Data portability in the new European Regulation 2016/679
A new civic duty for personal data controllers and a new right for data subjects: let’s see the content, the legal basis and the actual realization.
Why should one be interested in data portability and understand what it means?
The date of the 25 May 2018 comes closer. That day the GDPR will come into effect in all EU Countries. There are several news introduced by the new regulation that must be understood, regardless of being the physical person personal data refers to (as new rights are gained), or being the controller of data being received and processed (as new duties are gained). One of the main new features it the so-called “right to data portability” which is outlined by Article 20 and “Whereas” 68 and 73 of the GDPR, and illustrated by the Guidelines WP 242 adopted on 13 December 2016 (and last revised on 5 April 2017), the so-called document WP 242, written by the European Working Party “WP 29”.
The text of the GDPR can be accessed here, while the WP 242 document can be accessed here.
What is data portability in the context of GDPR?
Broadly speaking, data portability is the right of a data subject to obtain a copy of her own personal data provided to a company or an on-line service provider and transmit them to a different provider (social network, Internet service provider, …), and to ask for a direct transmission of data from a controller to another.
The first aspect of portability is “the right to receive the personal data in a structured, commonly used and machine-readable format”. As explained by the guidelines of WP 242, this storage can be on a private device or on a private cloud, without necessarily transmitting the data to another data controller. WP 242 provides a couple examples of the right: a data subject might be interested in retrieving his playlist from a music streaming service, to find out how many times he listened to specific tracks, or to check which music he wants to purchase or listen to on another platform. Similarly, he may also want to retrieve his contact list from his webmail application, for example, to build a wedding list.
The second element of portability is “the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”. Under this second profile, Clause 2 of Article 20 specifies that the data subject has “the right to have the personal data transmitted directly from one controller to another, where technically feasible”. As precised by the WP 242 guidelines, “Whereas” 68 of the GDPR promotes the development of interoperable formats by data controllers but doesn’t envisage an obligation to introduce or maintain technically compatible data processing systems.
Therefore, according to the very same guidelines, special attention should be paid to the format of the transmitted data, in order to guarantee that the data can be reused by the data subject or by a different controller with the least effort. This aspect of data portability enables the transmission of data to a different service provider (belonging in the same or in a different field).
What is the criterion of data portability?
The general criterion is expressed by “whereas” 68 of the regulation, which expresses it as a mechanism “to further strengthen the control over his or her own data”, an idea restated by WP 242 Guidelines. Such guidelines also add that “since it allows the direct transmission of personal data from one data controller to another, the right to data portability is also an important tool that will support the free flow of personal data in the EU and foster competition between controllers. It will facilitate switching between different service providers, and will therefore foster the development of new services in the context of the digital single market strategy.”
What are the legal basis to data portability (and its related duty)? Which processing operations are covered by the right to data portability?
The GDPR indicates two requirements.
At first glance, we need to make a premise in order to answer the question. To be lawful, data processing must be based on one of the following conditions: the consent released by the data subject; a contract; a legal obligation; the protection of vital interests of the data subject or of another natural person; the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or the purposes of the legitimate interests pursued by the controller.
The European Regulation doesn’t call for a general right to data portability applied on data of all data processings, be it their basis on any of the cited ones.
On the contrary, Clause 1 of Article 20 states that processings must be based on the consent or on a contract, which are the first two hypothesis we expressed. Therefore, for instance, WP 242 guidelines state that there is no obligation for financial institutes to answer a data portability request concerning personal data processed as part of their obligations obligation to prevent and detect money laundering and other financial crimes.
As for the second requirement, the right exists exclusively if the processing is carried out by automated means, so it doesn’t apply to most paper archives and registries.
Which personal data must be portable?
Article 20 states data must be portable when is about personal data that concern the data subject (therefore, an anonymous piece of data doesn’t fall into this category) and that are provided by the data subject to a controller (WP 242 provides the example of information of an online registration form like address, user name, age and so forth, but also data derived from the observation of the activities of the user like, for instance, browsing history on a web site or performed searches; data provided by the controller using observed or directly provided as input, like the user-profile created from the analysis of raw data generated by an intelligent counter, don’t fall into the category).
