The new privacy data portability right empowers individuals to have full control over their personal data, representing both an opportunity and a risk for companies.
What is the privacy data portability right?
The EU Privacy Regulation provides that
“the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (a) the processing is based on consent [—] or on a contract [—]; and (b) the processing is carried out by automated means.”
Also, the regulation adds that “the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.”
Considering that most data is nowadays processed by automated means, the scope of this new right is massive. The regulation does not oblige data controllers to make their systems technically compatible with any other system. But when systems are not compatible, the data must in any case be handed over to the individuals so that they can transmit it to their new supplier.
The purpose of the right is to grant individuals more freedom of choice when selecting their service providers, making it easier to switch to a new supplier.
What is the impact on your industry?
With technological development leading to services that are exponentially customised to users’ profiles, the portability right enables individuals to “transfer” their profile from one supplier to another.
This might have considerable effects in, among others, the following sectors:
- Insurance -> as of today, individuals are “ranked” on the basis of their previous insurance history, and the ranking is necessary to determine the insurance premium. An individual who switches to a new provider is obliged to pass on to the new insurer only a certificate attesting to his or her “classification”. By contrast, the portability right will allow the transfer of the individual’s whole profile, which might be considerably detailed as a consequence of the development of insurance telematics and might also contain useful information/trade secrets on what type of data is collected by the insurer;
- Online/e-commerce/online gaming -> cookies, footprinting and other similar technologies make it possible to create a detailed profile of online customers, which contains not only the history of their purchases but a full profile of their preferences. Under the new Privacy Regulation, individuals might require the transfer of such a profile to their new favourite e-commerce platform or online gaming operator, which in this case too would oblige the operator to be fully transparent about the data collected in relation to its users;
- Research and clinical trials -> individuals who are enrolled in such projects and want their data to be used for a new project on the same topic might require the hospitals involved in the first clinical trial to pass on the data to those running the new one. This practice might lead to abuses, as the “migration” of data might enable the new hospital to take advantage of the activities previously performed;
- Internet of Things technologies -> if we consider connected cars or eHealth devices, users might decide to transfer their profile when they buy a new car so that it is already customised to their size and preferences. Likewise, all of an individual’s health-related data could be transferred from one eHealth provider to another;
- Cloud platforms -> most data is now stored on cloud platforms and, after years of using the same provider, users might find a disincentive in switching to a new supplier. However, the data portability right makes the competitive advantage of consolidated cloud providers much weaker.
Is this right a potential source of anti-competitive conduct?
A major issue pertaining to portability relates to the potential disclosure of trade secrets and confidential information by means of the transmission of “portable” data.
Likewise, the exercise of the portability right might also impact the intellectual property rights of the data controller. Indeed, a supplier might acquire a considerable part of the contents of a competitor’s database simply by granting customers incentives to exercise their portability right. As a consequence, it cannot be excluded that the exercise of the portability right might lead to unfair competition.
Therefore, the issue is whether the above rights could limit the exercise of the portability right, or whether it will be up to businesses to allow its exercise in a manner that avoids a breach of their rights.
What to do to minimise negative effects and be ready?
There is no doubt that the portability right might lead to considerable costs for data controllers. The Privacy Regulation is silent on the possibility of charging any fee to individuals exercising their portability right. However, the possibility of charging a reasonable fee is mentioned with reference to the exercise of the access right, of which the portability right might be considered an extension.
In order to be ready for this right, data controllers shall, among other things:
- adopt procedures to deal with portability right requests;
- have a standard process that enables the transmission of data to the new supplier;
- adopt measures that allow the removal of confidential information/trade secrets from communicated data; and
- have systems that monitor the number and types of portability right requests to limit the risk of abuse by competitors.