Data Portability: how will your organisation unlock this right?
13 February 2017
Two months have passed since the Article 29 Working Party (“WP29”) published its “guidelines on the right to data portability.” In this time, we have taken a deep dive into this new right through round-table discussions with our clients from a cross-section of industries, and seminars internally with our PwC colleagues in various lines of service.
Although the WP29 has clarified elements of this new right and added more flesh to the text contained in Article 20 and Recital 68 of the GDPR, there are many questions that have inevitably (and perhaps naturally) been left unanswered. This is where we see industry stakeholders, trade associations and technology experts as playing an important role in stepping in and filling some of these gaps. The real challenge for organisations now is to understand what data portability will mean in the context of their business operations and devise an approach to tackle it.
What is data portability?
In its simplest terms, data portability provides individuals with the right to obtain and move their personal data from one service provider to another. It allows individuals to:
- receive personal data from a controller in a structured, commonly used and machine-readable format; and
- transmit such data from an existing data controller to a new controller without hindrance.
What is the purpose behind it?
Data portability seeks to further strengthen the control individuals have over their personal data and “rebalance” the relationship between data subject and data controller. It aims to make it easier for individuals to switch between different service providers and therefore prevent “lock-in”. This encourages competition and the development of new services within the digital market which ultimately provides individuals with greater choice.
What do the WP29 guidelines say?
Set out below are some of the key points from the WP29 guidelines which have been broken down into the elements that make up the right to data portability under Article 20 of the GDPR.
- First element: the data subject has the right to receive personal data concerning him/her.
An individual can exercise this right without prejudice to any other right. It complements rather than replaces rights such as data subject access requests and the right to erasure, which are separate exercisable rights. Further, the WP29 guidance clarifies that ‘the personal data concerning the data subject’ should be broadly interpreted and can include third party data (provided that it does not prejudice the third party’s own rights). It also includes pseudonymous data that can be clearly linked to a data subject. Anonymous data however is out of scope for this right.
- Second element: personal data which the data subject has provided to a controller.
Again, a broad interpretation should be taken here – ‘provided to’ not only means personal data ‘knowingly and actively’ provided to the controller but also includes personal data created by the data subject’s use of the service or device i.e. user activities such as search history and location data.
Inferred data or derived data created by the data controller (i.e. any analytics carried out on the personal data, such as credit scores or results of a health assessment) is not within the scope of this right. It is important to note, however, that a data subject can still submit a subject access request to obtain such data.
- Third element: in a structured, commonly used and machine-readable format.
The intention here is to facilitate interoperability between organisations that support the re-use of personal data. The GDPR does not specify or impose specific data formats; however, the WP29 strongly encourages cooperation between industry stakeholders and trade associations to set a common set of interoperable standards and formats to deliver the requirements of the right to data portability.
- Fourth element: have the right to transmit those data to another controller.
This element goes to the core of the data portability right. Not only can individuals receive their personal data for personal re-use but they are able to request a direct transmission of their personal data from one data controller to another.
- Fifth element: without hindrance from the controller.
The objective here is to deter organisations from creating artificial barriers that make it more cumbersome for individuals to exercise this right. This is further supported in the GDPR by the required timeframes for response (i.e. without undue delay, within one month of receipt of a request or a maximum of 3 months for complex requests), a general prohibition on fees and limited scope for a data controller to justify refusal of a request.
- Sixth element: processing based on consent or contract and carried out by automated means.
Only personal data processed by automated means on the basis of either consent or contract is within scope. However, WP29 has made it clear that in circumstances where personal data is processed based on other justifications (e.g. public interest) it would still be good practice to implement data portability.
What should organisations do next?
Organisations should start developing an approach and strategy for data portability with a view to preparing policies and procedures to be implemented and well socialised within the organisation. The WP29 strongly encourages cooperation between industry stakeholders and trade associations, particularly with respect to setting a common set of interoperable standards and formats to deliver the requirements of the right to data portability. It is important for organisations to be proactive in getting together and seeking industry guidance on how to tackle some of the issues raised. To kick-start this journey, it may be useful for organisations to consider some of the points below:
- Assess what personal data is ‘in-scope’. In what circumstances are personal data being processed by automated means and on the basis of consent or contract?
- What is the source of this personal data? Distinguish between personal data ‘provided to’ your organisation by individuals and personal data generated by analytics.
- Where is this personal data held / processed? Can it be easily identified and extracted into a ‘structured, commonly used and machine-readable format’?
- Is there a market demand for this personal data? Is it likely that an individual will request the metadata generated from the use of your service (rather than simply account details)? Prioritise your solution around the personal data that are likely to be requested by individuals.
- Does your organisation currently have existing technical solutions that can be leveraged to facilitate data portability requests?
- Is your organisation thinking about data portability at the outset of new technology (i.e. privacy by design)?
This is, of course, a non-exhaustive list of points to consider. As a final thought, it should not be forgotten that organisations can also benefit from this right as new data controllers. Understanding and facilitating the right to data portability, and how it can benefit your business operations, has the potential to unlock a new category of customer base that may have previously been ‘locked-in’ to other service providers.
 EU General Data Protection Regulation
 See Articles 12(2), 12(3), 12(4) and 12(5) of the GDPR