Guidance on the right to data portability was issued by the Article 29 Working Party in December 2016 (WP242). The guidance tackles some of the uncertainties posed by the right:
- What data does it apply to? (unsurprisingly the Working Party suggests a broad interpretation)
- To what extent does the service provider have to build inter-operable and compatible systems? (inter-operability is encouraged but not a hard-law requirement; compatibility is not required)
- Does a service provider have a responsibility to ensure how the data will be used (no).
Data portability extends subject access and makes data more usable for individuals
Data controllers already have to tell individuals what data they process about an individual and (in most member states) to provide a copy of that data to the individual. The General Data Protection Regulation strengthens the access right – if an individual makes a request electronically, the data has to be provided in a commonly used electronic format.
Portability is a stronger right: it is a right for the individual to receive the data in a commonly used, machine-readable format. This extended right will allow the individual to make more use of the data, allowing them to switch service providers more easily for example. The individual can either require the service provider to provide data to them, or direct to another provider.
Data portability applies to a narrower set of data than subject access
Whereas subject access rights apply to all personal data, portability applies to a narrower set of data. Data portability applies to personal data concerning the data subject:
- Which is processed automatically (so not paper records)
- Which is provided by the individual, and
- Which is processed based on consent or pursuant to a contract with the individual.
WP 242 gives examples of occasions when portability would apply: data held by a music streaming service; titles of books held by an online bookstore; data collected from a smart-meter; emails held by an email service provider.
Portability raises many tricky questions. Predictably, the approach of the Article 29 Working Party is to answer these in ways which maximise the usefulness of the right to the data subject making the portability request.
What if the data relates to more than one person?
One tricky question is what to do if the data requested relates to the person making the request and to others as well: emails relate to sender and recipient; bank details relate to payer and payee; information in a social media account relates both to the individual and to their friends and connections.
WP242 suggests that the fact that the data relates to multiple individuals does not stop it all being data which concerns the person making the request: all such data should be provided. However, helpfully, the Working Party states that the original service provider is not responsible for ensuring that the new provider, or the person making the request, respects the data protection rights of these individuals. This is a matter for the new provider, who is independently obliged to comply with data protection law. The Working Party suggests that this limits the new provider to processing data to deliver a service to the data subject who has ported the data – it would not, for example, be able to use data about friends or contacts for direct marketing purposes.
The Working Party does, however, consider that the original provider is responsible for the security of the data whilst it is being ported to the data subject or the new provider.
What does 'data provided by the individual' mean?
Where a user has an email account, is the data that person provides to the email service provider just the account opening information and emails they send – or does it also include emails sent to the individual?
On a literal reading, emails sent to the data subject are not data provided 'by' that individual to the email service provider. This makes portability of little use. A more purposive interpretation would be that, as the individual has chosen to use this provider, they have authorised the provider to receive this information on their behalf, so that this is all information provided by the individual.
The Working Party takes this broader approach. 'Provided by' includes data actively and knowingly provided by the individual (e.g. in filling a form). It also includes observed data which is 'provided' by the individual in a more purposive interpretation – this includes search history, traffic and location data and information learnt from fitness trackers.
Data which the service provider infers from this data – for example, personalisation or recommendations, or profiles – are not 'provided by' the individual. A distinction between data which is directly provided or collected and subsequent inferences is drawn.
Portability could extend to meta data – but need not include all data in an organisation's systems relating to the data subject
The Working Party notes that a data controller should consider what data the data subject needs to receive to meet GDPR's objective - of allowing users to move data more easily from one service to another.
This could mean that metadata has to be provided (so not just emails sent and received – but also timestamp information; information about whether emails have been opened etc.). However, passwords would not have to be ported. Payment information would also not be covered.
Limits to portability
GDPR provides that portability 'shall not adversely affect the rights and freedoms of others'. Businesses also have rights – including rights to protect trade secrets and intellectual property rights. The WP acknowledges that portability should not grant individuals rights to misuse information in an unfair way. However, GDPR provides that these rights should not result in 'a refusal to provide all information to the data subject'. Further the WP notes that a perceived potential business risk does not justify companies refusing to provide portability.
The Working Party suggests that the answer could be to provide information in a form that does not release information covered by trade secrets or IPRs. This may help in some situations. However, the form in which the information is stored may not be the most likely area where IPRs or trade secrets are relevant. For example, in some cases, the actual questions asked by the provider and so the data fields collected (when taken over a large number of data subjects and where they vary by data subject) may be where the innovation and trade secret applies.
The paper only gives 2 short paragraphs to considering this issue: more thought is needed here.
Best practice guidance
The Working Party also makes a number of recommendations for organisations – all from these perspective of ensuring that portability is more useful for individuals or minimises risks to third parties whose data is swept up in a portability request. These include:
- Development of interoperable formats
- Development of APIs to allow easy porting from one provider to another
- Explaining to individuals the differences between the data available to them as part of an access request and a portability request
- Providing portals or tools, to allow individuals to select data for porting and to exclude data about others
- Tools to obtain consent from others whose data is included in a portability request.