In an effort to future-proof the European data protection laws, it was the intention of the EU Commission from the outset to implement into the General Data Protection Regulation (GDPR) new instruments that would be fit to deal with the data protection challenges of the digital age. One of the themes running through the GDPR is the strengthening of consumer rights and controls over how their data is processed. These new instruments include inter alia the obligation to notify data breaches, the right to be forgotten, and also the right to data portability. The latter was originally intended to enable users of social networks to take “their data” with them when they decide to change the network provider. In the pre-final version of the GDPR, which was agreed by the Trilogue parties on 15 December 2015, a general right to data portability has actually been included; however, questions remain as to the exact scope and impact of this right – it might be much more far-reaching than expected. One reason for this is that, while data including personal user data is an ever more important competitive factor, there is as yet no coherent concept of ownership in data. Therefore, it will be crucial for businesses, in particular those with data-driven business models, to ensure that data transmissions under the right to data portability are not too far-reaching. Otherwise, they might be forced to disclose business secrets and unduly weaken their competitive position.*
1. The Right to Data Portability in Art. 18 GDPR
Article 18 GDPR provides for the right of the data subject “to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured and commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided […].”
This right is only granted, however, where the processing has either been based on the consent of the individual or where the processing is necessary for the performance of a contract to which the data subject is party. It should not apply where processing is based on a legal ground other than consent or contract. By its very nature this right should not be exercised against controllers processing data in the exercise of their public duties. It should therefore in particular not apply where processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller.
Where, in a certain set of personal data, more than one data subject is concerned, the right to receive the data should be without prejudice to the rights of other data subjects.
The data subject shall also be entitled to demand that the data is transmitted directly from the actual controller to the replacement controller where technically feasible.
2. Underlying aim
As per Recital 55 of the GDPR, it was the intention of the lawmaker to further strengthen the data subjects’ control over their own data. It is therefore somewhat surprising that the right to data portability has been included in the GDPR, because control over and ownership of data are by their nature less privacy-related issues. The instrument is intended to address the so-called ‘lock-in effect’ which might e.g. exist in social networks. The phenomenon is described as a potential imbalance between the users of social networks (and possibly other businesses) and their operators, which might prevent the users from switching to another operator. The provision is therefore one of competition law rather than of data protection law. A link to the individual’s right to privacy might exist, however, if such an imbalance creates a situation where the user is given the choice between accepting new and unnecessary data processing activities and abandoning the effort they have already put into providing masses of data to the provider (e.g. in the form of a social network profile). Accordingly, the right to data portability is intended to prevent a data controller from using such a lock-in effect for the purpose of applying unfair data processing practices.
3. Implications for businesses
The implications that the right to data portability might have for online businesses cannot be overestimated. As shown in more detail below, Art. 18 of the GDPR is formulated in a very general way. It is therefore crucial for those businesses that they themselves, the data protection authorities as well as any competent courts adopt a careful approach that does not lose sight of the competitive implications and restricts the application to situations where this is required to protect the individual’s right to privacy. In detail:
- Concerned businesses: The reference to the term “controller” in Art. 18 GDPR makes it clear that the right to data portability does not apply to so-called data processors, i.e. entities which process personal data only on behalf of others. In most cases, cloud service providers and other IT service providers are operating as data processors, so that they would not be directly affected by this requirement. Of course, they might be affected indirectly when the respective data controller who is faced with a data transmission request requires its provider acting as a processor to facilitate this transmission. It seems advisable for data processors to adapt their standard processing terms accordingly to clearly define their obligations in case of a data portability request.
It is also very important to note that while the right to data portability has mainly been discussed with respect to social networks, the scope of the provision is not in any way limited to these or other types of data controllers. Accordingly, any type of business which collects data from individuals might generally be caught by this provision. This is particularly unfortunate because the described lock-in effect will most likely only occur in certain business models, but not generally with respect to every data controller.
- Concerned data processing activities: Data portability can only be requested with respect to processing activities based on consent or a contractual relationship with the data subject. This means that no data needs to be transmitted in case the processing is based on other grounds, e.g. when based on a balancing of interests according to Sec. 6 (1) lit. f GDPR. While it is generally positive that the right to data portability is restricted in this way, it is not clear how to handle situations where the processing of data on a respective individual is based on several grounds at the same time. This is a common scenario. For example, while some data provided in a contractual relationship might be clearly necessary for the performance of the contract, other data is arguably not necessary but may still be processed on the basis of a balancing of interests. An example could be customer data profiles created by e-businesses; another example is employee datasets – in very many cases these contain a mixture of data based on either consent, the employment agreement or justified interests of the employer. Therefore, when faced with a data transmission request, data controllers should carefully check the grounds for processing of the respective data.
- Concerned data: The right to data portability shall only apply to data which the individual “has provided” to the controller. It is not fully clear which type of data this covers. It seems appropriate to adopt a restrictive approach in this regard and include only content data, i.e. data that is provided as content to certain types of online businesses (e.g. the data provided to the individual’s own profile on a social network). Otherwise, the obligation to transmit “provided information” might be far too broad – because no lock-in effect occurs – and could, from the mere wording of the provision, possibly even stretch to job applications sent to prospective employers, order forms sent to e-commerce stores, etc.
In the absence of a more specific definition, businesses should be very careful in assessing which data they are actually obliged to transmit. Depending on the exact scope of covered data, further costs might arise because a special technical setup could be required for a partial export and transmission of data.
- Restrictions and exceptions: The right to data portability does not provide for specific exceptions. Therefore, controllers may not rely e.g. on a balancing of interests test in order to reject the data subject’s request to transmit the data he provided. On the other hand, the requested data might either have a substantial economic value or entail important business secrets, so that transmission of the data could be detrimental to the company. The controller’s only option in such cases seems to be to rely on “inherent restrictions” of the right to data portability, i.e. regarding the concerned businesses, data and data processing activities as explained above.
- Technical feasibility: The data subject’s right to transmit or receive personal data concerning him or her does not create an obligation for the controller to adopt a certain technical set-up of its data processing system. However, the data subject shall be entitled to a transmission of the data to the new controller “without hindrance from the controller” and to a direct transfer to a new controller “where technically feasible”. It is unclear in which cases such technical feasibility or an unjustified hindrance would exist. It seems likely that this assessment takes into account not only the specific technical set-up of the controller but also market standards. As a matter of fact, therefore, the controller might be forced to make certain investments in adjusting its IT systems in order to meet the requirements and allow for a smooth and secure data transmission.
- Erasure and further retention of the data: Finally, the right to data portability should not prejudice the right of the data subject to obtain the erasure of personal data. Just as important for businesses, it should also not imply the erasure of personal data which is still necessary for the performance of the contract for which it has been provided. Therefore, companies that are faced with data transmission requests in the future should carefully assess whether statutory obligations require a further retention of the data.
The global digital economy is underpinned by data, and the GDPR means that compliance issues associated with the use of data will need to be a core element of all personal data-based business operations. In this context, the right to data portability will also need to be respected. On the other hand, the transmission of customer data to competitors – as required by this provision – has much wider implications than just for the privacy rights of the individual concerned. Businesses should therefore very carefully assess their future obligations under this provision in order not to unduly disclose business secrets or weaken their competitive position. Given the penalties for getting it wrong, this looks like an extremely challenging task.
* First published in E-Commerce Law & Policy 2016, issue 2