The General Data Protection Regulation (GDPR) will apply from 25 May 2018. One of the most high-profile changes it introduces is a new right to data portability. Earlier this year, the Article 29 Working Party (WP29) (soon to become the European Data Protection Board) published guidelines together with FAQs (Guidance) to clarify how the new right will work.
A new right – what is data portability?
Article 20 of the GDPR creates a new right to data portability, which is intended to give data subjects more control over their personal data, especially to reuse and manage it, or to switch between service providers (which the WP29 identifies as its primary aim). In the eyes of the WP29, it represents an opportunity to "re-balance" the relationship between data subjects and data controllers and support the free flow of personal data in the EU.
Under the GDPR, data subjects:
"…have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided…"
This new right is related to the right of access under Article 15 but differs from it in many ways. Individuals making use of their right of access under the current Data Protection Directive have historically been constrained by the format chosen by the controller when providing the requested information. The new right empowers data subjects as it facilitates their ability to move, copy or transmit data easily from one IT environment to another.
When an individual exercises his or her right to data portability he/she does so without prejudice to any other right (as is the case with any other rights under the GDPR). A data subject can continue to use and benefit from a controller's services even after a data portability request. This means that if the data subject discovers that the data requested under the portability regime does not fully address his or her request, any further request for data under a right of access should be fully complied with, in accordance with Article 15 of the GDPR.
Data portability does not automatically trigger the erasure of the data from the systems of the transmitting controller, and does not affect the original retention period applying to the data which have been transmitted. The original data controller is also not expected to retain data solely because it may be requested under the data portability right.
When does the right apply?
The WP29 expands on the three cumulative conditions under which the new right applies:
- Firstly, the personal data requested should be processed by automatic means (i.e. excluding paper files) on the basis of the data subject's prior consent or on the performance of a contract to which the data subject is a party. As the WP29 points out, this means the right can only be exercised in relation to certain processing operations. If personal data is being processed on other lawful grounds, it will not be covered. For example, there would be no obligation for a financial institution to answer a data portability request concerning personal data processed as part of their obligations to prevent and detect money laundering and other financial crimes.
- Secondly, the data should concern the data subject and be provided by him or her. This covers data knowingly and actively provided by the data subject and observed data provided by virtue of the data subject's use of the controller's service. Inferred and derived data created by the controller on the basis of provided data (i.e. algorithmic results) are not covered. While only personal data is covered, the WP29 confirms this includes pseudonymous data which can be clearly linked to a data subject, warning data controllers not to take an overly restrictive interpretation.
- Thirdly, the exercise of this right should not adversely affect the rights and freedoms of third parties. This condition is intended to avoid the transmission of data containing the personal data of other (non-consenting) data subjects to a new controller. Where personal data of third parties is included in the data set, another legal basis for the processing must be identified by the new controller. The new controller should clearly not use the third party data for its own purposes e.g. to market its products or services, and the information should not be used to enrich the profile that the controller has of the third party data subject without his/her knowledge and consent. Otherwise, such processing is likely to be unlawful and unfair, especially if the third party concerned is not informed and cannot exercise his/her rights as data subject.
Who is responsible for what?
Transmitting data controller
Controllers answering data portability requests are not responsible for the processing handled by the data subject or by the other controller receiving the data. They act on behalf of the data subject so should establish procedures to ensure that the types of personal data transmitted are indeed those that the data subject wants to transmit. This could be done by obtaining confirmation from the data subject either before transmission or earlier when the original consent for processing is given or the relevant contract is finalised. The WP29 also says that data controllers must implement an authentication procedure in order to strongly ascertain the identity of the data subject making a portability request. The transmitting data controller is also responsible for ensuring ported data is delivered to the right destination.
The WP29 makes it clear that there should be very few cases where a data controller can justify refusal to deliver information, even where multiple requests are made, especially where a service specialises in automated processing of personal data e.g. an information society service provider. Overall costs of implementing processes to deal with data portability requests should not be taken into consideration when determining whether a request is excessive.
Data processors and joint controllers
Where the personal data requested is processed by a processor, the contract with the processor should follow Article 28 of the GDPR and include the obligation to assist "the controller by appropriate technical and organisational measures (…) to respond to requests for exercising the data subject's rights". The controller should, therefore, implement specific procedures in cooperation with its processors to answer any portability requests. In cases of joint controllership, the contract should allocate clearly the responsibilities between each controller regarding the processing of data portability requests.
The 'receiving' controller becomes a new controller regarding the transmitted data and must respect the principles stated in Article 5 of the GDPR. It must, therefore, clearly state the purpose of the new processing before any transmission in accordance with the transparency requirements set out in Article 14. It should also ensure that the portable data provided is relevant and not excessive with regard to its own service offering. Any data received which is unconnected to the purpose of the new processing should not be kept and processed.
What format should the data being ported be in?
Data must be provided in a format which supports re-use. As the WP29 stresses, interoperability (and not compatibility of systems) is the key outcome. While the GDPR does not specify formats, the WP29 says formats subject to costly licensing constraints would not be considered appropriate. The Guidance encourages industry development of appropriate tools and a common set of interoperable standards and formats e.g. APIs. Data controllers should provide as much metadata with the data as possible at the best level of granularity which preserves the precise meaning of exchanged information. It may be appropriate, in the case of large and complex data sets, to provide the data subject with a summary explaining the way the data is structured to allow the data subject to select subsets to be ported.
What should controllers be doing now to prepare?
The WP29 recommends controllers clearly explain the differences between the types of data a data subject can receive using the portability and access rights. Data controllers are also urged to provide information about the data portability right before any account closure and receiving data controllers should provide data subjects with complete information about the nature of the personal data required to allow them to perform their services.
- As a first step, controllers must inform data subjects of the existence of the new right of portability:
  - where the personal data is directly collected from the data subject, this must happen "at the time where personal data is obtained";
  - where the data has not been obtained from the data subject, the information should be provided within a reasonable time not exceeding one month after obtaining the data, during the first communication with the data subject, or when disclosure is made to any third parties.
- Controllers should ensure that they have systems in place to enable them to provide "information on action taken" on the request to the data subject "without undue delay" and in any event "within one month of receipt of the request". This one month period can be extended to a maximum of three months for complex cases. The WP29 suggests it is good practice to manage user expectations by defining the timeframe in which a data portability request can typically be answered and communicating this to the data subject.
- Controllers should start developing the means that will assist with responding to data portability requests, such as download tools and secure APIs. They may wish to provide data in a summarised form using dashboards allowing the data subject to port subsets of the personal data rather than the entirety. The WP29 recommends that data controllers offer different technical implementations to give effect to data portability rights, for example, direct download, together with transmission directly to another controller.
- Controllers are responsible for taking all the security measures needed to ensure not only that personal data is securely transmitted as part of a data portability request (using end-to-end encryption and strong authentication measures) but also that the data remaining in their systems continues to be protected, and for having transparent procedures for dealing with possible data breaches.