The GDPR
Article 20 gives the data subject a new right: the right to data portability. It appears as an improved right of access, with which an interoperability requirement is associated (see Article 29 Working Party (G29), Opinion 06/2014 of 9 April 2014 on the concept of legitimate interest pursued by the controller, p. 54).
The purpose of the right is, according to the explanatory memorandum to the first proposed Regulation, "to transmit data from an automated processing system to another, without the controller ". For this purpose, it allows the data subject to receive the data provided to the controller "in a structured, commonly used and machine-readable format". A novelty in the final version of the Regulation: the data subject may even require that the data be transmitted directly by the first controller to the second, where technically possible.
Note that other data, which the controller could for example obtain from third parties, are not covered by this right, since they were not communicated by the data subject to the controller.
The exercise of this right is subject to a double condition: the processing must be carried out by automated means, on the one hand, and must be based either on the consent of the data subject, including where it concerns sensitive data, or on a contract entered into between the data subject and the controller, on the other hand.
The rationale for this new right is to allow data subjects to take back control of the use made of their data and to strengthen their right of access by recognizing a more active role for them (see recital 68). Article 20 specifies that the right to data portability is defined without prejudice to the right to erasure, within the meaning of Article 17 of the Regulation.
Paragraph 3 specifies that the right to data portability does not apply to processing necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller.
An exception to the right to portability was added by the second proposal for the Regulation in Article 20(4), where disclosure of the data is likely to affect the rights and freedoms of third parties.
The Directive
Neither the Directive nor most national laws provide for data portability.
Potential issues
This new right is one of the major innovations of the Regulation and, more generally, probably marks a very important development in the move towards data subjects recovering control over their own data.
While the goal is laudable, it remains to be seen how it will be implemented in practice, insofar as it implies a dialogue between controllers and, doubtless, an agreement, at least implicit, on the means and standards used for data recovery.
The text says nothing about the further use of the data by the first controller with which this right is exercised. It can be concluded that the general principles of protection continue to apply and that the controller can keep the data only to the extent strictly necessary for the announced purposes.
Nor does the text say anything about the fate of data "generated" by the use of a product or service and not actually "communicated" by the data subject: data related to billing, traffic data, location data, etc. Are they covered by this new right?
European Union
Article 29 Working Party
Guidelines on the right to data portability - wp242rev.01 (5 April 2017)
(Endorsed by the EDPB)
Article 20 of the GDPR creates a new right to data portability, which is closely related to the right of access but differs from it in many ways. It allows for data subjects to receive the personal data that they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller. The purpose of this new right is to empower the data subject and give him/her more control over the personal data concerning him or her.
Since it allows the direct transmission of personal data from one data controller to another, the right to data portability is also an important tool that will support the free flow of personal data in the EU and foster competition between controllers. It will facilitate switching between different service providers, and will therefore foster the development of new services in the context of the digital single market strategy.
This opinion provides guidance on the way to interpret and implement the right to data portability as introduced by the GDPR. It aims at discussing the right to data portability and its scope. It clarifies the conditions under which this new right applies taking into account the legal basis of the data processing (either the data subject’s consent or the necessity to perform a contract) and the fact that this right is limited to personal data provided by the data subject. The opinion also provides concrete examples and criteria to explain the circumstances in which this right applies. In this regard, WP29 considers that the right to data portability covers data provided knowingly and actively by the data subject as well as the personal data generated by his or her activity. This new right cannot be undermined and limited to the personal information directly communicated by the data subject, for example, on an online form.
As a good practice, data controllers should start developing the means that will contribute to answer data portability requests, such as download tools and Application Programming Interfaces. They should guarantee that personal data are transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.
The opinion also helps data controllers to clearly understand their respective obligations and recommends best practices and tools that support compliance with the right to data portability. Finally, the opinion recommends that industry stakeholders and trade associations work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability.