Implementing data portability: Lessons for a made-in-Canada approach
By allowing individuals to transfer their personal data from one organization to another, data portability is one of the tools jurisdictions have included as they revise and improve data privacy laws.
Combined with other requirements around informed consent and the “right to be forgotten,” data portability can help address privacy concerns and enhance consumer choice. It is intended to help individuals avoid being locked into a relationship with a digitalized business due to the bother of switching service providers.
Data portability has therefore the potential to level the playing field for innovative start-ups and other businesses through access to more data they can use to improve their services and create new offerings.
At the same time, data portability may impose significant obligations on the organizations that have to execute data portability requests. For many businesses, stricter data privacy laws and new digital rights will require them to strengthen their data collection and storage systems, increase their data security measures, and develop processes and protocols for managing requests.
This report reviews data portability regimes in other countries and discusses key issues and challenges encountered when designing and implementing data portability, including:
- scope of portable data
- customer authentication requirements
- reducing the processing burden on organizations
- application protocol interfaces and interoperable platforms
- verifying the suitability of data transferees
As federal and provincial governments in Canada seek to update their respective data privacy regimes, the report highlights how the experiences of other jurisdictions can help guide the development of a made-in-Canada approach to data portability.