GDPR Right to Portability
Article 20 of the GDPR provides the right of data portability. That is, if you’ve got some data on me, then I’m allowed access to it.
But that’s not all. Portability is about providing your data to you and anyone else you choose, in a format that you can understand and that someone else can import automatically. Whilst this is a pain for may organisations, it will be a huge opportunity for some companies and a welcome feature for us data subjects.
In some regulated industries, such as health care, there is already the concept of requesting access to your data and at some point in the following year, maybe receiving it. GDPR changes this radically, and here’s a summary of the new rights to portability:
- Data Subjects can request a copy of the personal data held on them, for free. (You can now only charge for these requests if you can demonstrate they are vexatious, overly repetitive or overtly costly.)
- The Data has to be provided in a format that the requestor can easily understand and that another controller could easily import, e.g. list of emails as separate email files rather than one big pdf document, or a contact list in csv file.
- The data controller must send the data to a 3rd party controller (e.g. competitor) if requested to do so by the data subject “without hindrance”. (Akin to asking your bank to handle the switching of a current account to a competitor. Banks are very much already ahead of the game when it comes to portability.)
- Controllers should offer different tools for data portability, e.g. direct download tools for the data subject and automated transfer tools for transmitting the data to another controller.
- Controllers are not responsible for protecting the data that has been received by the data subject or a third party controller.
- The right cannot infringe others’ rights, e.g providing someone else’s personal data that touches yours.
- Only personal data is in scope for a portability request. Any data that is anonymous or doesn’t concern the subject is not in scope. Pseudonymised data is in scope.
- The right applies to data “provided by the data subject”, as opposed to “inferred data” and “derived data” which are data generated by the service provider such as algorithmic results.
- Supermarket clubcard holder requests the records of all of their transaction history to import into their new preferred supermarket account. Only the details that the new controller needs for the purpose specified by the data subject should be imported and used, e.g. new controller shouldn’t import unnecessary details and then use those for other purposes such as marketing.
Imagine you’re a small streaming media provider. You offer the same services as the big competitors but struggle to pull customers away from their “sticky” service of play history and playlists. The Right to Portability offers these smaller operators an opportunity to provide a simple “import your Spotify playlist” or “transfer your account to us” facility and acquire new customers. The Right to Portability helps level the playing field in many industries, offering an opportunity and a challenge for many businesses.
See the WP29 guidance on the Right to Portability here.