The right to data portability is the new individual’s right provided in article 20 (1) of the new data protection regulation (GDPR).
This new right allows data subjects to ask data controllers to provide him/her or another data controller of their choice with a copy of the personal data they have provided for the data subject or the recipient controller to re-use the data to provide its service.
The aim and the scope of this right should be distinguished from the right of access which aims at providing individuals with a copy of any data held by a controller (not only the one provided by the data subject) for any reason whatsoever.
When it comes to dealing with data portability, one’s should answer the following questions:
How to inform users about their right to data portability?
What procedure to follow when dealing with such a request? (i.e. Can the controller refuse to deal with the request, charge fee? How long does it have to answer? How should it authenticate the requester? Etc.)
What is the content and the format of the file to be transmitted ? and Who is the recipient of such a request?
What can the recipient controller (where applicable) do with the information?
1.Information about the right to data portability
In the privacy notice provided to individuals when collecting their personal information, the controller should clearly distinguish the right to data portability from the other rights and more particularly from the right of access and should clearly state the data an individual may expect to receive when exercising its right to data portability.
2. Procedure to follow (it also applies to other individuals’ rights)
Authentication.The controllers should put in place an authentication process to ensure the requester is the individual concerned by the request. This requirement should not be a problem when a account is necessary to connect. However, in case of doubt as to the identity of the requester, the controller must ask for further information.
Time period.The request must be answered without undue delay and no later than within one month of the receipt of the request. In the case of a complex request, an extension of 2 months is possible.
Refusal/fees.The controllers should not refuse or charge fee for dealing with the request unless it is unfounded or excessive. Repetitive request could be a reason of refusal or charging fee but the controller should prove it is an excessive burden. According to the WP29, repetitive requests are unlikely to be an excessive burden for information society service provider.
If it refuses to answer the request, the controller should still inform the user of such refusal and inform him/her about his right to lodge a complaint with the authority.
3. Content and format of the data portability request
3.1. Data to be provided by the data controller
Step 1: Identifying the data processing concerned by the request
According to the article 20 of the GDPR, the concerned processing operations must be based either :
- on the data subject consent ; or
- the performance of a contract
Therefore any data processing based on any other legal ground such as legitimate interest or a legal obligation must be excluded of the request.
In addition to these criteria, the data must be processed by automated means which exclude all manual filing.
Step 2 : identifying the data to be transmitted
Once the scope of processing defined (i.e. consent/contract), the data to be transmitted to the individual or the new controller must be the ones that :
- concern him or her
- (s)he has provided to the first controller
Data concerning him or her means that any anonymous data or third parties data should be out of the scope of the request. However, the criteria should not be applied restrictively as the WP29 would consider that a recorded conversation should be transmitted to the data subject even though a third party is concerned.
This position is very extensive and controllers should be cautious when it comes to sharing third party data as it would be against the law to transmit third party data if this would adversely affect the rights and freedoms of others.
Pseudonymous data that can be clearly linked to a data subject (e.g. him or her providing the respective identifier) should fall under the scope of the right to data portability (article 11 (2))
Data provided by the data subject are the one provided when the individual filled out a form or answered questions over the phone. But once again the definition should not be interpreted too narrowly.
Indeed, the data generated by and collected from the activities of the individuals should be included as well as observation of the individuals’ behaviour made.
This includes data collected through cookies or any equivalent tracking technologies (e.g. history, traffic data, location data, any other raw data such as heartbeat tracked…)
On the contrary, inferred and derived data created by the data controller on the basis of the data provided by the individual should be excluded from the scope of the right to data portability.
Therefore only raw data should be transmitted and not the analysis and comments made from them.
It must also be noted that it is recommended to add the metadata necessary to enable the reuse of the data properly (e.g. copy of email box should be sent with the meta data so that it can be transferred to the new email provider).
3.2. Format of the transmitted data and Recipient
The format chosen must support re-use of the data since it is the purpose of the right of data portability.
According to the regulation, the data must be provided in a structured, commonly used and machine readable format. It should also be interoperable.
There is no specific recommendations as the kind of data to be transmitted may vary from one sector to another, the limit being that controllers do not have to adopt or maintain processing system which are technically compatible. However format subject to costly licensing constraints would not be considered adequate.
The WP29 encourages industry stakeholders and trade associations to work together to agree a common set of standards and format in order to meet the requirements.
Therefore there is no unique answer to this question and controllers should do their best to provide a format enabling the easy reuse of the information.
The recipient of the information should be at the choice of the individual making the request, either the him/herself or another controller for the latter to provide its service.
In terms of security, the data controller sending the information to the user or another controller on the user’s request, is responsible for the security of the information transmitted until it is in the hands of the recipient.
4. What can the recipient controller do with the personal data?
Where the data subject request his/her data to be transmitted to another controller, the latter should only use the information necessary to provide its service and delete any unnecessary information. It should not either use the information for its own purpose (other than the provision of the service) such as for direct marketing/profiling purpose unless it has obtained the consent of the individual.
If you have any question, do not hesitate to contact Arnaud Blanc, French & UK qualified lawyer based in France.