The right to data portability means to provide individuals with the right to receive personal data which they have provided to a controller in a structured and machine-readable format. It can be said as one of the most important introductions within the EU General Data Protection Regulation (GDPR) both in terms of warranting control rights to data subjects and in terms of being found at the intersection between data protection and other fields of law. The right to data portability can be applied under two circumstances:
- When the lawful basis for processing the information is either consent or for the performance of a contract
- When an individual is carrying out the processing by automated means (i.e. excluding paper files).
The new version of Article 20, GDPR describes the right to data portability as mentioned below
1| The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.
2| In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3| The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to process necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4| The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
In a recent conference, the Future Of Privacy Forum (FPF) discussed the limits and benefits of the right to data portability as introduced by the GDPR. Introduction to data portability can be said as one of the greatest innovations by GDPR where one should be able to transfer his/her personal data between participants in the market.
Limitations Of Right To Portability
The right to data portability only covers personal data which is basically “provided” by the person to an organisation. The data which is not protected is the data that are the byproducts of services such as when a data controller uses an algorithm and processes data including inferences from data. The development manager of Microsoft who was in the panel discussion pointed out that there are three difficulties with data portability in practice:
- Syntactic (is the data an integer, string, floating, or something else?)
- Semantic (for example, if data references a “Jaguar” is it discussing a car or an animal)
- Policy-related (how does it interact with existing regulations and contractual requirements for these companies).
Security has always been a key concern but it should not be used as an excuse for porting data. According to the panel discussion, ideally, each data controller would have the GDPR already as a starting point of compliance, and as such, it would have applied all protective portions such as transparency, lawfulness, etc.
Watch the full discussion below: