The European Commission has written to EU privacy regulators to express concern over their interpretation of the data portability clause in the General Data Protection Regulation. 

Specifically, the Commission appears to be worried that the regulators have interpreted too broad a scope for the GDPR's Article 20. The Article 29 Working Party (WP29), the group that represents EU privacy regulators, issued guidelines earlier this month in which it said "the right to data portability covers data provided knowingly and actively by the data subject as well as the personal data generated by his or her activity."

The guidelines went on to specify that this could include "observed data provided by the data subject by virtue of the use of the service or the device," such as the subject's search history, traffic data and location data – and even "raw data such as the heartbeat tracked by a wearable device."

The WP29's guidelines are supposed to harmonize the approaches of regulators across the bloc as they handle complaints about the GDPR's application, once it goes into effect in May 2018.

"We value the work of [WP29] on [the guidelines], but also have certain concerns that the guidelines might go beyond what was agreed by the co-legislators in the legislative process," a Commission spokesperson told The Privacy Advisor. "The scope shouldn't go beyond what was agreed in the trilogues."

The spokesperson would not be drawn on the Commission's specific concerns. However, the issue of "observed data" was one of the most controversial aspects of the draft guidelines that the WP29 issued in December, and it was still there in the revised version that came out on 5 April.

Article 20 itself states that "the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided."

The accompanying Recital 68 explains: "That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract." 

Renate Nikolay, the head of justice commissioner Věra Jourová's cabinet, noted the Commission's scope concerns last week at a Humboldt University Law Clinic in Berlin – although again, according to those at the event, she did not go into specifics.

"I agree that WP29 goes too far," said internet lawyer Niko Härting, who spoke with Nikolay at the event. "As Renate Nikolay also explained, data portability is a concept that is focussed primarily on social networks. An interpretation that includes observed data goes far beyond the wording of the GDPR."

Carlo Piltz, a lawyer with Reuschlaw who was also at the Berlin event, said he too thought that the WP29 was wrong to include observed data within the GDPR's scope. "Even the [WP29] in its draft opinion assumes that the data must 'be knowingly and actively "provided by" the data subject' (page 9 of the draft opinion), but in the next sentence seems to drop these requirements," Piltz said via email. "If you stick to the mere wording of the text of the GDPR, it says 'provided'. The interpretation of the [WP29], to also include 'data that are observed from the activities of users', is literally the opposite of 'provided by.'

"Furthermore, one has to keep in mind that violations of Art. 20 GDPR are threatened with administrative fines of up to €20 million, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover," Piltz added. "It is a fundamental legal principle (principle of legal certainty) that as a possible addressee of administrative fines or sanctions, one has to know in advance which activities are allowed and which aren't. By this broad interpretation of Art. 20 GDPR, the [WP29] undermines this legal principle."

The WP29's guidelines insist that "the term 'provided by the data subject' must be interpreted broadly" in order to meet the policy objectives of the right to data portability. In a footnote, the guidelines suggest that this will also help data subjects get "a better view" of the scope of the data that the controller is observing. "[The subject will then] be in a better situation to choose what data he or she is willing to provide to get a similar service, and be aware of the extent to which his or her right to privacy is respected," the footnote explains.

However, the group was clear that the right should not cover data that has then been inferred by the data controller. The heartbeat falls under the scope of the data portability clause, but the resulting health profile does not.

The WP29's guidelines also suggest that data processors might have to be involved in answering data portability requests, even though the GDPR itself only talks about controllers in this regard.  
