26 Jan 2017

Article 29 Data Protection Working Party GDPR Guidelines on Data Portability

Linkedin

Introduction

Article 20 of the General Data Protection Regulation (the GDPR) contains two new and interrelated rights for data subjects:

  • the right to receive personal data from a data controller in a structured, commonly-used and machine readable format; and
  • the right to transmit such data from an existing data controller to a new controller without hindrance.

Together these two rights form the right of so-called "Data Portability". The Article 29 Working Party (WP29) has published updated guidelines on the interpretation and practical implications of this new right (the Guidelines) which are summarised below.

What does Article 20 entail?

The rights contained in Article 20 complement the right of access for data subjects contained in Article 15 GDPR by helping to give consumers within the European Union (the EU) greater control over their personal data and by making it easier for data subjects to move, copy or transmit their own personal data. It is thought that this may foster greater competition between data controllers as it will become easier for individuals to switch between different service providers.

It is important to note that data subjects who exercise their rights under Article 20 do not prejudice any other rights that they may have accrued under the GDPR. Article 20 will apply so long as the data controller processes the personal data. Accordingly, for example, a data subject may request that his data is transmitted to a new data controller before or after exercising his right of erasure under Article 17 GDPR, to ensure that any personal data stored with the previous data controller is removed, other than that which may be retained lawfully.

When does Article 20 apply?

The rights to data portability apply to all personal data processed by automatic means (this will not cover most paper files) that is conducted either (i) on the basis of the data subject's consent; or (ii) based on a contract agreed between the data controller and the data subject.

If Article 20 applies, the data controller must provide the data subject with all personal data that (i) concerns the data subject, and (ii) was provided by the data subject to the data controller.

The Guidelines make it clear that whether or not personal data 'concerns' the relevant data subject is a matter of common sense and will depend on the facts in each case, clarifying that anonymous data will not be in scope but 'pseudonymous' data may be considered to relate to a data subject if the data subject can be easily identified by applying an identifier to the original data.

Whether personal data has been 'provided' is less clear-cut. The Guidelines recommend that the term 'provided' is widely interpreted to cover personal data that is obtained in either of the following ways:

  • actively and knowingly provided by the data subject; or
  • generated by the data subject by virtue of its activity (i.e. its use of a service or device) including, for example, search histories from web browsers.

This broad new interpretation means that wider categories of personal data than previously anticipated will also be subject to the right of data portability. However, personal data either inferred or derived from information otherwise provided by the data subject will be excluded from the right of portability (e.g. information such as credit scores produced on the basis of personal data provided by the data subject).

It is important to note, when choosing whether to apply Article 20, that the exercise of the right of data portability must not prejudice the rights and freedoms of others. This applies to personal data concerning other data subjects, as well as personal data that is covered by intellectual property and trade secrets.

Dealing with Data Portability

The Guidelines set out some practical advice to help organisations deal with data portability requests made under Article 20. Importantly:

  • Inform - data controllers must inform data subjects regarding the ​existence of the new right to portability “in a concise, transparent, intelligible, and easily accessible form, using clear and plain language”.
  • Respond - data controllers must respond to requests without undue delay, and within any event within one month of the initial request.
  • Identify - data controllers must implement an authentication procedure in order to strongly ascertain the identity of the data subject requesting his or her personal data or more generally exercising the rights granted by the GDPR. Where a data controller has reasonable doubts about the identity of a data subject, it can request further information to confirm the data subject’s identity before acting on the request.
  • Tools - data controllers should offer different options for exercising the right to data portability (i.e. offering a direct download opportunity for the data subject but also allowing data subjects to directly transmit the data to another data controller).  This could be implemented by making data available via an Application Programming Interface (API).
  • Extension - if the data requested is particularly difficult to transfer, data controllers can request an extension of up to three months from the relevant supervisory authority.
  • Fees - data controllers may not charge a fee for the service unless the request can be shown to be "manifestly unfounded or excessive", although this will only be permitted in exceptional circumstances.
  • Secure - data controllers must take all security and authentication measures necessary to ensure the secure transmission and storage of the personal data of data subjects.
  • Interoperability - data controllers should provide their personal data in a common format that can be accessed by most other data controllers. 

In respect of this final concept, the GDPR does not impose specific recommendations due to the wide range of potential data types. As a result, the WP29 encourages industry stakeholders to collaborate on the development of a common set of interoperable standards and formats which can then be shared between data controllers to make the transmission of personal data easier for the data subject.

Linkedin

KEY CONTACT

Jonathan Kirsop

Jonathan Kirsop
Partner

T:  +44 20 7809 2121 M:  +44 7554 403 022 Email Jonathan | Vcard Office:  London

Alison Kenney

Alison Kenney
Associate

T:  +44 20 7809 2278 M:  Email Alison | Vcard Office:  London