The General Data Protection Regulation (GDPR) n°2016/679 will be applicable May 25th, 2018 and introduces, for the first time, the right to data portability within the European Union (EU) on a large scale.
Article 20 of the GDPR defines the right to data portability as the data subject’s “right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance”.
In short, the data subject has the right to receive or transfer his or her personal data. It facilitates the data subject’s ability to move, copy or transfer personal data easily from one IT environment to another. It also allows data controllers to share personal data between one another in a safe and secure manner.
It must be stressed that the right to data portability does not hinder the data subject’s other rights. He or she may still exercise his or her right to object, request the suppression of his or her data or exercise his or her right of rectification regarding his or her personal data.
In contrast, the United-States does not have a comprehensive federal law regulating the collection and use of personal data. Instead, it has a patchwork of federal and state laws and regulations which may overlap, contradict or supplement each other. It regulates personal data on a sector-by-sector basis. The same goes for the right to data portability. Indeed, most privacy laws, namely the Federal Trade Commission Act (15 U.S.C. §§41-58), do not provide data subjects with a specific right to access their personal data. However, some acts do grant data subjects rights similar to the right to data portability in the EU.
Under what conditions does Article 20 apply ?
Four cumulative and specific conditions must be met for a data subject to invoke his right to data portability :
- The personal data requested concerns the data subject making the request
Personal data is “any information relating to an identified or identifiable natural person (…) either directly or indirectly” (article 4, 1° of the GDPR). Thus, the personal data requested must directly or indirectly identify the data subject making the request. This includes pseudonymous data according to the Guidelines on the right to data portability released by the Working Party (WP29) on April 5th, 2017.
Third party data may be processed with the data subject’s data and be too intertwined to separate them. This will be the case with telephone records in which third parties’ incoming and outgoing calls are part of the data subject’s account history as a subscriber. The WP29 states that such a situation should not obstruct the exercise of the right to data portability but cautions the new data controller that the third-party data should not be processed for any purpose which would adversely affect his or her rights and freedoms.
However, anonymous data is not subject to the right to data portability.
- The data subject provided the personal data requested
Such data can be actively and knowingly provided. For example, the data subject gives his or her mailing address and other information by submitting an online form. The WP29 considers that “provided by” also results from the observation of the data subject’s activity as a user. This would be the case for raw data processed by connected objects, location data or the data subject’s search history.
Nonetheless, according to the WP29, personal data cannot be considered as provided by the data subject if it is the result of a subsequent analysis or action of the data controller or if the latter creates it. This will namely be the case of the assignment of a credit score seeing as the data controller compiles the data given by the data subject to create an independent profile of that subject.
- The personal data requested are processed by automatic means and the processing is based on consent or a contract
This condition excludes paper files and limits the applicability of the right to data portability.
Moreover, the data subject requesting his or her personal data must have consented to the processing of such data (article 4, 11° of the GDPR) or been a party to a contract under which the processing was necessary (article 6 of the GDPR). These requirements aim at ensuring that the processing of personal data is lawful.
If the data is processed for any other reason than the grounds stated above, the right to data portability does not apply. For example, the WP29 states that financial institutions processing data as part of their obligation to prevent and detect money laundering and other financial crimes are not required to answer to a data portability request.
- The exercise of the right to data portability should not adversely affect the rights and freedoms of third parties
If a comparison were to be made with the United-States, the Health Insurance Portability and Accountability Act (HIPAA) offers a similar right to data portability. Under this Act, a data subject has the right to request access and make corrections to his own protected health information (45 C.F.R.164.524 a) and b). However, this Act is limited to personally identifiable health information and has many exemptions such as non-disclosure for law enforcement purposes. The Act does also not apply to some educational and employment records.
Practical implications of the right to data portability
Data controllers must make major adjustments to ensure that they will be able to answer data portability requests within the next year.
Other entities, whether or not established in the European Union, which process the personal data of European citizens should take into consideration the right to data portability.