Article 20 of the General Data Protection Regulation (Regulation EU 2016/679) (GDPR) gives every data subject “the right to receive the personal data concerning him or her, which he or she has provided to a controller” in an appropriate machine-readable form, so that the data subject can pass his or her personal data to another controller.
The Information Commissioner’s Office (ICO) has already published guidance on the right to portability, in which it states that “the right to portability allows individuals to obtain and re-use their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.”
Whilst some businesses have already put in place solutions akin to the right to data portability, such as the “midata” and other similar initiatives, many organisations have yet to grapple with how to support the right to data portability.
The right to portability only applies:
• To personal data that a data subject has provided to a data controller;
• Where processing of the personal data is based either on the data subject’s consent or for the performance of a contract; and
• When processing is electronic.
Although the Article 29 Data Protection Working Party has yet to produce guidance on how businesses can support the right to data portability, it seems that Article 17 of GDPR does not give portability rights to individuals in respect of any of the following:
• Manual personal data;
• Personal data that has not been provided directly by the data subject to the data controller; or
• Personal data that is needed for processing necessary “for the performance of the task carried out in the public interest or in the exercise of official authority vested in the controller”.
The right of data portability does not appear to be a right of ownership. In other words, even though a data subject has willingly given their personal data to a controller, this does not mean that the data subject owns that personal data. However, one can imagine that social media accounts could be the subject of data portability rights, as could insurance records where an insured wishes to move their business from one insurance company to another.
The requirement that the personal data must be made available in a “structured, commonly used and machine readable form” requires controllers to consider whether or not their current systems are capable of moving personal data to another controller’s IT environment without there being any corruption of, or technical impact on, the quality of the data concerned.
Since the portability right must not incur a financial charge to the data subject, businesses will need to anticipate how to absorb the cost of a data portability request. They will also need to consider what policy needs to be put in place to ensure that, on the one hand, the right can be complied with whilst, on the other hand, the rights and interests of other parties are observed. In addition, controllers need to think about what rights they have to retain use of such personal data even after porting has occurred, on the basis that the right does not appear to be a transfer of ownership of personal data but merely a “licence” to have personal data transferred from one controller to another.
In the same way that subject access requests under GDPR have to be complied with within one month, the advice from the ICO is that a data portability request must also be dealt with without undue delay and within one month at the latest. The one month period may be extended by 2 months where the request is “complex”.
It will be important for businesses to receive appropriate guidance from the Article 29 Data Protection Working Party as they analyse Article 17 in conjunction with other aspects of GDPR, but in the meantime organisations that manage large volumes of personal data will need to focus on how they can support data portability.
Robert Bond, November 2016
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.