Late last week, the Article 29 Working Party (“WP29”) issued detailed guidance on companies’ obligations under three key provisions of the General Data Protection Regulation (“GDPR”). This is part two of a three-part Alston & Bird series evaluating WP29’s positions, and relates to the Right of Data Portability for data subjects and its obligations for data controllers. Part 1 deals with Data Protection Officer obligations under the GDPR, while Part 3 analyzes guidance on the Lead Supervisory Authority mechanism.
Article 20 of the GDPR creates a new right to data portability for data subjects. In short, this right permits a data subject to receive personal data they have provided, directly or indirectly, to a data controller in a structured, commonly used, and machine readable format, and to transmit that data to another data controller of the data subject’s choosing.
Article 20(1) of the GDPR reads “[t]he data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided […].” WP29 provides guidance in four parts: the elements of the right to data portability, when the right applies, how the right interacts with other general rules regarding the rights of data subjects, and how controllers must provide portable data upon request.
1. Elements of Data Portability
WP29 identifies five key elements of the new right and provides guidance on each element.
- “Right to receive personal data:” WP29 describes the right as complementary to, but distinct from, the right of access. The first aspect of that right is to receive personal data “in a structured, commonly used and machine-readable format” and store it for “personal use on a private device,” so that data subjects themselves can use and manage their data.
- “Right to transmit personal data from one data controller to another:” The right also permits a data subject to transmit personal data from the controller to another “without hindrance.” WP29 explains that this right allows data subjects to avoid becoming “locked in” with a single controller, and can promote innovation in data use and better controlled sharing of personal data.
- “Data portability tools:” WP29 also suggests that data controllers should offer different implementations of this right to assist consumers, including allowing a data subject to choose between directly downloading his or her data and having the data controller transfer the data to another data controller at the data subject’s request. WP29 also notes that a data controller might do so by creating an application programming interface (API) or by using a personal data store or trusted third party to hold and store a data subject’s personal data and make it available to other data controllers with the data subject’s authorization.
- “Controllership:” WP29 highlights that the right of data portability imposes no obligation on a data controller to retain personal data “for longer than is necessary or beyond any specified retention period” and that there is no requirement to retain data in anticipation of a potential data portability request. Data controllers are responsible, however, for “ensuring that the portable data provided are relevant and not excessive” in relation to the new data processing use, such as removing irrelevant information. The recipient organization of portable data becomes a new data controller with respect to the data it receives, and must “clearly and directly” state the purpose of any new processing before any request for transmission, and should not process data it receives that is irrelevant or unnecessary for the new purposes.
- “Data portability vs. other rights of data subjects:” WP29 explains that a data subject exercises his or her right to data portability, and indeed any other right within the GDPR, “without prejudice to any other right.” For example, a data controller cannot use a data portability request as a way of delaying or refusing a request for erasure of personal data, and a data subject can continue to use a data controller’s services even after exercising the right to data portability. As long as the data controller continues to process the subject’s data, that individual can exercise his or her rights.
2. When Data Portability Applies
WP29 notes that, under Article 20(1)(a) of the GDPR, processing operations fall under the scope of the right when based on either the data subject’s consent or for the performance of a contract to which the data subject is a party. Additionally, the data processing must be “carried out by automated means” in order for the right to data portability to apply.
WP29 also provides guidance on what types of personal data are subject to the new right. Under Article 20(1), only data which is personal to the data subject and which he or she has provided to a data controller falls under the scope of the right. Additionally, Article 20(4) notes that compliance with one data subject’s right to data portability shall not adversely affect the rights and freedoms of a third party data subject. WP29 further clarifies each of these three requirements:
- “Personal data concerning the data subject:” WP29 clarifies that anonymous data would not fall under the scope of the right, but that pseudonymous data that can be clearly linked to a data subject is within the scope. WP29 also cautions that data controllers must not be “overly restrictive” in interpreting “personal data concerning the data subject.” For example, a data subject should still be able to receive call records including the details of third party contacts.
- “Data must be provided by the data subject:” Again, WP29 cautions data controllers against being overly restrictive in interpreting this language, noting that data “provided by” a data subject includes both data “actively and knowingly provided” (such as data submitted through an online form) and “observed” data (such as search history and location data). Data which is derived or inferred from provided data, in contrast, is not within the scope of the right and need not be provided in response to a data portability request. Examples of derived or inferred data may include copies of invoices, analytics profiles generated from personal data, and evaluation reports.
