Data Portability Under the GDPR
The EU General Data Protection Regulation (GDPR) is a key element of the data protection reform of the EU. It came into force in May 2016 and must be applied by the EU Member States from 25 May 2018, after a two-year transition period. Many of the GDPR’s main principles derive from the Data Protection Directive 95/46/EC that it repeals. However, the GDPR also introduces several novelties, one of them being the right to data portability set out in Article 20.
What is Data Portability?
Article 20 contains two new interrelated rights for data subjects:
Data portability allows data subjects to receive their own personal data that they have provided to a data controller, in a “structured, commonly used and machine-readable format”.
Data portability also allows data subjects to transmit their data to another controller.
Data portability will have an impact on all data controllers, but especially on large organizations such as banks, insurance companies, cloud or streaming service providers and social networking service providers. This new right empowers data subjects by giving them more control over their personal data and enables the free flow of data within the EU, while also fostering competition between data controllers.
Application
The Article 29 Working Party (WP29), an independent European Union Advisory Body on Data Protection and Privacy, composed of representatives from each of the EU Member States, the European Data Protection Supervisor, and the representative of the European Commission, has issued guidance on the application of this new right. According to the published guidelines, the right to data portability applies only to data controllers. Nevertheless, data processors have a contractual obligation to assist data controllers in answering data portability requests.
The right to data portability is not a general right; for Article 20 to apply, three cumulative conditions need to be met:
The processing of the personal data needs to be automated, meaning that the new right cannot be exercised in respect of, for example, paper files. The data also needs to be processed on the basis of the prior consent of the data subject (e.g. given by filling out an online form), or on the basis of a contract to which the data subject is a party.
It is essential that the requested personal data concerns the data subject and is provided by the data subject. Anonymous data does not fall under the scope of Article 20; pseudonymous data does, however, if it can be clearly linked to the data subject. Hence, personal data includes data that is observed from the activities of users, including raw data processed by a smart meter or other types of connected objects, activity logs, history of website usage or search activities. Moreover, “provided by” is wording that requires broad interpretation: it covers data provided actively and knowingly by the data subject (e.g. age, date of birth, contact information), and also data provided indirectly by the data subject (e.g. by using services or devices producing metadata, including search histories, location data etc.). It excludes, however, personal data inferred or derived by the data controller from data provided by the data subject (e.g. a credit rating or health score resulting from the application of algorithms to the data subject's personal data).
The right should not adversely affect the rights and freedoms of third parties. Under this rule, when data is transferred under a data portability request and third-party data is included in the requested data set, the new data controller should only process these data when there is an appropriate legal ground to do so (i.e. purely personal or household activities).
Other Rules and Recommendations for Organizations Acting as Data Controllers
It is important to have an authentication process to confirm the identity of the data subject making the data portability request.
Data subjects should be informed of their new right in privacy policies and notices, including situations where the data subject is looking to close their account with the controller.
Data subjects should be offered the option of direct download and allowed to directly transmit the requested data to another data controller, e.g. by making available an application programming interface (API).
It would be beneficial to bring into play consent mechanisms for implicated third parties to ease transmission (i.e. in situations where a data subject makes a portability request for personal data which includes personal data of other private individuals, such as in phone records).
Data controllers should not take part in activities hindering data portability, such as demanding a fee for delivering data, excessive delay or lack of interoperability. They also need to acknowledge that it is their responsibility to justify any legitimate obstacles they rely on.