Is there any other condition on portability?
The answer has to be yes, as the last clause of Article 20, with an ambiguous expression, stated that the right to data portability “shall not adversely affect the rights and freedoms of others.”
WP 242 stated that the “new” controller can’t use any received data referred to third parties for its purposes, for instance providing marketing and service offers to said third parties, or to elaborate the profile of them by and reconstructing their social profile without their knowledge and consent.
How the right to data portability is effectively applied? What is the time limit? What are the expected means for data provision?
First of all, Article 13 and 14 of the GDPR state that data controllers must inform data subjects of the existence of the right to data portability and WP 242 restates that, when providing the informative document, controllers must distinguish this right from the other rights (ie the right to data access). Clause 3 of Article 20 clearly states that the right to data portability shall be without prejudice to the right of their deletion as expressed by Article 17.
Regarding time limits, according to clause 3 of Article 12, the controller provides “information on action taken on a request under” the right to data portability “to the data subject without undue delay and in any event within one month of receipt of the request” or, in case of substantial difficulties, within three months as long as the data subject is informed of the reasons of the delay within a month from the data of receival of the initial request.
WP 242 suggests that “implementing automated systems such as Application Programming Interfaces (APIs)27 can facilitate the exchanges with the data subject, hence lessen the potential burden resulting from repetitive requests.”
Data then must be transmitted (Article 20) “without hindrance from the controller to which the personal data have been provided” (hindrance can be, according to WP, fees asked for delivering data, lack of interoperability or access to a data format, ..).
Moreover, clause 2 of Article 20 states that the controller must transmit personal data directly to a different controller if “technically feasible”. WP 242 clears that, on a practical standpoint, controllers should explore and evaluate two different and complementary ways of providing data subjects or other controllers with portable data: the direct transmission of the overall dataset of portable data (or several extracts of parts of the global dataset) and an automated tool that allows extraction of relevant data.
To implement these two approaches, WP suggests different methodologies which are clearly expressed in the document.
As far as the format of data is concerned, clause 1 of Article 20 states that personal data must be provided in a “in a structured, commonly used and machine-readable format”. “Whereas” 68 further explains that the format should be “interoperable”. As explained by WP 242, interoperability is the ultimate aim, while the terms “structured”, “commonly used” and “machine-readable” specify the means to use; also, “where no formats are in common use for a given industry or given context, data controllers should provide personal data using commonly used open formats (e.g. XML, JSON, CSV,…) along with useful metadata at the best possible level of granularity”.
Another relevant aspect to keep in mind is about the security of the transmission of data the controller must guarantee by evaluating risks associated with such portability and by implementing any appropriate mitigation methods.
Are there any fines in case of infringement of the right to data portability?
According to Article 83, Clause 5, of the GDPR, the infringement of a right of data subjects (including the present one) can be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Therefore, it’s not a duty to underestimate.
In conclusion. A last consideration is appropriate, as it also serves as a conclusive auspice of the Article 29 Working Party that wrote the aforementioned guidelines: the actual realization of the right to data portability will depend on the creation of standards and formats that guarantee the interoperability between systems as the result of the collaboration between industry stakeholders and trade associations. Note that the Italian Legislator, with Legge di bilancio 27.12.2017, n.205, Clause 1021 (“Legge di Bilancio” is the italian equivalent of an annual financial statement presenting the government's proposed revenues and spending for a financial year”), in order to adapt the internal regulation to the GDPR, called for “the Garante per la protezione dei dati personali (the authority in terms of privacy, AN), with an own regulation to be adopted within two months from the date of entry into force of this law: .... b) regulates the methods of verification, also with the acquisition of information from the owners of personal data processed by automated means or through digital technologies, of the presence of adequate infrastructures for the interoperability of the formats with which data are made available to concerned subjects, both for the purposes of data portability pursuant to Article 20 of the GDPR, and for the timely compliance to the provisions of the regulation itself; …”.
At the closing date of the present article, we are still waiting for for any development.