Only 15% of us feel that we have complete control over our data, and more than 30% of us feel that we have no control at all, a survey of 28,000 Europeans found last year. Two-thirds of Europeans, particularly young people, said it is important to them to be able to transfer personal information that was stored and collected by an old provider to a new one when they change.
European lawmakers want to restore a sense of control, by creating a new right of data portability. The right will increase individuals’ control over their data, and improve competition and innovation among businesses by enabling start-ups and smaller enterprises to ‘access data markets dominated by digital giants’, says the Commission.
The new right of data portability will enable a data subject to receive a copy of the personal data which they have provided to a data controller in a ‘structured, commonly used, machine-readable and interoperable format and transmit it to another controller’ (GDPR, art 18(2)).
Controllers are encouraged (but not obliged) to develop interoperable formats to support data portability. Where feasible, the data subject should have the right to have their data directly transmitted from one controller to another (GDPR, art 18(2a).
The right applies where the data subject has provided the data based on contractual consent or where the data is necessary for the performance of the contract, and does not apply to controllers processing data in the line of a public duty, in the public interest or as a result of official authority.
The GDPR sets out various exclusions from the new right of data portability. It is without prejudice to the:
Furthermore, GDPR does not imply erasure to the extent and as long as the data are necessary for the performance of a contract.
There are wide-ranging carve outs for the new right of data portability (and other rights) available to both the EU and individual Member States, for example to:
GDPR strengthens obligations on controllers to provide transparency on how data is processed and restore individuals’ sense of control over their data.
Data portability is a new right. The nearest equivalent in the current regime is the data subject access request, which allows individuals to:
Businesses need to develop workflows to retrieve and share data in interoperable formats. While it is stated that businesses will not be obliged to create new systems that are technically compatible with others, legislators clearly hope this will happen—evidenced by the provision for data to be directly transferred from controller to controller ‘where feasible’.
An operational minefield will be ensuring that data relating to third parties is not caught up in data disclosed to a data subject. In a world where our data is increasingly enmeshed with that of others, this will be easier said than done.
Businesses should attempt to:
Interviewed by Alex Heshmaty.
This article was first published on Lexis®PSL IT & IP on 27 January 2016. Click for a free trial of Lexis®PSL.
Emily Taylor is the CEO of Oxford Information Labs. She is an Associate Fellow of Chatham House and is the Editor of the Journal of Cyber Policy and co-founder of ICANN accredited registrar, Oxford Information Labs.
Published: , 672 Words.