The Right to Data Portability
Article 20 has the purpose of making it significantly easier for citizens to have any data which is stored with one service provider transmitted directly to another provider. This means that providers of data processing services will have to store personal data in such ways that these can be “taken along” in a commonly used file format.
Up to now, so-called “lock-in” effects are still common: if changing to another service provider entails significant costs or obstacles for the customers, they often decide against any change altogether even if another provider is offering better conditions. Now, the new data protection regulation on portability has been developed to give the concerned persons better control over their personal data. Hence, the new right could also influence the market situation.
It is however still unclear how this theoretically plausible portability will be implemented practically, because there is no similar previous provision and there has been no development of the law by judges either as the right to data portability will only become effective with the European General Data Protection Regulation in May 2018.
In our project, the Stiftung Datenschutz (Foundation for Data Protection) has examined possible ways of practically implementing the right to data portability. The project gives practically relevant suggestions for the detailed definition and arrangement of data portability, how narrowly or broadly the concept of the provision of data must be interpreted, how the transfer of a data set from one provider to another can be realised and which measures should be taken by the concerned companies with respect to the implementation of this right. In addition, Stiftung Datenschutz gives all of the concerned parties – regulatory bodies, the data processing industry as well as citizens – the possibility to join an objective discussion about the possible application of the legal provisions within the scope of events and publications.
Subject Matters of Data Portability
The purpose of Article 20 of the General Data Protection Regulation is to allow for the portability of data between different service providers and to strengthen the so-called informational self-determination of the user. Within the scope of the project, we have analysed whether the user will in fact be given more control over their data: The legislation does require that the transferred data will not be automatically deleted. This could lead to data being distributed even wider.
Within the scope of the project, the following questions are asked for clarification:
- How narrowly or broadly should the aspect of the provision of data be interpreted?
- Does the practical implementation of the regulation allow for better protection of data privacy (“informational self-determination”)?
- How is data portability related to interoperability between different systems?
With the right to data portability, the regulator mainly aimed at social networks such as Facebook or Google +. However, the scope of application of this right is not limited to such business models in any way. On principle, the right to data portability is relevant for all sectors.
This results in the following questions with respect to the economic assessment:
- In which sectors are lock-in effects an issue?
- How do industries for which “lock-in” effects are not an issue plan to implement Art. 20 GDPR?
- Which specific sectoral challenges does this pose for the individual business models?
- Which investments will the industries have to make?
One of the most important challenges in the implementation of data portability is posed by its technical feasibility. On the one hand, the European Commission’s Article 29 Working Party has clarified that the data will have to be made available in a structured, commonly used and machine-readable format. On the other hand, however, it remains unclear what this format should look like exactly and which standards shall be used.
Therefore, we have answered the following questions over the course of the project:
- What could be considered a “common interoperable format” for practical application?
- How can compatibility between different formats be achieved?
- Which specific requirements must be laid down for a compatible format?
- Which standards shall be used for the development of a format and who shall be responsible for defining them?
Every day and nearly all the time, citizens transmit data to their various counterparts and business partners – whether as customers, users, participants, applicants or as patients. The total volume of customer data soon develops certain characteristics according to specific occasions and cases. For example, a parcel service provider analyses customer data differently than a sales-oriented call centre and the latter differently than an internet service provider, an energy supplier or a car rental company – not to mention social networks.
There is also another important aspect: almost all service providers or organisations add further data to their customer data which are usually related to their respective services. From the first meaningful contact, network operators, fulfilment providers or shippers integrate the customer into their planned processes and check resources, availabilities, expenditures and efforts, possible costs, earnings potential and other aspects.
An essential prerequisite for the goal-oriented fulfilment of the demand for the portability of customer data is a clear definition and differentiation of this task. The IT task of reading data from the database systems of the data controller has to be clearly specified and must be convertible into algorithms. The same applies for the customer’s right to deletion of data which may be asserted at the same time. By standardising processes and formats and a firm implementation in data protection management systems, both aims can be achieved: a consumer-friendly implementation of the new right to portability as well as legal certainty and compliance on the part of the companies. A standard operating procedure which is clear, feasible and predictable seems to be good "legal protection insurance" for both sides (customers/users/data subjects on the one hand, service providers/platform operators on the other hand).
With the right to data portability, the regulator mainly aimed at social networks and large digital platforms (Facebook, Google+, etc.). However, the scope of application of this right is not limited to such structures in any way but applies to all industries and business models. Therefore, the realisation of the instrument of data portability also entails a number of area-specific challenges. According to Art. 20, para. 2 GDPR, every person has the right "to have the personal data transmitted directly from one controller to another, where technically feasible".
Recital 68 of the regulation states that "Data controllers should be encouraged to develop interoperable formats that enable data portability" and further that this right "should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible". In their guidelines issued in December 2016, the Article 29 Working Party requests the competent authorities to develop methods – e.g. download tools and APIs – which support data portability. The Right to Data Portability intends to create interoperable systems which however do not necessarily have to be compatible. Up to now, there have been no precise specifications regarding the format for the portable data sets and which standards shall be binding for them.