The new right to data portability (See also "four new rights of the individual
") is introduced by Article 20 of the GDPR. This right allows for data subjects to receive the personal data that they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller. The purpose of this new right is to empower the data subject and give him/her more control over the personal data concerning him or her.
On the 5th
of April, the Article 29 Working Party
(WP29 or WP) published updated guidance on data portability. In accordance with Article 20(1)(a) of the GDPR, in order to fall under the scope of data portability, processing operations must be based:
- either on the data subject’s consent (pursuant to Article 6(1)(a), or pursuant to Article 9(2)(a) when it comes to special categories of personal data);
- or, on a contract to which the data subject is a party pursuant to Article 6(1)(b).
Observations to data portability
The following items are of interest to your clients:
- the main elements of data portability under GDPR;
- when data portability applies under GDPR.
The main elements:
The WP29 views data portability as an extension to the right to receive data. As such data portability is part of the right of the data subject to receive a subset of the personal data processed by a data controller concerning him or her, and to store those data for further personal use. The WP points out that the data subject may choose not to transmit the data to another data controller.
In that perspective data portability complements the right of access. One specificity of data portability lies in the fact that it offers an easy way for data subjects to manage and reuse personal data themselves. These data should be received “in a structured, commonly used and machine-readable format”.
There are two conditions relevant to this discussion:
- The first condition is that personal data should concern the data subject. Only personal data is in scope of a data portability request. Therefore, any data that is anonymous or does not concern the data subject, will not be in scope.
- The second condition is that data is provided by the data subject. There are many examples of personal data, which will be knowingly and actively “provided by” the data subject such as account data (e.g. mailing address, user name, age) submitted via online forms. Nevertheless, data “provided by” the data subject also result from the observation of his activity. As a consequence, the WP29 considers that “provided by” includes the personal data that are the result of behaviour, such as activity logs, history of website usage or search activities.
It should be noticed that data that is the result of analysis of the controller ("inferred" or "derived") is not included in the description of provided data. This means that “provided by” includes personal data that relate to the data subject activity or result from the observation of an individual’s behaviour, but is not include based on subsequent analysis.
When it applies or rather when data portability does not apply:
As mentioned in the introduction the GDPR does not establish a general right to data portability for cases where the processing of personal data is not based on consent or contract. When it comes to employees’ data, the right to data portability typically applies only if the processing is based on a contract to which the data subject is a party.
For instance, in the case of HR processing, which is based on legitimate interest or are necessary for compliance with specific legal obligations in the field of employment. In practice, the right to data portability in an HR context is expected to be limited.
Finally, the right to data portability only applies if the data processing is “carried out by automated means”, and therefore does not cover (most) paper files.
Actions for the right to data portability
Since the GDPR and more specifically Article 20 allows the direct transmission of personal data from one data controller to another, the right to data portability is important for a free flow of personal data in the EU. The WP also believes data portability will foster competition between controllers. Given the limitations of the applicability to controllers and, more importantly, the limited attention that data subjects have for their personal data, it is highly probable that the outcomes that WP29 describes are not achieved.
The GDPR is however not the only law that describes data portability. The long-contested Payment Service Directive 2 also proscribes the possibility for a natural person to request his or her data to be made available, to share the data with a different provider.
Data controllers should consider not developing the automated means that will contribute to answer data portability requests, such as download tools, but instead focus on Application Programming Interfaces. Controllers can then guarantee that personal data are transmitted in a structured, commonly used and machine-readable format, and limit their effort in case the whole idea of portability does not gain traction.
Data controllers should carefully consider if they are in a market that will trigger portability requests, i.e. do you have customers that would like their data transferred to a competitor. In addition, it makes sense to assess the effort necessary to automate versus the manual process. It does seem to be good practice to develop API’s to allow customers to access their data. This serves two of the rights of the data subject under GDPR.
Data controllers should also be aware that there is a significant risk associated with the new data portability: identity theft. The GDPR recognises that a controller cannot comply with a data portability request if it is not able to positively identify the data subject. In this regard, WP29 recommends
that controllers should implement an authentication procedure to confirm the identity of the data subject.