The right to data portability is one of the fundamental data subject rights in the General Data Protection Regulation (GDPR). While several of these rights of the data subject regarding his/her personal data existed before, data portability is new – and ambitious.
Essentially data portability is the right to transfer personal data from one organization (controller) to another organization or to the data subject in the context of digital personal data (sets and subsets) and automated processing. It might sound easy but is far less in practice.
The right to data portability needs to be seen in the scope of the higher degree of control that the GDPR gives to data subjects with stricter rules and principles that aim to ensure that the control of personal data is handed to the data subject with an accountability duty for the controller with regards to the principles of personal data processing (and stricter rules regarding some of the legal bases for lawful processing).
The WP29 Guidelines on data portability effectively put the right to data portability in a context of use choice, control and empowerment.
The scope and digital aspect of the right to data portability
The right to data portability certainly also needs to be seen against the backdrop of a digital era of digitization and digital transformation whereby personal data have become part of virtually all areas of society, life, business and tons of processes, ranging from buying online to seeking online customer service and all the big data processes going on in myriad digital data processing activities.
Moreover, we need to realize that, with for instance the IoT (Internet of Things) we really still are at the beginning of this data deluge and a digital transformation economy where the types and volumes of data, as well as the number of processing activities relating to them, exponentially grow, with unstructured data accounting for the main growth. IoT data are mentioned further below in the context of data portability.
So, it shouldn’t come as a surprise that data portability is about automated data processing activities and digital data. In fact, originally, before the final text of the GDPR was ready it mentioned social networks (the WP29 Guidelines still do, in a particular context as we’ll see). This link has been removed in the text though and data portability is broadened to personal data processing operations in the digital context where it applies in specific circumstances mentioned below.
Here as well the WP29 guidelines on data portability clearly point to the digital and IT dimension of data portability where they state that the new right to data portability aims to empower data subjects regarding their own personal data, as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another.
This transmission of data from one IT system to another can be:
- From the controller’s IT system to the systems of the data subject.
- From the controller’s IT environment to data systems of trusted third parties.
- From the IT system of a controller to that of another (new) data controller.
The introduction of the right to data portability is also related with the constraints of the right of access, which was already present in the Data Protection Directive (the predecessor to the GDPR) and is another one of those data subject rights.
The right to data portability is certainly also seen as a way to avoid vendor, or let’s say, controller lock-in.
What data portability means
We already covered the right to data portability in our articles on GDPR compliance and on data subject rights. However, it’s important to take a deeper dive as data portability is not just new but the GDPR Articles and GDPR Recitals do use confusing language in the scope of this new right whereby the terms aren’t exactly clearly defined (which is undoubtedly related with the fact that it’s new).
So, it also doesn’t come as a surprise that among the first (not legally binding) guidelines of the WP29 (the European Data Protection Board now) are guidelines on data portability. A second reason no doubt is the fact that, again given the increasing digitization and digitalization of business, commerce, society, leisure, buying, pretty much everything, the right to data portability has been a headache for many organizations, certainly in specific industries and business areas.
The main GDPR Article that covers the right to data portability is GDPR Article 20. What does it say?
Data subjects have a right to receive personal data which concern them AND which they have provided to a controller organization in a structured, commonly used and machine-readable format.
Essentially this part of the description of the right already implies a transfer from the controller’s IT system to the systems of the data subject.
Moreover, data subjects also have a right to transfer those data to another controller whereby there should be no hindrance from the data controller who received the personal data originally and is asked to provide them, whether it’s to have them transmitted to another controller (which can be another provider in the scope of switching services but could be another type of service if all rules of the GDPR are taken into account), to simply receive them as a data subject (which thus is a right) and to store them on a system the data subject has, whether it’s a storage device, a cloud-based app they use, etc.
It’s also in this regard that the WP29 guidelines on data portability see that right to data portability as being complementary to the right of access: the data subject doesn’t just have a right of access, with data portability he also has a right to receive them in a way that makes it easy to manage and reuse personal data subsets (again with that ‘digital’ notion of ‘a structured, commonly used and machine-readable format’).
An example that is often cited in the context of data portability is related with music streaming service Spotify. Obviously the GDPR doesn’t mention Spotify but the WP29 guidelines on data portability give the example of how data subjects could leverage easy to reuse and manage subsets of personal data in the context of using a music streaming service. By mentioning Spotify it simply makes it more tangible when people want to explain this example.
Whether it’s Spotify or not, a data subject could, as the WP29 guidelines put it, be interested in retrieving a current playlist or history of listened tracks so they can, for example check how often they’ve listened to songs, find a few albums they might want to buy or listen to when using another platform.
Of course it’s not just about music streaming services. Other examples include digital data regarding the books a data subject has bought via an online bookstore or general e-commerce platform, data regarding their contacts for which they use a certain application (and thus company and data controller) in order to prepare an invitation to an event with another platform, data regarding their energy usage (with the energy company as the data controller) to check out their carbon footprint, data regarding their location history from their service provider, their online search history, you can imagine ample more examples.
Which personal data fall under the right to data portability?
It is clear that the right to data portability does not cover all personal data. However, when personal data do not fall under the right to data portability, they of course can still fall under the right to access.
What’s important here is that the data subsets they can receive both related to data they have provided to the data controller but also certain data that the controller lawfully collected by having their systems track data subject activity.
The WP 29 Guidelines on data portability elaborate on what exactly ‘provided data’ means and which types of personal data fall under the right to data portability and which don’t.
