The GDPR privacy data portability right empowers individuals to have full control over their personal data, representing both an opportunity and a risk for businesses.
As part of the series of blog posts on the major changes introduced by the EU Data Protection Regulation, here is an article on the newly forged “data portability right”. This is an extension of the already existing right of access, but in my view it will have a massive impact on businesses.
Below is a video in Italian on the matter as part of Diritto al Digitale and a more detailed outline of the matter in English.
What is the privacy data portability right?
The EU Privacy Regulation (GDPR) provides that
“the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (a) the processing is based on consent [—] or on a contract [—]; and (b) the processing is carried out by automated means.”
As clarified in the Guidelines on the right of portability issued by the Article 29 Working Party (the “WP29 Guidelines”), the privacy data portability right is
- a right to receive personal data processed by a data controller, and to store it for further personal use on a private device, without transmitting it to another data controller in a format that cannot prevent third parties from reading it, but also
- a right to transmit personal data from one data controller to another data controller.
The second point above is very interesting, since the privacy data portability right is aimed at
- increasing competition between providers by easing the switch from one provider to another, as well as
- enhancing the sharing of individuals’ personal data between different controllers under the individual’s control in order to provide better services, as occurs in the case of Internet of Things technologies, preventing the so-called “lock-in”.
How does it work?
According to the WP29 Guidelines, data controllers should explore and assess two different and complementary paths for making portable data available to the data subjects or to other data controllers:
- a direct transmission of the overall dataset of portable data (or several extracts of parts of the global dataset); and
- an automated tool that allows extraction of relevant data.
The second solution is preferable according to the WP29, as (i) it allows for the extraction of any part of the data-set that is relevant for the data subject in the context of his request, (ii) may help minimising risk, and (iii) possibly allows for use of data synchronisation mechanisms. The technical solutions to be implemented in order to enable such transmission of data include secured messaging, an SFTP server, a secured WebAPI or WebPortal.
The GDPR states that “the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.” However, the EU privacy regulators interpret technical restrictions as those due, for instance, to the large size of the data to be transmitted, while the encryption or the format of processed data would not generally be a reason to refuse the exercise of the data portability right. Indeed, the GDPR prohibits controllers from establishing barriers to the transmission.
Individuals should be informed of the portability right both in the privacy information notice and at the time of closure of the account, distinguishing it from other rights. Once an individual requests to exercise his portability right, the response, free of charge (save for exceptions), shall be given within a month, or 3 months in complex cases.
The data shall be provided in a format which enables their “re-use” (e.g. PDF copies of emails would not suffice). This does not oblige controllers to create compatible systems, but just to ensure interoperability.
When does it apply?
The privacy data portability right applies only to data collected with the consent or under a contract with the individual and to data processed through automated means.
It relates to personal data concerning an individual which such individual provided to the data controller, without adversely affecting the rights and freedoms of others. This means that
- anonymous data is excluded, but pseudonymised data is included, and this leads to a debate on when pseudonymised data is still personal data;
- data that is generated by and collected from the activities of individuals is included, while
- assessments performed (e.g. the credit score or even the results of health tests) on the basis of provided data are excluded, as the WP29 expressly excludes derived and inferred data and likewise
- profiling, categorisations, personalisation and organisation of data performed through the provided data are excluded;
- data concerning employees might be subject to the privacy data portability right with a very limited scope, since consent in an employment relationship is considered not freely given in most scenarios. Therefore, it shall be assessed on a case-by-case basis whether the data processing activity is based on a contract, and therefore the privacy data portability right can apply, rather than on, for instance, legitimate interest or the need to comply with a legal obligation; and
- third parties’ data can be included in ported data only if there is another legal ground justifying its processing, e.g. the legitimate interest allowing the usage of third parties’ data for merely personal and household purposes, which would prevent the receiving entity from using that data for marketing purposes, for instance. In this respect, the European data protection authorities even recommend providing individuals with tools to select the relevant data and exclude (where relevant) other data subjects’ data or, in the case for instance of social media, to enable the third party to decide whether he wants his data to be transmitted as part of a portability request.
What shall be done before transmitting data?
