Data portability is a key feature of GDPR. In our previous article we provided an overview of what GDPR is. In this second article, we discuss the concept of ‘data portability’ in the context of GDPR. Just to recap, the General Data Protection Regulation will apply from May 2018. Whilst most organisations will be treating GDPR as a compliance exercise, forward thinking organisations will be viewing GDPR as a journey and will appreciate the longer term implications and potential business model impact. In this regard, the concept of ‘data portability’ is a particularly important concept to note. However, the right to data portability remains complicated issue. In Dec 2016, the Article 29 Working Party, an advisory body made up of national data protection officers from across the EU Member States published guidelines and FAQs on how data portability will work in practice. Here is a summary of some of the topics discussed.
What is Data Portability?
In essence, GDPR says that data subjects (see our previous article for an overview of what data subject are) have the right to obtain and reuse “their” data for their own purposes and across different services. In practice, this means that data controllers need to provide functionality that enables the data subject to move, copy or transfer personal data easily from one IT environment to another, without hindrance.The GDPR defines the right of data portability in Article 20 (1) as follows:
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided [...]”
What is the objective of Data Portability?
One of the key objectives of data portability is to prevent “lock-in” and empower consumers to switch service providers, leading to socio economic benefits that arise through greater competition. Moreover, API driven sharing of personal data between data controllers is expected to lead to have a profound market impact in terms of innovation and creation of new market opportunities for various stakeholders.
Exactly what kind of data will a data subject have rights over?
The new right applies only to data processed by automatic means and does not therefore include paper files. Personal data requested should also concern the data subject and be provided by him. This latter point is important. GDPR makes a distinction between three types of personal data. In the below list, 'A' and 'B' would both be in scope of the right to data portability. Type 'C' on the other hand would be out of scope.
(a) Data that has been knowingly and actively “provided by” the data subject can be considered as provided by the data subject. This includes data typically submitted via online form such as:
- User name
(b) Data generated by and collected from the activities of users. Example here would include:
- Titles of books purchased by an individual from an online bookstore
- Songs listened to or play lists created via a music streaming service
- Bank transaction history
- Photos and comments posted on social media sites
(c) By contrast, personal data that are derived or inferred from the data provided by the data subject are excluded from the scope of the right to data portability. Inferred data and derived data are created by the data controller based on the data “provided by the data subject”. Typical examples of inferred data would include:
- Preference and behavioural profiles derived from analysing what an individual views or shares on social media
- Smart phone derived location based data
- Marketing classifications around lifestyle preferences inferred and derived depending on what a user searched, read, watched or bought.
- Data derived from an individual’s smart phone location
- Credit score inferred and derived from multiple data sources
How will data portability work in practice?
There are 3 ways for a data subject to exercise their right to data portability:
- First, data controllers should offer a direct download opportunity for the data subject that is supplied “in a structured, commonly used and machine- readable format” (ie: XLS or CSV file formats).
- Second, data controllers should offer the ability to directly transmit data directly to another data controller typically via API.
- Third, data subjects may also make use of a personal data store, a trusted third party, to hold and store the personal data and grant permission to data controllers to access and process the personal data as required. This option has potentially far reaching impact.
Won't data portability rights potentially impact company business models?
GDPR text does to some extent acknowledge the potential impact of data portability on businesses. In Recital 63 says that:
“the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software….”
However, the situation remains complicated and privacy professionals are seeking further clarification from the EU's Information Commissioner’s Office (ICO) on this and other points. In particular, the reality of data portability in practice will differ from industry to industry and it remains to be seen if national data protection authorities seek to apply the same practices across all industries or allow a more industry-led approach to data portability compliance to emerge in which industry stakeholders develop common practices within their own sector.
What about personal data stores?
The UKs ICO has recently published version 2 of its paper on big data and discusses the concept of personal data stores as a potential solution for GDPR data portability compliance - especially in the emerging era of big data, machine learning and IoT. Its says:
It has been suggested that one way to increase an individual’s control over the use of their data is through what are usually called personal data stores, or sometimes personal information management services. These are third-party services that hold people’s personal data on their behalf and make it available to organisations as and when the individuals wish to do so.
This is, it acknowledges, a early stage and developing area but it does provide a idea of what data portability may evolve into over the next decade. Essentially, systems that allow consumers to store their personal data, set 'fine-grained' privacy preferences and control how and when organisations have access to their personal data. Data storage systems may ultimately enable consumers to charge organisations for access to their personal data and in such create entirely new markets and revenue streams. It is quite feasible for these markets to start ti unfold over the next 5 years and forward thinking organisations would be wise to start evaluating their business strategy in this regard.