The Potential Effect Of Data Portability Under GDPR
Law360
What began as a tremor on April 27, 2016, has the potential to become a truly seismic event on May 25, 2018. For those involved in data privacy, these dates may sound familiar. On April 27, 2016, the European Union adopted the General Data Protection Regulation, which replaces the Data Protection Directive and comprehensively strengthens the data protection rights of all EU residents. The GDPR becomes effective on May 25, 2018, but few companies sufficiently meet compliance criteria. While many aspects of the GDPR may be causing consternation in boardrooms around the world, one particularly innovative provision could benefit individuals and businesses alike by leveling the competitive playing field — the right to data portability.
The EU deems “the protection of natural persons in relation to the processing of personal data” a fundamental right, and the EU balances this right with the rights to privacy, personal integrity, freedom of expression and information, and freedom to conduct a business, among many others. In the recitals to the GDPR, the EU acknowledges the rapid technological changes in the global economy that have significantly increased the scale of the collection and sharing of personal data. In order to strengthen an individual’s control over his or her own data, the EU crafted Article 20, which frames the issue from the perspective of an individual, not a business. As a result, individuals will now be able to obtain and reuse their personal data for their own purposes across different services.
One could be forgiven for overlooking the significance of this new fundamental right amid the other 98 articles of the GDPR. Article 20 does not initially appear overly distinctive, reading:
There is much to unpack in these four provisions of Article 20, but in short, the EU establishes two rights:
1. The right of a data subject to request a copy of all his or her electronically stored personal data from a data controller; and
2. The right of a data subject to request the transfer of personal data to another data controller.
This right to data portability does not apply in all situations; rather, it applies to: (1) the personal data provided to a data controller by an individual; (2) where the data processing is based on the individual’s consent or for the performance of a contract; and (3) where the data processing is effected by automated means. Even with these limitations, the right to data portability will greatly alter the business landscape.
The current business landscape places restrictions on individuals who seek to marshal their own personal data for their own purposes. For example, an individual seeking to switch service providers/data controllers must submit a new and complete information packet to the competitor, spending unnecessary time and resources to simply submit personal data already provided to a prior controller. In this walled-off environment, individuals may be less likely to transact business with new controllers, artificially suppressing choice in the process. Innovation and growth similarly suffer because smaller and/or newer data controllers may find it difficult to compete with established competitors.
While data portability is a boon for individuals, the analysis is not so clear for businesses. On the one hand, smaller and/or newer data controllers may encounter a more level playing field where concerns related to data silo or vendor lock-in are lessened. As a result, these controllers could experience an increase in business as new customers would no longer be burdened by unnecessary bureaucracy and paperwork when considering a switch in controllers.
On the other hand, system incompatibility within and among controllers presents potential technical difficulties. The EU recognized the variance in software and technology among controllers, and not wanting to unnecessarily disrupt the global market, carved out a significant exception to the right to data portability. As set forth in subprovision 2 of Article 20, a data controller would only be required to transfer the data to another controller where the transfer is “technically feasible.” The GDPR does not define this ambiguous term and fails to specify the electronic format necessary for data portability. When coupled with the fact that the GDPR does not require a controller to adopt or maintain systems that are technically compatible with a competitor’s, the shortcomings of the right to data portability become apparent.
Guidance does, however, exist regarding the minimum requirements imposed on data controllers with regard to the portability of personal data. Though the standard of a structured, commonly used and machine-readable format is merely the floor, it is nonetheless instructive in establishing a controller’s requirements for compliance. Recital 21 of Directive 2013/37/EU33, 34 defines “machine readable” as:
The EU deems “the protection of natural persons in relation to the processing of personal data” a fundamental right, and the EU balances this right with the rights to privacy, personal integrity, freedom of expression and information, and freedom to conduct a business, among many others. In the recitals to the GDPR, the EU acknowledges the rapid technological changes in the global economy that have significantly increased the scale of the collection and sharing of personal data. In order to strengthen an individual’s control over his or her own data, the EU crafted Article 20, which frames the issue from the perspective of an individual, not a business. As a result, individuals will now be able to obtain and reuse their personal data for their own purposes across different services.
One could be forgiven for overlooking the significance of this new fundamental right amid the other 98 articles of the GDPR. Article 20 does not initially appear overly distinctive, reading:
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a. the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
b. the processing is carried out by automated means.
b. the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
There is much to unpack in these four provisions of Article 20, but in short, the EU establishes two rights:
1. The right of a data subject to request a copy of all his or her electronically stored personal data from a data controller; and
2. The right of a data subject to request the transfer of personal data to another data controller.
This right to data portability does not apply in all situations; rather, it applies to: (1) the personal data provided to a data controller by an individual; (2) where the data processing is based on the individual’s consent or for the performance of a contract; and (3) where the data processing is effected by automated means. Even with these limitations, the right to data portability will greatly alter the business landscape.
The current business landscape places restrictions on individuals who seek to marshal their own personal data for their own purposes. For example, an individual seeking to switch service providers/data controllers must submit a new and complete information packet to the competitor, spending unnecessary time and resources to simply submit personal data already provided to a prior controller. In this walled-off environment, individuals may be less likely to transact business with new controllers, artificially suppressing choice in the process. Innovation and growth similarly suffer because smaller and/or newer data controllers may find it difficult to compete with established competitors.
While data portability is a boon for individuals, the analysis is not so clear for businesses. On the one hand, smaller and/or newer data controllers may encounter a more level playing field where concerns related to data silo or vendor lock-in are lessened. As a result, these controllers could experience an increase in business as new customers would no longer be burdened by unnecessary bureaucracy and paperwork when considering a switch in controllers.
On the other hand, system incompatibility within and among controllers presents potential technical difficulties. The EU recognized the variance in software and technology among controllers, and not wanting to unnecessarily disrupt the global market, carved out a significant exception to the right to data portability. As set forth in subprovision 2 of Article 20, a data controller would only be required to transfer the data to another controller where the transfer is “technically feasible.” The GDPR does not define this ambiguous term and fails to specify the electronic format necessary for data portability. When coupled with the fact that the GDPR does not require a controller to adopt or maintain systems that are technically compatible with a competitor’s, the shortcomings of the right to data portability become apparent.
Guidance does, however, exist regarding the minimum requirements imposed on data controllers with regard to the portability of personal data. Though the standard of a structured, commonly used and machine-readable format is merely the floor, it is nonetheless instructive in establishing a controller’s requirements for compliance. Recital 21 of Directive 2013/37/EU33, 34 defines “machine readable” as:
a file format structured so that software applications can easily identify, recognize and extract specific data, including individual statements of fact, and their internal structure. Data encoded in files that are structured in a machine-readable format are machine-readable data. Machine-readable formats can be open or proprietary; they can be formal standards or not. Documents encoded in a file format that limits automatic processing, because the data cannot, or cannot easily, be extracted from them, should not be considered to be in a machine-readable format. Member States should where appropriate encourage the use of open, machine-readable formats.
The Article 29 Data Protection Working Party has issued guidelines seeking to clarify this murky standard and advises that “data controllers should provide as many metadata with the data as possible at the best level of precision and granularity, to preserve the precise meaning of exchanged information.” Even with this guidance, data controllers have much latitude in determining the technical infeasibility of a transfer to a competitor.[1] Lastly, it is important to remember that the power of requesting an individual’s personal data lies with the individual, not a business. In other words, a controller does not have the right to demand an individual’s personal data from another controller. Only the individual can make such a request.
Even though the GDPR may allow for and foster the growth of data portability in the aggregate, its true potential may only be reached if controllers collaborate in creating a collective standard for the transmittal of personal data. The sooner industry players develop the means to respond to data portability requests and transfer information in a commonly used and machine-readable format, the quicker the benefits will accrue to individuals and businesses alike.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] This is not to say that controllers are free to abuse their dominant position in the market. Pursuant to Article 102 of the Treaty on the Functioning of the European Union, controllers would still be prohibited from abusing dominant position in the market. Consolidated Version of the Treaty on the Functioning of the European Union art. 102, 2008 O.J. C 115/47.
Republished with permission. This Expert Analysis article first appeared on Law360 on November 6, 2017.
