TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Data portability in the EU: An obscure data subject right Related reading: European Commission, experts uneasy over WP29 data portability interpretation

rss_feed

""

GDPR-Ready_300x250-Ad

The EU General Data Protection Regulation aims to empower individuals and give them "control" over their personal data. To do this, data subjects have been granted various rights, including the right to data portability, which did not exist under the Data Protection Directive. Contrary to the well-known access right, data portability allows data subjects to obtain and reuse their personal data, at least in theory.

In January 2022, we asked data protection expert lawyers in our Lex Mundi Network in all 27 EU jurisdictions whether there have been any notable developments regarding the right to data portability, such as supervisory enforcement or case law. Their feedback shows very few developments; most jurisdictions reported none at all. Data portability rarely ever seems to be used by data subjects — let alone debated before a court. This is in stark contrast with the access right, which data subjects have frequently relied on under the Data Protection Directive and the GDPR, resulting in a broad catalog of jurisprudence, including by the European Court of Justice. 

Purpose of data portability under the GDPR

Data portability allows data subjects to receive the personal data they provided to the controller. The controller must respond by providing data in a structured, commonly used and machine-readable format and allow for it to be transmitted to another controller without hindrance. Article 20(1) of the GDPR reads:

"The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  1. the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
  2. the processing is carried out by automated means."

The EU co-legislators objective was to allow data subjects to move "their" data around in the field of social network and cloud storage. It would enable them to easily transfer their personal data from one online service provider to another, thereby preventing vendor lock-in. Therefore, the right to data portability aims to facilitate switching between different service providers, which was also acknowledged in the guidelines of the Working Party 29 (as endorsed by the European Data Protection Board). The right is focused mainly on consumer services in the digital economy, like personal drop boxes or social media. 

How to interpret data portability under the GDPR?

Article 20 of the GDPR is limited in scope compared to Article 15's access right in terms of the personal data that it covers. It only covers personal data provided by the data subject to a controller, by their consent or in the context of a contract, which is processed in an automated manner. However, what precisely falls within the scope of "data provided by the data subject" has been a subject of discussion. 

In 2016, the WP29 broadly interpreted the right to data portability, covering personal data provided knowingly and actively by data subjects and personal data generated by their activity. This includes "observed data" and raw data, which WP29 deems to be "provided by" data subjects when using the service or the device. After criticism from European Commission Vice President for Values and Transparency Vera Jourová, the WP29 updated its guidelines (more information on Jourová's comments to the WP29's guidance can be found here).

Finally, the WP29 revised guidelines (April 2017) essentially remained the same on the controversial topic of "provided by." Therefore, the WP29 seems to uphold an interpretation that differs from the European Commission, which is quite remarkable in our view. This triggered us to assess how courts in the various member states interpret the scope.

Developments across the EU

We learned several interesting things from our informal survey. For example, the Lithuanian supervisory authority views that if data subjects want to change between financial institutions, they should be able to transfer their payment account, including bank history and all transactions made with their account. According to the Dutch supervisory authority and Slovenian supervisory authority, songs listened to via a streaming service fall within the scope of the data portability right. According to the French supervisory authority, it is possible to obtain one's purchase history under the same right.

It is worth noting another interesting finding: Spanish law provides for a right to content portability on content that users post on social media network services or equivalent services, in addition to the GDPR. On the one hand, this right is broader than the right to data portability under the GDPR, as it covers personal data and refers to all "content" provided by a user. On the other hand, it is narrower, as it can only be exercised against social media network service providers or equivalent information society services.

Although the vague scope of data portability should be expected to give rise to discussion, we learned from our survey that there is little to no relevant case law about data portability. We conclude that one of the most relevant cases is the case we have advising on ourselves in the Netherlands: the Ola Cabs case.

The Netherlands: Uber and Ola Cabs

In the Netherlands, there have so far been two relevant judgments by the Amsterdam court in cases brought by taxi "app drivers" against Uber and Ola Cabs. They requested to receive their data based on Article 20. The court assesses the format in which the data would have to be provided; the drivers requested to receive data specifically by means of an API or a CSV file. The court interpreted the term "machine-readable" by referring to Directive 2013/37/EU on the reuse of public sector information and concluded that "machine-readable" does not necessarily require a controller to provide data by means of an API or a CSV file. The judgments are available here and here (in Dutch). The requests were rejected because the data subjects failed to explain why the data they had already been provided with would nevertheless entitle them to additional (machine-readable) personal data — and if so, what data that would be. The drivers have appealed the decisions.

