Data protection - The right to data portability: WP29 guidelines

Published on 20 March 2017

WP29 has published guidelines on the interpretation and implementation of the right to data portability under Article 20 of the General Data Protection Regulation.

The background

The Article 29 Working Party (WP29) is made up of representatives from the data protection authorities of each EU member state, the European Commission and the European Data Protection Supervisor. It was launched in 1996 to provide expert advice and recommendations on data protection issues.

The right to data portability

The right to data portability gives data subjects the ability to receive any personal data which they have provided to a data controller “in a structured, commonly used and machine-readable format, and to transmit that data to another data controller without hindrance”. In other words, it helps data subjects to obtain their personal data and store it for private use on a personal device, as well as the ability to move, copy or transmit their data from one service provider to another, thereby enhancing competition between services.

The guidelines

Tools: On a technical level, data controllers should offer data subjects different ways to exercise their right to data portability – eg by offering direct download as well as allowing the direct transmission of data to another data controller. One proposal to help facilitate transfers is for an Application Programming Interface (API) which interacts with other data controllers’ applications/web services.

Controllers: The guidelines make clear that:
• data controllers answering data portability requests are not responsible for the processing undertaken by the data subject or by another company receiving the personal data
• data portability does not impose an obligation on the data controller to retain personal data for longer than is necessary
• an organisation receiving personal data following a data portability request is responsible for ensuring that the data provided is appropriate for the new data processing.

Scope: The guidelines explain that the “GDPR does not establish a general right of data portability”. To fall under the scope of the right, data must be:
• personal data (ie not anonymous)
• processed based on the data subject’s consent or pursuant to a contract to which the data subject is a party
• provided by the data subject to a data controller, interpreted broadly to exclude only “inferred data” and “derived data” (eg any personal data generated by a service provider such as algorithmic results)
• processed by automated means (so paper files are not covered).

Data processed under one of the permitted conditions for processing (eg for a controller’s legitimate interests) will not be covered.

In short, the personal data must concern the data subject and be provided by the data subject. The guidelines recommend that the term “provided” is widely interpreted to cover data which is actively and knowingly provided by the data subject or generated by virtue of the data subject’s activity (eg search histories from browsers).

Compliance with the right of data portability should not adversely affect the rights and freedoms of others.

Why is this important?

The guidelines should help focus the minds of data controllers on the new portability right, and to help them understand their obligations regarding data portability requests. They provide examples and recommend best practice and tools to enable data controllers to ensure compliance with this aspect of the GDPR.

Any practical tips?

Data controllers need to consider what systems and other tools they have in place to enable data portability. And, on a more basic level, how they are going to process requests by end users to transfer their data without undue delay. The transfer must take place within one month of the initial request, or three months if the relevant supervisory authority has granted an extension for particularly difficult reasons. It goes without saying that at all times the security and integrity of the data must be maintained. There are specific requirements to adopt authentication procedures to be able to identify the data subject requesting the exercise of this right.

As with other rights under the GDPR (such as the right to data erasure) one wonders how many organisations will actually have the appropriate technology in place to meet the demands of the GDPR by the time May 2018 is upon us. And if they cannot provide the data promptly (eg within the one month period of a data portability request), then the backlash from regulators and consumers alike may be severe.