The Potential Effect Of Data Portability Under GDPR
The EU deems “the protection of natural persons in relation to the processing of personal data” a fundamental right, and the EU balances this right with the rights to privacy, personal integrity, freedom of expression and information, and freedom to conduct a business, among many others. In the recitals to the GDPR, the EU acknowledges the rapid technological changes in the global economy that have significantly increased the scale of the collection and sharing of personal data. In order to strengthen an individual’s control over his or her own data, the EU crafted Article 20, which frames the issue from the perspective of an individual, not a business. As a result, individuals will now be able to obtain and reuse their personal data for their own purposes across different services.
One could be forgiven for overlooking the significance of this new fundamental right amid the other 98 articles of the GDPR. Article 20 does not initially appear overly distinctive, reading:
b. the processing is carried out by automated means.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
There is much to unpack in these four provisions of Article 20, but in short, the EU establishes two rights:
1. The right of a data subject to request a copy of all his or her electronically stored personal data from a data controller; and
2. The right of a data subject to request the transfer of personal data to another data controller.
This right to data portability does not apply in all situations; rather, it applies to: (1) the personal data provided to a data controller by an individual; (2) where the data processing is based on the individual’s consent or for the performance of a contract; and (3) where the data processing is effected by automated means. Even with these limitations, the right to data portability will greatly alter the business landscape.
The current business landscape places restrictions on individuals who seek to marshal their own personal data for their own purposes. For example, an individual seeking to switch service providers/data controllers must submit a new and complete information packet to the competitor, spending unnecessary time and resources to simply submit personal data already provided to a prior controller. In this walled-off environment, individuals may be less likely to transact business with new controllers, artificially suppressing choice in the process. Innovation and growth similarly suffer because smaller and/or newer data controllers may find it difficult to compete with established competitors.
While data portability is a boon for individuals, the analysis is not so clear for businesses. On the one hand, smaller and/or newer data controllers may encounter a more level playing field where concerns related to data silo or vendor lock-in are lessened. As a result, these controllers could experience an increase in business as new customers would no longer be burdened by unnecessary bureaucracy and paperwork when considering a switch in controllers.
On the other hand, system incompatibility within and among controllers presents potential technical difficulties. The EU recognized the variance in software and technology among controllers, and not wanting to unnecessarily disrupt the global market, carved out a significant exception to the right to data portability. As set forth in subprovision 2 of Article 20, a data controller would only be required to transfer the data to another controller where the transfer is “technically feasible.” The GDPR does not define this ambiguous term and fails to specify the electronic format necessary for data portability. When coupled with the fact that the GDPR does not require a controller to adopt or maintain systems that are technically compatible with a competitor’s, the shortcomings of the right to data portability become apparent.
Guidance does, however, exist regarding the minimum requirements imposed on data controllers with regard to the portability of personal data. Though the standard of a structured, commonly used and machine-readable format is merely the floor, it is nonetheless instructive in establishing a controller’s requirements for compliance. Recital 21 of Directive 2013/37/EU33, 34 defines “machine readable” as:
Even though the GDPR may allow for and foster the growth of data portability in the aggregate, its true potential may only be reached if controllers collaborate in creating a collective standard for the transmittal of personal data. The sooner industry players develop the means to respond to data portability requests and transfer information in a commonly used and machine-readable format, the quicker the benefits will accrue to individuals and businesses alike.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
 This is not to say that controllers are free to abuse their dominant position in the market. Pursuant to Article 102 of the Treaty on the Functioning of the European Union, controllers would still be prohibited from abusing dominant position in the market. Consolidated Version of the Treaty on the Functioning of the European Union art. 102, 2008 O.J. C 115/47.
Republished with permission. This Expert Analysis article first appeared on Law360 on November 6, 2017.