Enforcing Art.20 GDPR: Data Portability is the new take-away

0

The new General Data Protection Regulation[1](GDPR) of April 2016, in order “to further strengthen consumer control over his or her own data”[2], introduces the so called right to data portability.

In particular, according to Art. 20 of the Regulation, “the data subject shall have the right to receive the personal data concerning him or her which he or she has provided to a controller, in a structured commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided”.

 The right is granted for two principal reasons.

On one side,  the policy objective pursued consists in the” promotion of the individual’s control of their personal data and of their trust in the digital environment” On the other, as clarified by Joaquin Alumnia in his 2012 speech[3]“in a competitive market (…) portability of data is important for those markets where effective competition requires that customers can switch by taking their own data with them”[4]

However, as always when coming to intangible assets, it is difficult to understand what is the actual scope of Art. 20 and, more specifically, to provide a concrete definition of what portability of data means.

In fact, although representing extremely valuable pieces of information, personal data are intangible assets, difficult to define and even more difficult to be tracked.

So, what data portability actually  mean?

Imagine data as food. [5]

Personal data constitutes sensitive information So, imagine them as your tasty, awaited Sunday meal.

By allowing the transfer of data to the subject and then to a different controller, data portability is the new take-away.

Put simply, in its first step, this right is structured in the same way of any other delivery service. The client (“data subject”) places an order (“asks to receive his personal data”) and the delivery service  (“data controller”) provides him with his delicious sushi set (“personal data”), served in a lovely and appealing box (“in a structured, commonly used and machine-readable format”).

Nevertheless, the actual release of the above-mentioned sushi box, will be subject to three different conditions.

First: the customer request has to be made by “automatic means” (let’s say through the Deliveroo application); second the process has to be based on consent (yet to establish if yours or your girlfriend’s); third: it does not have to adversely affect the rights and freedoms of others. In particular, in this respect, the Guidelines[6] on the right to Data Portability refer to situations where ” final records include the data concerning multiple people”, requiring a balance to be made between the interests of the different stakeholders.

In other words, make sure not to finish your girlfriend’s sashimi.

What explained, anyway, only constitutes the first bit of the new right to data portability and does not explain its second aspect, consisting in “the right to obtain the transfer of these data to a new controller”.

Thus, forget Deliveroo and your sushi box for a moment (no point of transferring it to someone else) and go back to personal data.

The main novelty of the discipline is that the data subject not only has the right of obtaining his personal data in a structured format but also to transfer them (or to having them transferred) to a different controller[7].

This provision, however,  at least in its first more disruptive[8] draft has been largely criticised [9]by the doctrinein so far as, by imposing the same duties both to “ a start up in a garage and a large software company” it would contradict the basis of antitrust law[10] and, in this way, it would threaten and even reduce consumer welfare.

Nevertheless, it has been pointed out, these critiques do not apply to the final draft of the Article anymore which, due to its more flexible nature[11], easily falls free of any of these issues.

It could be argued, instead, that the new text,  rather than the previous one, by representing a compromise, eventually fails to address its original purpose.[12]

Implementation will take time and it is too early to draw conclusions at the moment. As Alumnia pointed out in his speech[13] “Whether this is a matter for regulation or competition policy, only time will tell”.

Meanwhile, a positive reflection on experiences which are similar [14]to data portability could offer, de iure condendo, the opportunity for the adoption of a more effective implementation of the latter.

In this sense, positive thought and active debate represent the principal tools for this purpose.

In other words, as somebody would say, “stay hungry”.

Always.

 


[1] General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

[2] Recital 68 of General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

[3] Vice President of the European Commission Responsible for Competition Policy speech taking place during the “Privacy Platform event: Competition and Privacy in Markets of Data(Brussels)” 26 November 2012 (hereinafter “Alumnia speech”).

[4] Ibid.

[5] The comparison between personal data and food, however, rather than assimilating under the same heading two situations whose juridical nature is undeniably different,  aims at evaluating (a) the transferability of the content, in its general terms (b) its “packaged/structured” format and (c) the intervention of a third party in the process.

[6] Art. 29 Data Protection Working Party Guidelines on the Right of Data Portability adopted on 13 December 2016.

[7] In particular, “Subscribers should be able to have those rights provided to them in response to data portability request but new controller cannot use them for his own purpose”.

[8] Proposal of Regulation on Data Protection Brussels, 25.1.2012 COM(2012)11 final 2012/0011 (COD) 2012/0011 (COD) .

[9] Swire P Lagos Y Why The Right To Data Portability Likely Reduces Consumer Welfare: Antitrust And Privacy Critique.

[10] Art 102 TFEU requiring the proof of a dominant position and of its abuse.

[11] Art. 20.2, providing for the controller the duty of “direct transfer of data to the second controller only if it is technical feasible”.

[12] Graef I., Verschakelen J. & Valcke P Putting the right to data portability into a competition law perspective.

[13] Alumnia speech.

[14] See Directive 2002/22/EC introducing Mobile Number Portability.

 

Share this article!

Share.

About Author

Federica Pezza is a trainee lawyer, specialising in EU and IP law, currently working for the legal department of British American Tobacco(BAT) in London. After graduating at University Federico II of Naples in 2015 with a comparative dissertation in EU law, focusing on Copyright developments in Italy and France, Federica recently completed an LLM in Intellectual Property Law with a Distinction at Queen Mary University of London. Before joining the trademark department of BAT, she gained experience in the law tech area by working in a law tech London based start-up. Federica is a registered journalist in Italy and a French and English speaker.

Leave A Reply