- “The right to data portability shall not adversely affect the rights and freedoms of others:” WP29 recognizes that while a data subject exercising the right to data portability would either consent to or contract with a new data controller for processing his or her data, a third party whose data was included in the set could not do either. Consequently, where third parties’ data is included, there must be another ground for lawfulness of processing, such as a legitimate interest under Article 6(1)(f). In particular, a data controller would be permitted to offer a service to data subjects that allows the subject to process personal data “for a purely personal or household activity.” In contrast, WP29 notes that a receiving “new” data controller may not use any transmitted third party data for its own purposes, such as marketing, and should only retain and process data that is relevant and not excessive in relation to the new processing. WP29 also recommends that controllers create data porting tools to allow data subjects to select and exclude from their personal data set which data they want transferred to a receiving data controller. Additionally, WP29 suggests implementing consent mechanisms for implicated third parties to ease transmission.
WP29 also specifically notes that, while a data controller is not required to provide its intellectual property or trade secrets in response to a portability request, a potential business risk cannot in and of itself serve as the basis for a refusal of such a request. Instead, WP29 explains that a controller would need to transfer the relevant personal data in a form that excludes any information related to intellectual property or trade secrets.
3. How other general rules for data subjects apply
WP29 notes that data controllers must inform data subjects of the availability of the new right to portability in privacy notices, and must distinguish this right from other rights. WP29 recommends clearly explaining the differences between the type of data a data subject can receive using different rights. WP29 also suggests that data controllers should include data portability information during account closures. For data controllers who receive data portability transfers, WP29 suggests a best practice of explaining what data is relevant to the controller’s services, so that users can minimize the data they provide.
Additionally, while the GDPR does not prescribe requirements for data controllers to authenticate users that submit data portability requests, WP29 highlights that Article 12(2) only permits a data controller to refuse an exercise of a data right (including the right to data portability) if the processing does not require an identified data subject and if the controller can demonstrate it is unable to identify the data subject. Moreover, WP29 notes that controllers must implement authentication procedures to “strongly ascertain” the identity of a requesting data subject, even when the data collected is linked only to pseudonyms or unique identifiers.
In anticipation of data requests too big to download directly, WP29 advises data controllers to consider alternate means of providing data, such as through physical media or through direct transmission to another data controller where technically feasible.
WP29 also expands on Article 12(3)’s requirement that data controllers provide data in response to a portability request “without undue delay” and in any case “within one month of receipt of the request” or within three months for complex cases, as long as the controller informs the data subject of the reasons for the delay within one month of the request. WP29 states that data controllers operating “information society services” are technically capable of responding quickly to requests, and suggests a best practice of defining the typical timeframe for answering such requests for data subjects. In any event, WP29 emphasizes that a data controller may not remain silent in response to a request, and any refusal of a request must be communicated along with the reasons for the decision within one month of receipt of the original request.
Lastly, WP29 points out that data controllers may not charge fees for providing personal data unless the controller can demonstrate the requests are “manifestly unfounded or excessive, in particular because of their repetitive character.” WP29 also states that calculating the cost of creating an overall process to respond to such requests should not be used in determining the excessiveness of a data request, and such costs cannot be passed along to the data subject nor used to justify a refusal of such a request.
4. How portable data must be provided
While the GDPR does not require any specific technical standard for data returned in response to a data portability request, the data provided must be “in a structured, commonly used and machine-readable format” to make the data interoperable. While specific file formats are not required, WP29 notes that a format that can only be read subject to costly licensing constraints would be considered inadequate.
WP29 also notes that, to create interoperable data rather than data requiring controllers to maintain multiple technically compatible systems, personal data should be provided in formats with “a high level of abstraction.” Indeed, WP29 notes that the right to data portability implies another level of data processing to extract data pursuant to a request and filter out irrelevant data, including as much metadata as possible with as much granularity as possible to preserve the “precise meaning of exchanged information.”
To this end, WP29 encourages industry cooperation to create interoperable standards and formats for responding to data portability requests. WP29 also recommends creating tools for better responding to individual requests, such as dashboards to allow data subjects to select specific subsets of their personal data and APIs that can interact with other software to process requests submitted by or on behalf of a data subject.
Finally, WP29 notes that data controllers are responsible for securely transmitting data to requesting data subjects, but those security measures may not be obstructive or require additional costs to data subjects. WP29 also recommends that controllers make data subjects aware of steps they can take to secure their information upon receipt, and further suggests the best practice of recommending appropriate formats and encryption measures.
* * * * *
Alston & Bird is closely following EU guidance on data portability rights and is advising multinational organizations on how to implement portability requirements. For more information, contact Jim Harvey, David Keating, or Jan Dhont.