EU data protection regulators have issued guidance on a new principle that businesses will have to consider when they process data about people: the right to data portability. The new right is part of a package of new rules in the EU General Data Protection Regulation, which takes effect in May 2018. The right is intended to give people more control over their personal data, allowing them to switch service providers more easily. This is good news for individuals, but brings new compliance issues for many businesses, particularly those that are consumer-facing.
How will the new right work?
The new right has two limbs:
- the right to receive personal data from a data controller in a structured, commonly used and machine-readable format; and
- the right to transmit personal data to another data controller without hindrance.
It doesn’t apply to all personal data – just data that the person has given to the data controller. The guidance says this covers data that the person has actively given to the data controller (eg by filling out an online form) and also ‘observed’ data resulting from the person’s use of a service or device (eg search history or raw data collected from a fitness tracker). But it doesn’t cover data that the data controller infers or derives, like credit scores or results generated by a data controller’s own algorithm. So any analysis or profiling by a data controller won’t need to be disclosed in response to a portability request.
The right applies only if the data controller derives its right to process the data from the person’s consent or as part of a contract (eg via a music streaming service). There’s no right to data portability where the data controller processes data on other legal grounds (eg the public interest ground).
The guidance says that, once a data controller has answered a portability request, it’s not responsible for how the data is handled by the data subject or the recipient data controller. But the data controller must ensure that any transmitted data is securely delivered to the correct recipient (eg by encryption).
The recipient data controller must comply with data protection law for the data it receives. The guidance says this includes ensuring that the data is relevant and not excessive for the purposes for which the recipient will be processing the data; also the recipient must clearly tell the person how it will process his or her data before the request to transmit the data is made. In practice, this may place a significant compliance burden on recipient data controllers to review all personal data received and delete irrelevant data.
What should businesses be doing to prepare?
The guidance gives some practical advice on how to give effect to the new right. It recommends that businesses offer both a direct download option and the ability to transmit data directly to other controllers. But it recognises that appropriate formats will differ across sectors, and encourages industry and trade associations to work together to develop a common set of interoperable standards.
Businesses will have to give clear information about the new right, so they should update their data protection notices on this as part of their general preparation for the GDPR.
You can read the full guidance here and the FAQs here. You might also like to read our commentary on the new guidance on appointing Data Protection Officers and on identifying the ‘lead supervisory authority’.
And if you’d like to receive our checklist on preparing for the GDPR, please contact us.