First, the guidelines offer two categories of personal data that are considered given to the data controller (whereby the right to data portability thus can play):
- The obvious category of personal data which are actively and knowingly provided by the data subject.
- Observed data whereby the data subject indirectly provides data when using a service, device and so forth. These include raw data relating to the data subject such as location, data tracked by wearables, by smart meters and other connected devices (here come the IoT data again indeed), activity logs, histories regarding website usage and search, etc.
In contrast, so-called inferred data and derived data typically do not fall under the right to data portability. Examples: health assessment outcomes in the scope of risk management, credit scores etc.
That is the essence of the first part of the first paragraph of GDPR Article 20 where it states that “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”.
Conditions to exercise the right to data portability
However, as mentioned, this right to data portability is not absolute and is subject to restrictions or, the other way, around only can be invoked when specific conditions are met, which are covered in the rest of that first paragraph of GDPR Article 20.
So, here are those conditions under which the right to data portability can be exercised:
- The right to data portability can be exercised when the legal basis for lawful processing is either:
- The right to data portability can only be exercised when, on top of the presence of consent, explicit consent or contractual necessity as grounds for lawful processing, the actual personal data processing is ALSO carried out using automated means, which brings us back to that IT systems and digital aspect of the right to data portability.
In the context of switching providers of particular services, applications and so forth, which the right to port data from one controller to another controller essentially means, the controller has specific duties and must try direct transmission to another controller.
However, this won’t always be the case
- First, as we saw before, the data subject can receive the data in a structured, commonly used and machine-readable format whereby he or she can store or use them (which is pretty obvious given the fact that the GDPR in principle hands over control of personal data to the data subject) but also can transfer those data to another data controller if so desired.
- Moreover, and this is the subject of paragraph 2 of GDPR Article 20: the data subject has a right to have the personal data which fall under the right to data portability transmitted directly from one controller to another, WHEN this is technically feasible.
Data portability, the right to erasure and public interests
Just as is the case for all data subject rights, the exercise of the right to data portability happens without any prejudice to another data subject right. Paragraph 3 of Article 20, among others mentions the right to erasure, a.k.a. right to be forgotten.
Exercising the right to data portability in the context of the relationship with the right to erasure, among other means that:
- Exercising the right to data portability does not automatically lead to the erasure of the concerned data and that the data subject still can use the services of the data controller as long as his/her data are processed. This is relatively obvious as the right to data portability does not by definition mean a switching of services from one controller to another as we saw but even if it fits in the scope of using other controllers’ services etc. there isn’t a reason why the data subject wouldn’t be able to use several controllers, except of course where this is not possible.
- When the data subject exercises the right to data portability and the right to be forgotten, the first one cannot be used as an excuse by the data controller to delay or refuse the data erasure.
Paragraph 3 further stipulates that “That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
Simply put: it’s clear that when the data controller has legal obligations to fulfil, an official authority or a task in the public interest that requires processing of personal data, then the right to data portability cannot apply to the specific data.
The right to data portability and third-party personal data – the rights and freedoms of others
Last but not least, Article 20 states that the right to data portability cannot adversely affect the rights and freedoms of others, which has consequences on the level of the types of personal data the data subject can receive when exercising his or her right to data portability.
Personal data sets can contain data of others, so when these data are transmitted to another data controller, the ‘new’ or ‘other’ data controller by definition obtains personal data from other people than the one who wants to exercise his right to data portability.
Just think back at some of the previously mentioned examples: if a service is used to manage contact data or leverage contact data for specific purposes, the right to data portability would not apply if the data subjects whose contact data are managed under the service would prevent them to exercise their own data subject rights.
Moreover, thinking about purpose and the fundamental data processing principle of purpose limitation and the essential rules on a legal basis for lawful processing it’s clear that a data controller cannot leverage the data of contact persons of the data subject exercising his right to data portability in any other way than for the purpose of the specific platform, service and processing operation.
This of course doesn’t mean that, when data of other data subjects are part of a set of data that needs to be transferred from one controller to another, that is impossible because it would make switching providers impossible in several cases. In most of these cases, another legal basis for lawful processing with regards to these third parties, such as a legitimate interest, will be sought.
The WP29 guidelines on data portability state that:
- To prevent adverse effects on the third parties involved, the processing of such personal data by another controller is allowed only to the extent that the data are kept under the sole control of the requesting user and is only managed for purely personal or household needs,
- A receiving new controller cannot use these third party data for his own purposes,
- As a leading practice implements tools enabling data subjects to select the relevant data they want to receive, transmit and exclude which further reduces risks for third parties if third party data are included,
- Data controllers should implement consent mechanisms for other data subjects involved, to ease data transmission for those cases where such parties are willing to consent (whereby social networks are mentioned).
More on the right to data portability
In several circumstances, enabling the right to data portability isn’t indeed the easiest of GDPR rights to make possible.
More information with regards to the right to data portability can of course also be found when searching the official GDPR Articles and GDPR Recitals. In particular GDPR Recital 68 is relevant here as it covers not just the right to data portability as such but also the question of interoperability (encouraging data controls to develop interoperable formats enabling data portability) and more.
It is a key topic we haven’t touched upon yet: the actual deployment in particular circumstances and the impact on an IT systems level with additional explanations on essential terms, starting from that ‘structured, commonly used and machine-readable’ aspect.
Attention though: these are still guidelines and for some aspects, including those data sets containing third party data, there are disagreements.
Top image: Shutterstock – Copyright: Natali_ Mis. Although our GDPR content has been carefully verified, we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR.