WP29 GDPR Guidelines: The Right to Data Portability
Article 29 Working Party provides new guidelines with respect to data portability under the GDPR.
The Article 29 Working Party (WP29), an advisory body made up of national data protection officers from across European Union (EU) Member States, has published three sets of guidelines on how the incoming General Data Protection Regulation (GDPR) will work in practice (the Guidelines). The Guidelines focus on three separate issues: data protection officers; data portability; and lead supervisory authorities. These three issues will all place new obligations on some organisations under the GDPR, which will come into force in May 2018.
You can see our previous blog posts on GDPR developments here.
This blog post will focus on the Guidelines on data portability.
The GDPR will introduce a new right to data portability that will enable individuals to receive information which they have provided to a data controller in a structured, commonly used and machine-readable format, in order to transmit the data to another service provider, usually for no fee and without undue delay.
Data portability and the existing right to access
The new right is intended to give individuals more control over the processing of their data and the opportunity to move to new service providers more freely, thereby encouraging competition.
Subject access requests will continue to exist under the GDPR and it is hoped that the right to data portability will complement the existing access rights.
Scope of the data to be provided
The new right applies both to data knowingly provided by individuals and to personal data generated by an individual’s activity. However, data inferred or derived by the data controller on the basis of the personal data provided by the individual would not fall within the scope. This may be a grey area for some organisations which might find it difficult to determine exactly how the personal data they process is generated.
One of the more complex aspects of the right to data portability is providing data which adversely affects the rights and freedoms of a third party. This data should not be provided, unless the receiving data controller is pursuing a legitimate interest in relation to the data.
Data controllers will also have to consider applicable intellectual property rights, for example database rights, and decide to what extent these rights may restrict the provision of data.
How should the data be provided?
The Guidelines state that data controllers should provide a range of tools for individuals to receive their data, including a direct download option and an option to automatically transmit data to another data controller. WP29 recommends and encourages industry stakeholders to work together to develop a common set of standards and formats for delivering information related to a data portability request to simplify the process for the individual.
The Guidelines suggest that the data is provided through an application programming interface (API) which lets users access their data via an application or web service. Other service providers can link their systems to that API, enabling a data controller to pass personal data automatically to the individual's chosen new service provider.
The Guidelines set minimum standards that organisations must comply with when delivering data including:
- to provide for a high level of abstraction to allow for the data controller to remove information which is outside the scope of portability, e.g. passwords;
- to provide as much metadata as possible in order to preserve the precise meaning of the exchanged information; and
- to securely deliver information to the correct individual and ensure that the information is transmitted and stored as securely as possible.
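To make these minimum standards concrete, here is an added example (not code from the original post or from WP29) of a small export builder. It assumes a constructed user record in which each field is tagged with its origin, treats "provided" and "observed" data as portable, excludes credentials and inferred data by name only, attaches per-field metadata, and refuses to release the export unless the requester's verified identity matches the data subject.

```python
import json
from datetime import datetime, timezone

# Constructed sample record (hypothetical): every field is tagged with how the
# controller came to hold it. "provided" = entered by the user, "observed" =
# generated by the user's activity, "inferred" = derived by the controller
# (outside the scope of portability), "credential" = secret, never exported.
USER_RECORD = {
    "email":          {"origin": "provided",   "value": "alice@example.com"},
    "display_name":   {"origin": "provided",   "value": "Alice"},
    "password_hash":  {"origin": "credential", "value": "$2b$12$constructed-placeholder"},
    "login_history":  {"origin": "observed",   "unit": "ISO 8601 UTC timestamp",
                       "value": ["2017-01-03T09:12:00Z", "2017-01-04T18:40:00Z"]},
    "churn_risk":     {"origin": "inferred",   "value": 0.82},
}

# Only data the individual provided or generated by their activity is portable.
PORTABLE_ORIGINS = {"provided", "observed"}


def build_portability_export(record, subject_id, verified_subject_id):
    """Build a structured, machine-readable export for one data subject.

    Raises PermissionError if the verified identity of the requester does not
    match the subject whose record is being exported.
    """
    if subject_id != verified_subject_id:
        raise PermissionError("export may only be released to the verified data subject")
    data, metadata, excluded = {}, {}, []
    for field, entry in record.items():
        if entry["origin"] in PORTABLE_ORIGINS:
            data[field] = entry["value"]
            # Metadata preserves the meaning of each field for the receiving controller.
            metadata[field] = {"origin": entry["origin"],
                               "type": type(entry["value"]).__name__,
                               "unit": entry.get("unit", "n/a")}
        else:
            excluded.append(field)  # record the name only, never the value
    return {
        "subject_id": subject_id,
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "format": "application/json",
        "data": data,
        "metadata": metadata,
        "excluded_fields": sorted(excluded),
    }


def export_as_json(record, subject_id, verified_subject_id):
    """Serialise the export to JSON, the commonly used format assumed here."""
    return json.dumps(build_portability_export(record, subject_id, verified_subject_id), indent=2)
```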
Even with the help of the Guidelines, the new right to data portability remains complex in a number of respects, including third party data and the scope of data that must be provided.
Organisations which expect to receive numerous data portability requests will be keen to receive further clarification from the Information Commissioner’s Office (ICO) as to the extent of their obligations under the GDPR.
Unfortunately, however, data portability is not currently on the ICO's list of upcoming GDPR guidance (see below). It remains to be seen whether national data protection authorities will favour an industry-led approach to data portability compliance and allow industry stakeholders to develop common practices within their own sector.
This blog post was written by Amelia Day, trainee solicitor at White & Black.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.