The WP29 clarified that the data controller answering a data portability request is not liable for the future processing of personal data performed by the receiving data controller. However, it shall put in place a procedure to ensure that only data that the individual is willing to transmit is actually transmitted. This could be done – according to the WP29 – by obtaining confirmation from the data subject either before transmission or earlier on when the original consent for processing is given or the contract is finalised.
What shall the receiver of data do with ported data?
The receiving data controller is responsible for ensuring that the portable data provided is relevant and not excessive with regard to the new data processing. This is an important burden since it requires that the receiving entity reviews the data and assesses which data it can keep and which others should be deleted (e.g. in relation to emails, the details of the correspondents or in relation to bank transactions, all the unnecessary details once they have been labeled). And such review shall be based on the purposes of the processing of personal data as set by the receiving entity based on the service to be provided.
The WP29 Guidelines are not fully clear on this point, as individuals might be willing to keep ported data as it is and they might even bring a claim for damages if the controller deletes their data. Therefore the matter shall be further reviewed in light of the peculiarities of each circumstance.
In any case, it seems clear from the WP29 Guidelines that receiving entities have to comply, in relation to received data, with the same obligations applicable to data they directly collect.
What is the impact on your industry?
With the technological development that is leading to services that are exponentially customised to the users’ profile, the portability right enables individuals to “transfer” their profile from one supplier to another.
This might have considerable effects, among others, in the following sectors:
- Insurance -> as of today, individuals are “ranked” on the basis of their previous insurance history and the ranking is necessary to determine the insurance premium. If an individual switches to a new provider, such individual will be obliged to pass on to his new insurer only a certificate testifying his “classification”. On the contrary, the portability right will allow the transfer of the whole profile of the individual, which might be considerably detailed as a consequence of the development of insurance telematics and might also contain useful information/trade secrets on what type of data is collected by the insurer;
- Online/e-commerce/online gaming -> cookies, footprinting and other similar technologies allow the creation of a detailed profile of online customers which contains not only the history of their purchases, but a full profile of their preferences. Individuals might require under the new Privacy Regulation the transfer of such profile to their new favourite e-commerce platform or online gaming operator, which also in this case would oblige the operator to be fully transparent on the data collected in relation to its users;
- Research and clinical trials -> individuals that are enrolled in such projects and want their data to be used for a new project on the same topic, might require the hospitals involved in the first clinical trial to pass on the data to those running the new one. This practice might lead to abuses as the “migration” of data might enable the new hospital to take advantage of the activities previously performed;
- Internet of Things technologies -> if we consider connected cars or eHealth devices, users might decide to transfer their profile when they buy a new car so that this is already customised to their size and preferences. Likewise, the whole health-related data of an individual could be transferred from one eHealth provider to another;
- Cloud platforms -> most data is now stored in cloud platforms and, after years of usage of the same provider, users might find a disincentive in switching to a new supplier. However, the privacy data portability right makes the competitive advantage of consolidated cloud providers much weaker.
Is this right a potential source of anti-competitive conduct?
A major issue pertaining to portability relates to the potential disclosure of trade secrets and confidential information by means of the transmission of “portable” data.
Likewise, the exercise of the portability right might also impact the intellectual property rights of the data controller. Indeed, a supplier might acquire considerable contents of the database of one of its competitors simply by granting customers incentives to exercise their portability right. As a consequence, it cannot be excluded that the exercise of the portability right might lead to unfair competition conduct.
In this respect the WP29 Guidelines expressly provide that a potential business risk cannot serve as the basis for a refusal to answer the portability request.
Businesses should therefore be ready to respond to portability requests in a manner that allows raw data to be communicated without disclosing any of their protected assets. This might sound an easy task, but it gets quite complicated in the case of very large databases.
What to do to minimise negative effects and be ready?
There is no doubt that the privacy data portability right might lead to considerable costs for data controllers. The Privacy Regulation is silent on the possibility to charge any fee to individuals exercising their portability right, but the possibility to charge a reasonable fee is mentioned with reference to the exercise of the access right, of which the portability right might be considered an extension.
In order to be ready for such right, data controllers shall, among others,
- adopt procedures in order to deal with portability right requests;
- have a standard process that enables the transmission of data to the new supplier;
- adopt measures that allow the removal of confidential information/trade secrets from communicated data; and
- have systems that monitor the amount and types of privacy data portability right requests to limit the risks of abuses by competitors.