Emily Taylor considers the area of data portability in the private sector in light of the forthcoming EU General Data Protection Regulations (GDPR).
What are the new rules of data portability?
Only 15% of us feel that we have complete control over our data, and more than 30% of us feel that we have no control at all, a survey of 28,000 Europeans found last year. Two-thirds of Europeans, particularly young people, said it is important to them to be able to transfer personal information that was stored and collected by an old provider to a new one when they change.
European lawmakers want to restore a sense of control, by creating a new right of data portability. The right will increase individuals’ control over their data, and improve competition and innovation among businesses by enabling start-ups and smaller enterprises to ‘access data markets dominated by digital giants’, says the Commission.
The new right of data portability will enable a data subject to receive a copy of the personal data which they have provided to a data controller in a ‘structured, commonly used, machine-readable and interoperable format and transmit it to another controller’ (GDPR, art 18(2)).
Controllers are encouraged (but not obliged) to develop interoperable formats to support data portability. Where feasible, the data subject should have the right to have their data directly transmitted from one controller to another (GDPR, art 18(2a).
The right applies where the data subject has provided the data based on contractual consent or where the data is necessary for the performance of the contract, and does not apply to controllers processing data in the line of a public duty, in the public interest or as a result of official authority.
The GDPR sets out various exclusions from the new right of data portability. It is without prejudice to the:
- rights of other data subjects (more on that below)
- right of the data subject to obtain erasure of data
Furthermore, GDPR does not imply erasure to the extent and as long as the data are necessary for the performance of a contract.
There are wide-ranging carve outs for the new right of data portability (and other rights) available to both the EU and individual Member States, for example to:
- safeguard public security o enable archiving, and
- enable the keeping of historical records
How does this differ from the current regime?
GDPR strengthens obligations on controllers to provide transparency on how data is processed and restore individuals’ sense of control over their data.
Data portability is a new right. The nearest equivalent in the current regime is the data subject access request, which allows individuals to:
- access and rectify data
- obtain a copy, and
- be told the source of the data, if available
What impact will data portability have on businesses?
Businesses need to develop workflows to retrieve and share data in interoperable formats. While it is stated that businesses will not be obliged to create new systems that are technically compatible with others, legislators clearly hope this will happen—evidenced by the provision for data to be directly transferred from controller to controller ‘where feasible’.
An operational minefield will be ensuring that data relating to third parties is not caught up in data disclosed to a data subject. In a world where our data is increasingly enmeshed with that of others, this will be easier said than done.
What steps should businesses take now?
Businesses should attempt to:
- work out whether your business is subject to the new rules—there are wide exclusions for smaller businesses
- ensure that your technical systems can efficiently retrieve and transfer individuals’ data to others, and that your security systems are robust enough to prevent disclosure of third party data to unauthorised recipients
- consider working with other industry players to develop standardised formats to support data portability—it will save money in the long-run and may even help your customers
Interviewed by Alex Heshmaty.
This article was first