The right to data portability is perhaps one of the most ambitious elements of the General Data Protection Regulation ("GDPR"). For the first time, data controllers across all industry sectors will be required to provide personal data to individuals – or even directly to competitors – in a structured, machine-readable (i.e. interoperable) format. Portability requirements have existed for mobile phone numbers, but never for the range of services that will be implicated by the new provisions.
At its plenary session on 5 April, the Article 29 Working Party ("WP29") approved a revised guidance document shedding further light on this concept. The revisions to the draft guidance, which was initially released in December 2016, followed a period of open public consultation that ran through the end of January 2017.
We summarised the first draft in an earlier alert and highlighted the key questions that were not addressed. The new points raised by the WP29 in its final guidance are as follows:
While the earlier draft of the guidance set out “the primary aim of data portability” as “facilitate[ing] switching from one service provider to another, thus enhancing competition between services”, the language of competition is all but absent in the revised guidance. Instead, portability is justified more firmly by traditional data protection concerns, such as “affirming individuals’ personal rights and control over personal data” and “re-balancing” the relationship between individuals and service providers. Benefits to competition are only incidental, as the WP29 stressed that “the GDPR is regulating personal data and not competition”.
The right to data portability applies only to data controllers. However, the revised guidance clarifies that data processors will have contractual obligations under the GDPR to assist the controller “by appropriate technical and organisational measures” with responding to requests by individuals to exercise their rights. Thus, the WP29 concluded that the data controller should “implement specific procedures in cooperation with its data processors to answer portability requests”.
The revised guidance recognised that the right to portability under the GDPR could conflict with other access and portability requirements in sector-specific EU or member state legislation, such as the right to access one’s bank account history under the Payment Services Directive 2. Provided it is clear from the request that the individual intends to exercise his rights under the more specific legislation, the WP29 made clear that the GDPR right will not apply. If, however, the requester seeks to exercise his rights under the GDPR, the controller must assess the interplay between any competing rights case-by-case, but the more specific legislation will not automatically displace the GDPR right.
One of the most controversial elements of the draft guidance was its stipulation that “observed” personal data qualified as “provided by” the data subject and therefore fell under the portability requirement. This interpretation remains in the revised guidance, along with the inclusion of new examples such as “raw data processed by a smart meter or other connected objects, activity logs, history of website usage or search activities”. The WP29 clearly sees this broad interpretation as integral to ensuring that the right to portability remains relevant in an IoT world.
By contrast, “inferred” personal data, such as “the profile created in the context of risk management and financial regulations (e.g. to assign a credit score or comply with anti-money laundering rules)” – all new examples in the revised document – remain outside the scope of the right.
The right to portability is both a right to receive personal data in an interoperable format which the individual can then transfer to another controller “without hindrance” and a right to have personal data transferred directly from one controller to another where “technically feasible”.
In the first scenario, the WP29 clarified that hindrances may be “any legal, technical or financial obstacles placed by data controller[s] in order to refrain or slow down access, transmission or reuse”. Examples include fees, lack of interoperability, excessive delays or complexity, deliberate obfuscation or undue accreditation demands. The WP29 recognised, however, that there could be legitimate obstacles, including where necessary for security or to protect the rights and freedoms of others. Moreover, in the absence of clear industry standards, commonly used open file formats, such as XML, along with any useful or relevant metadata, will qualify as sufficiently interoperable.
In the second scenario, the WP29 specified that a direct transfer is “technically feasible” when “communication between two systems is possible, in a secured way, and when the receiving system is technically in a position to receive the incoming data”. Thus, there is no obligation on the first controller to create or adopt compatible processing systems – rather it is the receiving controller that must have a compatible system for a direct transfer to proceed. If, however, the first controller cannot or does not transfer the data directly, it must explain its reasoning to the data subject.
Those who were critical of the absence of meaningful discussion of data security in the initial draft are unlikely to be fully satisfied by the revision. While the revised guidance provides some further detail, it leaves it to controllers to “assess the specific risks linked with data portability and take appropriate risk mitigation measures”. Mitigation could include multi-factor authentication techniques and suspending transfers where there is suspicion that an account is compromised.
The revised guidance on portability is available here. For a redline comparison with the earlier draft, click here.