This article was first published in Financier Worldwide Magazine, May 2019.
Article 20 of the General Data Protection Regulation (GDPR) gives every data subject “the right to receive the personal data concerning him or her, which he or she has provided to a controller” in an appropriate machine readable form to enable the data subject to pass his or her personal data to another controller.
The UK Information Commissioner’s Office (ICO) has already published guidance on the right of portability, in which the ICO confirmed that: “the right to portability allows individuals to obtain and re-use their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.” While some businesses have already put in place solutions akin to the right to data portability, such as the UK government’s ‘midata’ and other similar initiatives, many organisations have yet to grapple with how to support the right to data portability.
The right to portability is not an absolute right and only applies: (i) to personal data that a data subject has provided to a controller; (ii) where processing of the personal data is based either on the data subject’s consent or for the performance of a contract; and (iii) when processing is digital, as opposed to manual.
The Article 29 Data Protection Working Party produced updated guidance in 2017 as to how businesses can support the right to data portability, confirming that Article 17 of GDPR does not give portability rights to individuals in respect of either: (i) manual personal data; (ii) personal data that has not been provided directly by the data subject to the controller; or (iii) personal data that is needed for processing necessary “for the performance of the task carried out in the public interest or in the exercise of official authority vested in the controller”.
A controller could reasonably decline to port data where doing so would compromise confidential information, trade secrets or company intellectual property. However, the Article 29 Data Protection Working Party suggests that these concerns should not be used to circumvent dealing with a data portability request.
Article 20(4) of the GDPR states that the right of data portability should “not adversely affect the rights and freedoms of others”. The above guidance indicates that this can be understood as “including trade secrets or intellectual property and in particular the copyright protecting the software”. So there may be reasons why certain data may not be portable, but the same guidance indicates that even though these issues should be considered before answering a data portability request, “the result of those considerations should not be a refusal to provide all information to the data subject”. Finally, the right to data portability is not a right for an individual to “misuse the information in a way that could be qualified as an unfair practice or that would constitute a violation of intellectual property rights”.
The right of data portability does not appear to be a right of ownership. In other words, even though a data subject has willingly given their personal data to a controller this does not mean that the data subject owns that personal data. However, social media accounts are the subject of data portability requests, as are insurance records where an insured wishes to move their business from one insurance company to another.
The requirement that the personal data must be made available in a “structured, commonly used and machine readable form” requires controllers to consider whether or not their current systems are capable of moving personal data to another controller’s IT environment without there being any corruption or technical impact on the quality of the data concerned.
The terms ‘structured’, ‘commonly used’ and ‘machine readable’ are a set of minimal requirements that should enable the interoperability of the data format provided by the controller. ‘Machine readable’ is defined in Recital 21 of Directive 2013/37/EU as: “a file format structured so that software applications can easily identify, recognise and extract specific data, including individual statements of fact, and their internal structure. Data encoded in files that are structured in a machine-readable format are machine-readable data. Machine-readable formats can be open or proprietary; they can be formal standard or not. Documents encoded in a file format that limits automatic processing, because the data cannot, or cannot easily, be extracted from them, should not be considered to be in a machine-readable format.”
Since the portability right must not incur a financial charge to the data subject, businesses must anticipate how to absorb the cost of a data portability request and must also consider what policy should be put in place to ensure that, on the one hand, the right can be complied with, while on the other hand the rights and interests of other parties are observed. In addition, controllers need to consider what rights they have to retain the use of such personal data, even after porting has occurred, on the basis that the right does not appear to be a transfer of ownership of personal data, but is merely a ‘licence’ to have personal data transferred from one controller to another.
A practical way to enable controllers to respond to data portability requests, given the technical challenges, is to offer a secure and documented API, as this can enable data subjects to make portability requests via their own or third-party software. Granting access to data via an externally accessible API may also offer a seamless way for data subjects to exercise their rights. We are beginning to see the emergence of preference centres and subject rights control dashboards.
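As an added illustration (not code from the article, the ICO or the Working Party), the following Python routine applies the scoping rules summarised above (digital processing only, data provided by the data subject, lawful basis of consent or contract, Article 20(4) exclusions) to a data subject's records and produces a structured JSON export together with a log of what was withheld and why, so that item-level withholding never becomes a refusal of the whole request. The record fields, flags and sample values are assumptions constructed for the example.

```python
import json

# Constructed example records: the field names and flags are assumptions, not from the article.
SAMPLE_RECORDS = [
    {"field": "email", "value": "ann@example.org", "provided_by_subject": True,
     "lawful_basis": "contract", "medium": "digital", "protected": False},
    {"field": "postal_address", "value": "1 High St", "provided_by_subject": True,
     "lawful_basis": "consent", "medium": "digital", "protected": False},
    # Derived by the controller, so not data the subject "provided" under Article 20.
    {"field": "risk_score", "value": 0.73, "provided_by_subject": False,
     "lawful_basis": "contract", "medium": "digital", "protected": False},
    # Held only on paper: manual processing is outside the right.
    {"field": "paper_claim_form", "value": "scan-ref-0042", "provided_by_subject": True,
     "lawful_basis": "contract", "medium": "manual", "protected": False},
    # Processed on a public-task basis, which the right does not cover.
    {"field": "licence_check", "value": "OK", "provided_by_subject": True,
     "lawful_basis": "public_task", "medium": "digital", "protected": False},
    # Flagged by the controller as touching a trade secret (Article 20(4)); assumed flag.
    {"field": "pricing_model_inputs", "value": "[redacted]", "provided_by_subject": True,
     "lawful_basis": "contract", "medium": "digital", "protected": True},
]
PORTABLE_BASES = {"consent", "contract"}

def portability_reason(record):
    """Return None if the record is portable, otherwise the reason it is withheld."""
    if record["medium"] != "digital":
        return "manual processing, outside Article 20"
    if not record["provided_by_subject"]:
        return "not provided by the data subject"
    if record["lawful_basis"] not in PORTABLE_BASES:
        return "lawful basis is neither consent nor contract"
    if record["protected"]:
        return "withheld under Article 20(4): rights and freedoms of others"
    return None

def build_export(subject_id, records):
    """Assemble the portable data plus a withheld log; partial withholding is not a refusal."""
    data, withheld = {}, []
    for rec in records:
        reason = portability_reason(rec)
        if reason is None:
            data[rec["field"]] = rec["value"]
        else:
            withheld.append({"field": rec["field"], "reason": reason})
    return {"subject_id": subject_id, "data": data, "withheld": withheld}

def export_json(subject_id, records):
    """Serialise the export as JSON: a structured, commonly used, machine-readable format."""
    return json.dumps(build_export(subject_id, records), indent=2, sort_keys=True)
```

The withheld log is what lets the controller answer the request in full while documenting each item it has excluded and on what ground.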
In the same way that subject access requests under the GDPR have to be complied with within one month, the advice from the ICO is that a data portability request must also be dealt with without undue delay and at the latest within one month. The one-month period may be extended by a further two months where the request is ‘complex’.
Businesses should now be prepared to robustly respond to data portability requests and have a suitable policy addressing the supportability of data portability.