Right to data portability

In brief

The term “data portability” describes the ability to re-use data across interoperable applications. Under the Regulation, a data controller must, upon request of the data subject, provide a copy of personal data processed by electronic means to the data subject in an electronic and interoperable format. In addition, the data subject has the right to request that the data is transmitted directly from the data controller to a third party where technically feasible. In other words, the Regulation requires the data controller not only to provide to the data subject the personal data held, but also to provide them in a format which enables the latter to re-use his/her data in a different context.

Background

The current EU Data Protection Directive (95/46/EC) grants data subjects the right to be given copies of their data (known as the subject access right) but not a right to have the data provided back to them in a manner that enables use with another data controller.

Changes in detail

Pursuant to Article 18 of the Regulation, the right to data portability provided by the Regulation is limited to those data processed by automated means.  In relation to such data, the data controller must, upon request, provide the data to the data subject in a structured, commonly used and machine-readable format - if and as far as the data concerns the data subject him-/herself and the data was provided by the data subject to the controller. The data subject shall have the right to receive the data as well as to transmit such data to another controller.

However, the data controller need only comply with a data transfer request when the data processing is based on the data subject’s consent or on the basis of the performance of a contract, and when the processing is carried out by automated means.

Furthermore, the right to receive and transmit personal data shall not apply where:

  • processing of the data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Interestingly, a previously included exclusion that referred to situations where: 
    • disclosing the data would infringe intellectual property rights in relation to the processing of such personal data has been removed and instead an ambiguous reference to the right of data portability not adversely affecting the rights and freedoms of  "others" has been included.  

Pursuant to Article 14 of the Regulation, the data controller has the obligation to inform the data subject of its right to data portability at the time when the personal data is obtained.

Analysis

It is worth noting that the concept which aims at providing individuals with control over their personal data only applies to private companies but not to the public sector. In addition it is limited to personal data which has been provided based on the consent of the data subject or in relation to the performance of a contract.

The right of data portability has been discussed predominantly in the context of transfer of data between social network providers and the theory is that an individual could obtain a copy of his or her personal data in an electronic and structured form which is commonly used to re-use the data in an alternative social network.  That said, the right would apply to all data controllers potentially and could, for example, be used to require the portability of banking related data or files stored in a cloud based storage service.

It also has to be noted that Recital 125 of the Regulation suggests that Member States should be authorized to provide not only specifications but also derogations to the right of data portability, in particular specific procedures for data subjects to exercise such rights. There is, however, no explicit “operative clause” in the Regulation that grants such derogation - right to Member States (the Recital itself can hardly be seen as such).

It remains to be seen whether the new concept - will lead to material repercussions for businesses across Europe. Even today, data subjects are entitled to obtain information on all data held by an organization about them (through the use of a subject access request). The real development under the Regulation lies in the fact that, when the right applies, the data has to be provided in a specific format, namely a format which enables the data subject to re-use the data in a different context. In addition, the right to require direct transfer "where technically feasible" imposes an additional burden on data controllers that is not limited by reference to cost or commercial impact.

Finally, the new concept embodies much of the ethos behind the Regulation, namely that data subjects should be empowered with regard to their personal data. Businesses will have to reflect more thoroughly in the future on how long they need to preserve personal data for and also which personal data exactly they need to collect and process to fulfill their contractual obligations for example. Ultimately, holding less personal data will mean less work under the new concept of data portability.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.