The GDPR regulations include a ‘new’ right for data subjects of the right to receive personal data processed by a data controller, and have the right to keep data on their personal devices or transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.
Article 20 of the GDPR states that:
“A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller.”
The reasoning behind this point is that user data should be protected from ‘siloed’ or closed systems that facilitate customer lock in, and where the controller of the data does not permit the user to change provider.
Individuals often hand over personal data as part of opening a bank account, booking a flight, joining a social network, email account or using a utility provider.
As part of their existing data protection duties businesses must guard personal data and may use this to provide services as part of their Intellectual Property Rights, and this will not change under the new regulations.
Data Portability Applies to:
- Personal data an individual has provided to a controller;
- Where the processing is based on the individual’s consent or for the performance of a contract; and
- When processing is carried out by automated means.
Only personal data is in scope of a data portability request. Any data that is anonymous or does not concern the data subject will not be in scope. However, pseudonymous data that can be clearly linked to a data subject is within the scope.
The following categories can be qualified as “provided by the data subject”:
- Data actively and knowingly provided by the data subject (for example, mailing address, user name, age, etc.)
- Observed data provided by the data subject by virtue of the use of the service or the device. They may for example include a person’s search history, traffic data and location data. It may also include other raw data such as the heartbeat tracked by a wearable device.
In contrast, inferred data and derived data that are created by the data controller, such as financial credit scores and health assessments they are not generally considered as ‘provided by’ the data subject and are not in the scope of the legislation.
The GDPR does not establish a general right to data portability for cases where the processing of personal data is not based on consent or contract. For example, there is no obligation for financial institutions to answer a data portability request concerning personal data processed as part of their obligations to prevent and detect money laundering and other financial crimes; equally, data portability does not cover professional contact details processed in a business to business relationship in cases where the processing is neither based on the consent of the data subject nor on a contract to which he or she is a party.
The right to data portability only applies if the data processing is “carried out by automated means”, and therefore does not cover most paper files.
The GDPR states that:
“Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.”
This raises the following issues with the interpretation.
Structured, commonly used and machine readable. Whereas previous data legislation has specified that the data released was to be ‘human readable’ ,and was interpreted as meaning that it could be provided to the data subject as a PDF or printed format, this definition implies that the data should be provided in ‘machine readable’ format which suggests utilising industry standard data markup schemas. For example JSON files, XML, CSV, Text file format.
Providing the data in readable format does not require processors to have compatible systems, merely that it can be read.
Inter-operable. In order to facilitate the change between providers the interoperability of differing data formats is necessary. This requires interchange using file formats and schemas that have been agreed upon so that the relevant data items can be compared and imported into the new providers systems. One example of this in practice is the UK Government midata format that facilitates comparison data in the banking industry.
Transmission. The data is to be provided either to the individual, or their nominated receiving organisation in the machine readable format. Where the transmission is between two providers it is the right of the data subject to be also sent a copy.
The data controller should set safeguards to ensure they genuinely act on the data subject’s behalf. For example, they can establish procedures to ensure that the type of personal data transmitted are indeed those that the data subject wants to transmit. This could be done by obtaining confirmation from the data subject either before transmission or earlier on when the original consent for processing is given or the contract is finalised.
Data portability does not automatically trigger the erasure of the data from the systems of the data controller, and does not affect the original retention period applying to the data which have been transmitted.
Individual. In some cases the data to be ported contains details of other users, say, if a citizen wanted to migrate all their email history to another provider. In this case the details of other third parties included in the data (e.g. other mail addresses) should also be transferred as it represents relations that a person made due to using the service. However, the details of third parties contained within the portability request may not use the transmitted third party data for his own purposes e.g. to propose marketing products and services to those other third party data subjects.
Timeliness. The data must be provided within one month of the request, which may be extended by two months where the request is complex, as long as the subject is informed.
Charging. The processor cannot charge the subject for providing the data.
The EU policy objective with Article 20 is to empower data subjects, improve consumer protection, the general welfare benefits of data exchange, the right to privacy and to avoid overzealous data controllers keeping users in a ‘software prison’. The intention with data portability is that the users should be able to share in some of the value created through the use of their personal data.
Conversely, it has been argued that the extension of the protections to data appears to offer benefits to users, but delivers only compliance costs to the data processors. Portability does, however, offer the hope of less friction when changing providers, and this gives opportunities to those enterprises who are able to take advantage of machine readable portable files, promoting the development of new services and making switching easier.
References and links: