The upcoming European General Data Protection Regulation enhances existing individual rights by creating a new right to data portability. That right requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject requests it. To better understand the requirements, especially how to operationalize and implement them, Alibaba Cloud engaged Carnegie Mellon University’s Capstone Project in the Privacy Engineering program to sponsor research that focused on data portability in the cloud under the GDPR.
The IAPP-EY Privacy Governance Survey 2017 indicated that fulfilling the right to data portability was the top-ranked challenge for GDPR compliance. Anuj Shah, CIPT, project team member and student at Carnegie Mellon University, said, “It’s easy to understand why — data-driven enterprises already find data management to be a formidable task, especially when their systems are distributed across the cloud infrastructure.”
Adding to the challenge is the fact that the European Commission and the Article 29 Working Party have expressed conflicting opinions about which personal data fall under Article 20 obligations.
“Given the pressing need for a path forward, we investigated how this right translates to the operations of cloud service providers in their roles as both controllers and processors,” Shah said. “Since controllers bear the majority of responsibility for GDPR compliance and the protection of data-subject rights, they also have specific portability obligations depending on whether they are the sending or receiving party. While Article 20 does not require controllers to maintain fully compatible formats purely to enable data portability, it does encourage the development of interoperability standards. ... For processors, they are required to assist controllers in their fulfillment of data subject rights, even though processors are not explicitly mentioned in GDPR Article 20.”
The team further researched and identified technical solutions that cloud service providers can leverage to support data portability for their customers. For example, access to commonly used and easy-to-store file formats through a usable web interface would be most appropriate for a data subject who wants to receive data directly. Additionally, the team found transmission to another controller would be best achieved via industry-wide standard migration protocols, which would tolerate data loss.
With intensive research and testing of different cloud service models (SaaS, PaaS, IaaS) and platforms, the project team demonstrated technical approaches to GDPR compliance through hypothetical use-cases that are easy to understand and relate to.
Yunfan Wang, project team member and student at CMU, said, “To comply with Article 20 under the GDPR, we recommend data controllers and data processors apply a metadata-driven solution to determine which personal data must be ported. This solution would be easy to implement because it is a minor extension beyond existing metadata systems. It uses various metadata tags to track the identifiability of a dataset, which in turn informs the controller's decision of what falls under portability obligations. The solution is flexible to different interpretations of the GDPR and could similarly assist with satisfying the requirements of other data privacy regulations.”
The report recommends that “if cloud providers want to continue providing competitive products to both their individual and corporate clients, they must consider how the right to data portability translates to their operations as controllers and processors. Their compliance solutions must also remain flexible.”
The recommendations are based on careful consideration of how the recipient of data from a portability request, the cloud service level, and one's interpretation of the GDPR determine the appropriate portability solution. Most importantly, the recommendations rely on existing technical methods and build upon precedent in the marketplace, meaning that a compliance program for GDPR Article 20 is well within reach.
Professor Norman Sadeh, CIPT, co-director of CMU’s master’s program in privacy engineering, who served as faculty advisor on the project, said, “This year, three of our capstone projects in the privacy engineering program revolved around GDPR. Given the unique training that our students receive in both technology and policy, these types of projects are a perfect fit for our program. The project with Alibaba Cloud enabled our students to apply their unique skill sets and showcase their creativity in using technology to support some of the challenging new requirements associated with GDPR.”
The privacy engineering program is proving to be essential as worldwide privacy practices are impacted by regulation changes and users' increased awareness. Privacy engineers are the key to bridging the regulation requirements with business operations. A copy of the research report can be downloaded here.