EU Privacy Reg Data Portability May Affect Controllers


By Stephen Gardner

March 23 — The data portability right included in the European Union General Data Protection Regulation (GDPR) may significantly alter the relationship between data subjects and data controllers by making it possible for individuals to manage their data as a single set of information across different platforms.

For example, the right might enable data subjects to take their transaction histories with them when they switch to a new bank, or employees to carry their employment records when they move to a new job, even if that new job is in another country.

The overall effect may be to weaken the hold data controllers have over personal data, and to force controllers to work with one another, even in cases in which some controllers might lose out, industry professionals and attorneys told Bloomberg BNA.

The data portability right, set out in Article 18 of the GDPR, is “one of the most controversial aspects of the regulation,” according to Sarah Pearce, a partner at Cooley LLP in London, who specializes in technology-related transactions and other information technology matters.

Companies are “concerned because they're going to have to work with their competitors to enable this. This whole area throws up issues of competition, intellectual property, confidential information—they're big alarm bells for clients,” Pearce said.

However, according to Alexander Brown, a partner and head of the technology, media and telecommunications group with Simmons & Simmons LLP in London, the data portability right goes to the heart of the philosophy behind the GDPR—the concept “that it is the individuals' data,” and the individual should have control over it.

Controller-to-Controller Provisions

EU negotiators Dec. 15, 2015 concluded nearly four years of talks on the final text of the GDPR. The text should be ratified in mid-2016 and will come into effect in mid-2018, after a two-year transition period.

The European Commission, the EU's executive arm, proposed the GDPR in January 2012 as a uniform law with equal effect across the 28-country bloc to replace the EU's now over 20-year-old Data Protection Directive (95/46/EC).

During the transition period, the Article 29 Working Party of EU member state data protection commissioners will become the European Data Protection Board and will issue guidance on a number of issues. The Art. 29 Working Party has already identified data portability as a priority for guidance in 2016.

Hans Graux, a founding partner with Brussels technology law firm time.lex, said that guidance would be needed particularly on the requirements for data controllers to work together to facilitate data portability.

The controller-to-controller provisions were “two and a half lines in the GDPR,” but opened up “pretty complicated” issues and “a lot of grey area on implementation in practice,” Graux said.

Portability ‘Without Hindrance’

Graux added that the data portability right isn't “100 percent new” and “not very novel from a regulatory perspective,” because a right for data subjects to access and receive their data already exists under the EU Data Protection Directive (95/46/EC).

Facebook Inc. users, for example, can download a zip-file archive containing their Facebook history that includes a wide range of data—personal information, information on any purchases made via Facebook including payment data, Internet protocol addresses, details of deleted friends, a facial recognition identifier and much more.

Article 18 of the GDPR augments the data access right by requiring the data subject's personal data to be provided “in a structured and commonly used and machine-readable format” so that it can be provided to an alternative data controller “without hindrance” from the original controller.

Under the GDPR, the data subject can also ask the controller to transmit his or her data directly to an alternative controller “where technically feasible.”

The right applies to personal data that is processed on the basis of the data subject's consent or to fulfil a contract.


Question of Scope

Digital technology companies would prefer the data portability right to be interpreted as having restricted scope.

DIGITALEUROPE, which represents information technology and consumer electronics companies, said it was concerned that EU negotiators had Facebook and other social media platforms in mind when finalizing the data portability right, and hadn't taken into account how it could affect other sectors and business models.

Alex Whalen, DIGITALEUROPE senior policy manager, said that guidance should make clear that the right “needs to be narrowed to cover only the data that the data subject actually needs in order to change providers.”

Brown said that many issues of scope should be straightforward, such as switching photographs from one photo-sharing site to another, but “we will desperately need guidance” on the less-clear areas.

For example, social media profiles are a “soup of data,” made up of the personal data of different data subjects, Brown said. “That's the whole point of Facebook—you're linked with hundreds of other people,” he added.

Inge Graef, a legal researcher on personal data and competition law at the Center for IT and IP Law at Belgium's KU Leuven University, said that in a social media context, the portability right would be “limited to what you have posted yourself,” and would cover “only the messages and pictures you have uploaded.”

What the “data processor has created by observing your data” wouldn't be subject to the portability right, she said.

Graef added that it was an open question “whether reputations on e-commerce platforms would also fall under the right to data portability.”

Brown said that, for any individual with a profile on a website that allows comments or reviews—for example, an individual trading via an e-commerce site—those comments would be subject to the portability right if they are about the data subject.

Risks of Standardization

Another difficult issue in implementing the right to portability will be the question of common data formats that can be transferred between controllers.

The Article 29 Working Party will need to decide, for example, how far cloud computing providers should be obliged to open up their proprietary platforms to enable portability.

Pearce said that technical issues related to data portability from controller to controller are “a potential concern because that involves costs and time.” However, the GDPR specification that controller to controller portability need only happen “where technically feasible” would “give organizations some kind of leeway,” she added.

Meanwhile, there are worries that standardization of data formats to enable data portability could make data more vulnerable to security breaches.

Whalen said that the Art. 29 Working Party shouldn't interpret the wording in the GDPR that data should be provided to data subjects in a “commonly used format” as “meaning a single format for the transfer of the data.”

This would just “make the data vulnerable to hackers,” he said.

Brown said that there was a risk the data portability right would open up new opportunities for identity thieves.

The right could create dangers “if you can pretend to be me and contact my bank,” and request a transfer of data in line with the portability right, he said.

Europe's Digital Strategy

It may take some time for the ramifications of the introduction of the data portability right to be fully understood.

In some contexts, the right might initially be little used. If a data subject requests a transfer of his or her data from Facebook, for example, what alternative providers are currently available that the data could be transferred to?

However, the right to portability should also be seen in the light of EU competition concerns about the dominance of certain companies—in particular, U.S. companies—in some sectors, such as social networking.

Graef pointed out that, back in 2012 when the European Commission proposed the GDPR, in the accompanying impact assessment “they explicitly made a reference to social networks as a service to which the right of data portability would apply.”

Facebook “would indeed be the one company that could be considered dominant in the social network area,” Graef said.

In that impact assessment from 2012, the commission said there should be no obstacle to switching to other social media platforms if and when “better, cheaper or more privacy-friendly services become available.”

Graux said that among EU lawmakers there was “strategic concern about social networks,” and “concern that a lot of European information is disappearing towards non-European service providers.”

As the volume and value of personal data grows, the debate about its economic importance “is only going to intensify in Europe,” Graux said.

In introducing data portability, the hope of EU lawmakers might be that EU data subjects will transfer their data away from non-European and to European service providers.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com