The new General Data Protection Regulation (GDPR) will come into force on 25th May 2018. Whilst it will replaces the UK’s Data Protection Act 1998 (DPA), it still includes the right of the Data Subject to receive a copy of his/her data, to rectify any inaccuracies and to object to direct marketing. It also introduces new rights, one of which is the right to Data Portability.
Article 20 of GDPR allows for Data Subjects to receive their personal data, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller. The aim of this right is to support user choice, user control and consumer empowerment. It will have a big impact on all Data Controllers but particularly data driven organisations such as banks, cloud storage providers, insurance companies and social networking websites. These organisations may find that customers are encouraged to move suppliers, as they will be armed with much more information than they previously had accessed to. This in turn may lead to an increase in competition driving down prices and improving services (so the theory goes; we live in hope!).
When the Right Can Be Exercised
Unlike the subject access right, the Data Portability right does not apply to all personal data held by the Data Controller concerning the Data Subject. Firstly it has to be automated data. Paper files are not included. Secondly the personal data has to be knowingly and actively provided by the Data Subject. For example account data (e.g. mailing address, user name, age) submitted via online forms, but also when they are generated by and collected from the activities of users, by virtue of the use of a service or device.
By contrast personal data that are derived or inferred from the data provided by the Data Subject, such as a user profile created by analysis of raw smart metering data or a website search history, are excluded from the scope of the right to Data Portability, since they are not provided by the Data Subject, but created by the Data Controller.
Thirdly the personal data has to be processed by the Data Controller with the Data Subject’s consent or pursuant to a contract with him/her. Therefore personal data processed by local authorities as part of their public functions (e.g. council tax and housing benefit data) will be excluded from the right to Data Portability.
It is important to not that this right does not require Data Controllers to keep personal data for longer than specified in their retention schedules or privacy polices. Nor is there a requirement to start storing data just to comply with a Data Portability request if received.
Main elements of Data Portability
Article 20(1) gives a Data Subject two rights:
- To receive personal data processed by a Data Controller, and to store it for further personal use on a private device, without transmitting it to another Data Controller.
This is similar to the subject access right. However here the data has to be received “in a structured, commonly used, machine readable format” thus making it easier to analyse and share. It could be used to receive a playlist from a music streaming service, information about online purchases or leisure pass data from a swimming pool.
- A right to transmit personal data from one Data Controller to another Data Controller “without hindrance”
This provides the ability for Data Subjects not just to obtain and reuse their data, but also to transmit it to another service provider e.g. social networking sites and cloud storage providers etc. It facilitates the ability of data subjects to move, copy or transmit personal data easily. In addition it provides consumer empowerment by preventing “lock-in”.
The right to Data Portability is expected to foster opportunities for innovation and sharing of personal data between Data Controllers in a safe and secure manner, under the control of the data subject.
Data Controllers must respond to requests for Data Portability without undue delay, and within one month. This can be extended by two months where the request is complex or a number of requests are received. Data Controllers must inform the individual within one month of receipt of the request and explain why the extension is necessary.
Information is to be provided free of charge save for some exceptions. Refusals must be explained as well as the right to complain to the Information Commissioner’s Office (ICO).
Data Controllers must inform Data Subjects of the right to Data Portability within their Privacy Notice as required by Article 13 and 14 of GDPR. (More on Privacy Notices under GDPR here. See also the ICO’s revised Privacy Notices Code.)
In December 2016, the Article 29 Data Protection Working Party published guidance on Data Portability and a useful FAQ. (Technically these documents are still in draft as comments have been invited until the end of January 2017). It recommends that Data Controllers clearly explain the difference between the types of data that a Data Subject can receive using the portability right or the access right, as well as to provide specific information about the right to Data Portability before any account closure, to enable the Data Subject to retrieve and store his/her personal data.
Subject to technical capabilities, Data controllers should also offer different implementations of the right to Data Portability including a direct download opportunity and allowing Data Subjects to directly transmit the data to another Data Controller.
Impact on the Public Sector
Local authorities and the wider public sector might be forgiven for thinking that the Data Portability right only applies to private sector organisations which processes a lot of personal data based on consent or a contract e.g. banks, marketing companies, leisure service providers, utilities etc. Major data processing operations in local authorities (e.g. for the purposes of housing benefit, council tax etc.) are based on carrying out public functions or statutory duties and so excluded. However a lot of other data operations will still be covered by this right e.g. data held by personnel, accounts and payroll, leisure services and even social services. An important condition is that the Data Subject must have provided the data.
The Government has confirmed that GDPR is here to stay; well beyond the date when the UK finally leaves the European Union. All Data Controllers need to assess now what impact the right to Data Portability will have on their operations. Policies and Procedures need to be put into place now.