SOCIETY | Oct 26, 2017

GDPR and data portability: a new risk for businesses?

Potential factor for promotion of competition but with specific technical and organizational measures

Article 20 of the General Data Protection Regulation (GDPR) introduces the new right of data portability. The importance of this development is even greater considering that it comes into effect immediately, with the result that economic operators and all other parties handling personal data must bring their corporate organizations into line in order to guarantee that data subjects have the possibility of requesting and obtaining the portability of their data.

In fact, the portability of data is not only intended to promote control by data subjects over their personal data, but also to facilitate the circulation, copying or transmission of data from one computing environment to another, and thereby to ease the transition from one service provider to another.

In fact, from the perspective of the European legislator, the possibility of moving one’s own data is a factor in promoting competition, especially in the digital services market, because it facilitates the migration of user data from one economic operator to another.

The guidelines on the right to “data portability” clearly indicate that the ultimate goal is to increase control of interested parties over their personal data.

The right to portability is therefore an important instrument supporting the free movement of personal data in the EU and is aimed at encouraging competition by facilitating the switch from one service provider to another and leading to the creation of new services within the framework strategy for the single digital market.

What, in short, is the right to portability?

Under the new right, data subjects will have the option of requesting the personal data held by a controller in a structured, commonly used and machine-readable format, of retaining the data so obtained on a medium of their choice, and of transmitting them to another controller of their choice without hindrance.

The GDPR sets out some requirements for the exercise of the right to portability: firstly, the processing of the data must be based on the consent of the data subject or on a contract to which the data subject is party. Secondly, the data that are the subject of portability must be personal data concerning the data subject (with some limitations where these data also cover the personal data of third parties, especially as regards the processing that the new controller may put in place), insofar as the right to portability must not infringe the rights and freedoms of others. Finally, the data must have been “provided” by the data subject.

Although the literal wording can thus be read as limiting this right to data consciously and actively provided by the data subject, the European Guarantors point out that it should also be considered enforceable for data “provided by the data subject through the use of a service or use of a device”. According to the above-mentioned guidelines, the category of data “provided by the data subject” must be understood in a broad sense, and must therefore also include data such as access logs, navigation data, search history and music tracks listened to on a streaming music service, excluding only “inferred data” and “derived data”, which are instead created, deduced or derived by the controller through analysis of the data provided by the data subject.

In organizational and economic terms, what implications will guaranteeing this right to data portability involve?

Unlike the right of access, which can be easily standardized and requires minimal organization by the controller, the right to portability imposes significant burdens and costs on the sector’s economic operators and, in order to be adequately ensured, calls for an effective and full-scale adjustment of business practices.

Before analyzing the compliance activity that this new requirement calls for, it is necessary to examine the organizational implications that fulfillment of this new obligation imposes on controllers.

In order to comply with the new right to data portability, controllers must first inform data subjects of the existence of this right, updating the information notice in accordance with Art. 13, paragraph 2 (b) and Art. 14, paragraph 2 (c) of the GDPR, which the controller must provide “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.

For example, the data could be presented in the first instance in a summary form, by means of special “panels” (dashboards) that allow the data subject to apply portability to subsets of their personal data instead of to the data in their entirety.

What emerges, therefore, is that it is essential for controllers to update their privacy policies so that data subjects are made aware of the new right to portability granted by the GDPR.

The most significant and burdensome obligations that controllers will have to take on, however, relate to substance. The GDPR wishes to ensure that the exercise of the aforementioned right is effective: Art. 12 (3) expressly states that the controller shall provide the personal data to the data subject “without undue delay” and in any case “within one month of receipt of the request” or, in cases of particular complexity, within a maximum of three months, provided that the data subject is informed of the reasons for the extension within one month of receipt of the initial request.

The extremely short deadlines set by European legislation therefore require controllers who provide information society services to have sufficient technical capacity to comply with future portability requests.

Thus, in order to meet the expectations of users, it may be good practice to state the timeline normally applied to the handling of portability requests, informing data subjects in advance.

The GDPR does not explain how to respond to portability requests that involve large or structurally complex data sets, or where other technical problems create potential difficulties for controllers or data subjects. It is therefore advisable that all controllers immediately begin to study the corporate practices they consider most appropriate.

In this regard, controllers need to consider adopting the technological measures necessary to secure this right: the European Guarantor Group has suggested that “it would be good practice for processors to begin to develop tools that will facilitate the exercise of the right to portability – for example, data download tools and APIs (application programming interfaces)”.

In fact, it is up to controllers to ensure that personal data are transmitted in a structured, commonly used and machine-readable format. Controllers should also ensure the interoperability of the formats in which data are made available in fulfillment of a portability request.
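The three points above come together in practice in the export tool itself: the distinction between data “provided” by the data subject (including observed data such as access logs and listening history) and inferred or derived data that stays out of scope, the option of exporting a subset of fields rather than the whole record, and the need to strip other people’s personal data before release in a machine-readable format. The following is an added example written for this page, not code from the article or from any regulator; the record layout, field names, provenance tags and sample values are all constructed assumptions.

```python
"""Added example: build an Art. 20 portability export from a stored user record.

Each stored field is tagged with a provenance class. Only "provided" and
"observed" data go into the export; "inferred" data are listed as excluded so
the data subject can see what was withheld and why. Keys that carry third-party
personal data are stripped from nested entries. All names are constructed.
"""
import json
from datetime import datetime, timezone

PROVIDED = "provided"   # actively supplied by the data subject (profile fields)
OBSERVED = "observed"   # generated by the subject's use of the service (logs, history)
INFERRED = "inferred"   # created by the controller's own analysis (scores, segments)

# Constructed export schema: provenance class of every exportable field.
FIELD_PROVENANCE = {
    "email": PROVIDED,
    "display_name": PROVIDED,
    "listening_history": OBSERVED,
    "access_log": OBSERVED,
    "churn_score": INFERRED,
    "marketing_segment": INFERRED,
}

# Constructed list of nested keys that identify other people, not the requester.
THIRD_PARTY_KEYS = {"shared_by_user_id", "other_party_email"}

# Constructed sample record, as a controller's datastore might hold it.
SAMPLE_RECORD = {
    "subject_id": "u-1001",
    "email": "alice@example.org",
    "display_name": "Alice",
    "listening_history": [
        {"track": "Track A", "played_at": "2017-10-01T10:00:00Z"},
        {"track": "Track B", "played_at": "2017-10-02T11:30:00Z",
         "shared_by_user_id": "u-2002"},
    ],
    "access_log": [
        {"ts": "2017-10-03T08:15:00Z", "ip": "203.0.113.7", "action": "login"},
    ],
    "churn_score": 0.82,
    "marketing_segment": "high-value",
}


def _strip_third_party(value):
    """Recursively drop keys that would disclose another person's data."""
    if isinstance(value, dict):
        return {k: _strip_third_party(v) for k, v in value.items()
                if k not in THIRD_PARTY_KEYS}
    if isinstance(value, list):
        return [_strip_third_party(v) for v in value]
    return value


def build_portability_export(record, requested_fields=None, schema=FIELD_PROVENANCE):
    """Return a JSON-serialisable export limited to provided/observed data.

    requested_fields=None exports every field in the schema; a list of field
    names exports only that subset (the "dashboard" use case). Unknown field
    names are rejected rather than silently ignored.
    """
    wanted = set(schema) if requested_fields is None else set(requested_fields)
    unknown = wanted - set(schema)
    if unknown:
        raise ValueError(f"fields not in export schema: {sorted(unknown)}")

    data, excluded = {}, {}
    for field in sorted(wanted):
        provenance = schema[field]
        if provenance == INFERRED:
            excluded[field] = "inferred/derived data, outside the scope of Art. 20"
            continue
        if field not in record:
            continue  # nothing stored for this subject under that field
        data[field] = {"provenance": provenance,
                       "value": _strip_third_party(record[field])}

    return {
        "format": "application/json",
        "subject_id": record["subject_id"],
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "data": data,
        "excluded": excluded,
    }


def export_as_json(record, requested_fields=None):
    """Serialise the export deterministically so it can be diffed or re-imported."""
    return json.dumps(build_portability_export(record, requested_fields),
                      indent=2, sort_keys=True)


if __name__ == "__main__":
    print(export_as_json(SAMPLE_RECORD))
```

The design choice worth noting is that the provenance tag lives in the schema, not in the request handler: whoever adds a new column to the datastore has to decide at the same time whether it is provided, observed or inferred, which is the decision the know-how discussion later in this article turns on. Listing excluded fields in the output, rather than silently omitting them, also gives the data subject the transparency that Art. 12 expects without exposing how the inferred values were computed.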

Is there a risk to the know-how of the business regarding organization and exploitation of the potential concerning the personal data provided and acquired?

Lastly, the most delicate aspect is undoubtedly the protection of the know-how of the company processing the personal data that are the subject of the portability request: when data are released in a structured format there is, in fact, a risk of accidental disclosure of the controller’s industrial secrets and know-how.

In this regard, the last paragraph of Art. 20 of the GDPR specifies that the right to portability should not infringe on the rights and freedoms of others.

The European Guarantor Group has, moreover, specified how the concept of the rights and freedoms of others referred to in Art. 20, paragraph 4, may also refer to “rights or freedoms of others, including industrial and business secrets and intellectual property, in particular the copyright protecting the software” referring to Art. 63 of the GDPR.

However, such considerations should not lead to a refusal to provide the data subject with all the information. Where the controller processes a considerable amount of information concerning the data subject, the controller should be able to ask the data subject to specify, before the data are provided, the processing activities to which the request refers. The right to data portability cannot, in fact, give third parties a right to abuse the data through unfair practices or in violation of intellectual property rights.

Although it is appropriate to take account of the rights in question before answering a portability request, “such considerations should not lead to a refusal to provide the party concerned with all the information”; in other words, the existence of a potential risk to the business cannot, in isolation and as such, constitute grounds for refusing the portability request.

Given the delicate nature of these issues, it is therefore imperative that controllers adopt procedures and set up technical and organizational measures that meet data subjects’ portability requests while avoiding the risk of disclosing confidential business information or infringing intellectual property rights.

Giacomo Conti and Sarah Ungaro