While these cases do not clarify the scope of data portability, i.e., the "provided by" aspect of it, they provide some additional practical guidance as to the format that a data subject can reasonably request to obtain.

The problem with data portability and its future

The question we have is: where is data portability headed? We believe the scope of "data provided by the data subject" should not be interpreted broadly, considering the background of data portability and the legislators' intentions. A broad interpretation, although arguably more "useful" for data subjects, is not justified by the wording of Article 20, which is clearly limited to personal data "provided by" the data subject. If the data portability right were interpreted as broadly as the WP29 (currently EDPB) suggests, it would not be in line with what the GDPR drafters had in mind. It would also become broader in scope than Article 15's access right, while Jourová reiterated in her letter that "there was an understanding that the reach is limited compared to that of Article 15."

Regardless of its interpretation (broad or strict), the actual problem with data portability in its current form appears to be that it does not seem very useful or popular among data subjects, which we believe is evidenced by the lack of case law. Article 20 essentially provides for a limited data portability right. It entitles data subjects to get back any personal data they provided to a data controller. In this context, the complication lies in '"personal data," which refers to the requestors' personal data — where only they are entitled to exercise their own rights. 

We question whether data portability can play any serious role in enabling consumers to take out data from a service they use and upload it into another, as the European Commission intended. In many cases, the data they may have uploaded or provided may not consist entirely of their personal data; certainly not only personal data relating to the individual invoking the right (e.g., a photo album including pictures of others, an electronic folder full of various kinds of documents, etc.). Some of the content stored may not qualify as personal data at all.

In its first evaluation of the GDPR (June 2020), the European Commission noticed the limited appetite for data portability. As such, "unlocking the potential" of data portability was one of its priorities. The Commission also observed the difficulties regarding data portability that need to be addressed and stated that it would explore practical means to facilitate its increased use. 

We believe such increased use may be achieved by abolishing data portability in its current form, under the GDPR, and approaching it from a consumer protection perspective — similar to the Spanish content portability right. Perhaps this will be achieved with the European Commission's Data Act proposal, which emphasizes the importance of data portability in products and services to allow users (both consumers and businesses, apparently) to access and obtain any data generated through products and services they use. If enacted, it may potentially make the GDPR's data portability right irrelevant.

Photo by fabio on Unsplash


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

2 Comments

If you want to comment on this post, you need to login.

  • comment Jay Libove • Mar 25, 2022
    I have a complaint pending against WhatsApp for failure to comply with GDPR Article 20 portability provisions; I filed the complaint with the Spanish AEPD in October 2018; it was accepted by the Spanish AEPD and promptly transferred to the Irish DPC in February 2019; much discussion ensued among the DPC, WhatsApp, and myself throughout the following year .. and for over a year now, the Irish DPC has been silent, as has the Spanish AEPD to my requests beginning one year ago for the AEPD to re-take the case on the grounds of administrative inaction by the DPC. (I am a Spanish resident). So, there may be little resolved and published about portability, but that doesn't mean that it doesn't matter, nor that there aren't any cases too-slowly grinding their way through the works of one or more authorities. (The meat of my complaint is that WhatsApp does not permit the Android user to usefully export the entirety of a WhatsApp chat and the media and attachments that have flowed through that chat; WhatsApp will only email a recent few hundred lines of text and dozen or so attachments.)
  • comment Tim Bell • Mar 25, 2022
    I expect the biggest practical barrier to effective data portability is the lack of common formatting between platforms - if the data which is intended to be ported is in the first company's format (and I anticipate it would be), it's likely that data wouldn't be readable by the second company's system if they have any differences in how they store their data. If a common format were created - or at least a common portability-purpose format for standard types of personal data, into which the first company was able to issue the personal data to be ported - that could help make the process more practical, and therefore hopefully the entitlement would be more useful to data subjects.