes) or for a legitimate interest (such as fraud detection) is not portable.
These three conditions significantly restrict the scope of data portability under the GDPR. Although the CPPA only mentions for the moment “personal information that has been collected from the individual”, it will probably follow the same path as well. If it does, organizations will need to develop processes allowing them to distinguish personal information that may be subject to a mobility request from personal information that may not.
Challenge n°2: the technical feasibility of a data mobility request
This is again an example of a common objective between the CPPA and the GDPR, but where different paths are taken. While the GDPR merely states that a portability request should be complied with “where it is technically feasible”, the CPPA anticipates the major problem that has arisen for the majority of stakeholders subject to the GDPR in the EU; that is, the technical obstacles to transferring personal data from one organization to the other.
Indeed, data sharing methods are not the same for everyone and, above all, they are not necessarily interoperable. For example, some organizations use Application Programming Interfaces (“APIs”), others use web scraping techniques, while some prefer using e-mail attachments such as Excel files.
Despite the limitation of technical feasibility that is put forward by the GDPR, European regulators consider that cases where technical obstacles can be raised against an individual should be very rare. In other words, the mere fact that two organizations have not adopted a similar technical process is not sufficient to conclude that the exercise of the right is technically impossible. Instead, reasonable efforts are necessary to find technical solutions for the proper transmission of the personal data.
The CPPA went one step further than the GDPR: a data mobility request can only be successful if the two organizations are part of a data mobility framework. In other words, if the recipient organization is not a member of such a framework, the individual may be denied this right to data mobility. Although this might seem to be very practical for organizations, it is not without challenges.
Indeed, it remains unclear whether this mobility framework will be a private-sector or a public-sector initiative. If it is an industry-led initiative, smaller stakeholders may be in a situation where they would have to invest considerable financial resources to be part of this framework, especially if a proprietary rather than an open-source model is chosen. Smaller stakeholders would be left without any choice insofar as being part of such a framework may be crucial for their business and represent a competitive advantage.
Fortunately, it seems for the moment that this is not the path taken by the industry. For example, a major industry-led framework has already appeared in response to the GDPR data portability requirement, called the Data Transfer Project (“DTP”). This framework is an open-source, service-to-service data portability platform, relying on APIs and authorization mechanisms to access data. For the moment, the participating companies are Apple, Facebook, Google, Microsoft and Twitter. Smaller organizations can in theory participate in the DTP, but the leaders of the framework recognize that “Although the DTP reduces the technical burdens of service-to-service transfers, development work is required of each participating organization. Deciding to participate in the project may require shifting limited resources from other priorities”. In other words, joining such a framework will require major investments from smaller organizations.
Challenge n°3: making the personal data easily re-usable
The possibility to successfully transfer personal information from one organization to the other is one thing. However, the whole point of data mobility hinges on the recipient organizations being able to re-use the personal data for their own purposes (provided that this re-use is done lawfully). The GDPR stresses the importance of this condition by requiring that the format in which the data is transmitted “should be structured, commonly-used and machine-readable”.
European regulators have interpreted this provision by stating that organizations should use global or industry-wide standard formats, preferably open and documented, such as XML, JSON, CSV, with meaningful metadata at the best possible level of granularity, while maintaining a high level of abstraction.
The CPPA is silent on this requirement, probably leaving it to the data mobility framework to resolve. It is however crucial for organizations and for individuals that the re-usability of the personal information is emphasized and made possible.
Challenge n°4: responding to a data mobility request in time
Another point tackled by the GDPR is the time it takes for organizations to respond to a portability request. It is, as with all other rights, one month with a possible extension of two months in the event of a complex request. The GDPR does not define what a complex request is, but European regulators usually interpret it as a request where a large amount of personal data is requested, or when a specific legal analysis is necessary.
The CPPA adopts a more open approach for organizations by mentioning that the response must be provided “as soon as possible”, which is a factor of great legal uncertainty. For example, is a year too long to respond to a mobility request? To what extent can an organization argue that complying with the request was not possible before? Further guidance will most certainly be necessary.
Challenge n°5: dealing with the interaction between portability and other individuals’ rights
Contrary to the GDPR, the CPPA does not tackle the interaction of the portability right with the individual’s other rights, such as the right of erasure. For instance, when a data mobility request has been complied with, should organizations delete the personal information that has been transferred? How about a mobility request where the personal information also contains third-party personal information – should organizations respond to such a request? And finally, what if the personal information contains sensitive information for the organization – should this information really go to their competitors?
Articles 20(3) and 20(4) of the GDPR begin answering these questions, by mentioning the fact that the portability right “should not adversely affect the rights and freedoms of others”, and that it “shall be without prejudice” to the right of erasure.
On the basis of these two provisions, EU regulators consider that portability requests should not adversely affect “trade secrets or intellectual property and in particular the copyright protecting the software”; they emphasize, however, that the result of those considerations should not lead to a categorical refusal to provide all information to the individual. This implies that sending organizations should filter the information to transfer, but that they cannot simply rely on trade secrets or intellectual property to completely reject the individual’s request. Because the CPPA is silent on this point, Canadian organizations are left without any answer to it.
In addition, when the requested personal information contains information relating to a third-party individual, then the organization complying with the request should not “filter” the data to be transmitted. In other words, EU regulators consider that it is not up to the sending organization to distinguish between the personal information relating to the individual making the request and any third-party individual. However, the onus is on the receiving organization not to use the personal information in a way that would adversely affect the third-party individual’s rights (i.e., the receiving controller should not process the personal data for their own purposes unlawfully, without for example having an appropriate lawful basis, or having a lawful purpose to do so).
Finally, the GDPR states that when an individual exercises his or her right to data portability, he or she does so without prejudice to any other right (as is the case with any other rights in the GDPR), including his or her right to have the personal information erased. In other words, an individual can continue to use and benefit from the data controller’s service even after a data portability operation. Canadian organizations would benefit from the CPPA tackling this question as well.
In a nutshell, to be better prepared for the arrival of this new right under Canadian legislation, it is strongly recommended that organizations:
- draw a clear distinction between the personal information that has been directly collected from the individual and the personal information that has been collected through third parties;
- maintain an appropriate, up-to-date and accurate data map, where they can easily locate and retrieve portable personal information;
- start investing in securing tools for the transfer of personal information, such as the creation of APIs;
- define internal deadlines for complying with data mobility requests; and
- ensure that they rely on formats that will allow them to easily transmit and receive “re-usable” personal information.
Data portability has been and will continue to be one of the toughest GDPR compliance challenges for organizations. The CPPA is attempting to adopt a more pragmatic approach to data mobility by requiring the creation of a data mobility framework, but many questions are still left unanswered. In addition, it seems that the scope of personal information that can be subject to a mobility request is much wider than under the GDPR.