WP29’s revised guidelines on the right to “data portability”

In its plenary meeting held in April 2017, Working Party 29 (WP29) examined certain critical matters regarding the implementation of Regulation 2016/679, the s.c. General Data Protection Regulation (GDPR).

In that occasion, WP29 approved the Revised Guidelines on the right to “data portability”, wp242rev.01 (Revised Guidelines), substituting the Guidelines on the right to “data portability” (Guidelines).

Data portability allows data subjects to receive the personal data provided to a controller, “in a structured, commonly used and machine-readable format, and to transmit them to another data controller”. Data controllers shall develop “means that will contribute to answer data portability requests” and should guarantee that “personal data are transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request”. The Guidelines help data controllers to clearly understand their obligations and recommend best practices to comply with the right to data portability;

The Revised Guidelines on the right to “data portability”, wp242rev.01 bring the following changes to the Guidelines.

Competition is out of scope. The Revised Guidelines clarify that the “GDPR is regulating personal data and not competition.” Benefits to competition are incidental. “In particular, Article 20, GDPR, does not limit portable data to those which are necessary or useful for switching services.”

Data resulting from observation. Pursuant to Article 20(1), GDPR, to be within the scope of the right to data portability, data must be: (i) personal data concerning the data subject or (ii) data which the data subject has provided to a data controller. The Revised Guidelines acknowledge that, in addition to the personal data knowingly and actively “provided by” the data subject (e.g. mailing address, user name, age), there might be other data resulting from the observation of the data subject activities. To give full value to this new data portability right, “provided by” “should also include the personal data that are observed from the activities of users such as raw data processed by a smart meter or other types of connected objects, activity logs, history of website usage or search activities.”

Third-party data transmitted to a new controller may be processed only according to the GDPR. The Revised Guidelines clarify that the transmission of data following the exercise of the data portability right does not justify the new data controller to prevent third parties from exercising their rights as data subjects under the GDPR.

At the same time, controllers answering data portability requests from data subjects are not responsible for the processing handled by the data subject or by another company receiving personal data.

A “receiving” data controller’s processing third-party data would likely fall under the Article 6(1)(f) legitimate interest, particularly if the controller provides a service that allows the data subject “to process personal data for a purely personal or household activity. The processing operations initiated by the data subject in the context of personal activity that concern and potentially impact third parties remain under his or her responsibility, to the extent that such processing is not, in any manner, decided by the data controller.”

The Revised Guidelines clarify that the privacy of third parties will not be respected if the new controller uses the personal data for other purposes, such as (i) for marketing purposes; (ii) to “enrich the profile of the third-party data subject and rebuild his social environment, without his knowledge and consent” or (iii) to “retrieve information about such third parties and create specific profiles, even if their personal data are already held by the data controller.” The last two are examples added by the Revised Guidelines, which also specify that “A social networking service should not enrich the profile of its members by using personal data transmitted by a data subject as part of his right to data portability, without respecting the principle of transparency and also making sure they rely on an appropriate legal basis regarding this specific processing.”

No hindrance from old controller. The Revised Guideline included a section clarifying Article 20(1), GDPR, according to which data subjects have the right to transmit the data to another controller without hindrance from the controller to which the personal data have been provided. The Revised Guidelines describe the practices that may constitute “hindrance” of data portability, including “any legal, technical or financial obstacles placed by data controller in order to refrain or slow down access, transmission or reuse by the data subject or by another data controller. For example, such hindrance could be: fees asked for delivering data, lack of interoperability or access to a data format or API or the provided format, excessive delay or complexity to retrieve the full dataset, deliberate obfuscation of the dataset, or specific and undue or excessive sectorial standardization or accreditation demand.”

Technical guidance to data portability. The Revised Guidelines also provide guidance about technical feasibility limitations on data transfers and the technical paths that data controllers should explore for making portable data available to the data subject.

Data controllers are expected to transmit personal data in an interoperable format, although this does not place obligations on other data controllers to support these formats. Receiving data controllers are not obliged to accept and process personal data transmitted following a data portability request.

The Revised Guidelines suggest two different technical paths for making portable data available to the data subjects or to other data controllers:

– a direct transmission of the overall dataset of portable data (or several extracts of parts of the global dataset);

– an automated tool that allows extraction of relevant data

Data shall be made available through various means (such as, for example, secured messaging, an SFTP server, a secured WebAPI or WebPortal) and data subjects should be enabled to hold and store the personal data and grant permission to data controllers to access and process the personal data as required.

Data format. The Revised Guidelines clarify that where there is no available common use format in a certain industry, data controllers should provide personal data using commonly used open formats, along with relevant metadata.

Data transmission security. The Revised Guidelines highlight how data controller is responsible for (i) taking all the security measures needed to protect the personal data that remains in their systems, (ii) adopt transparent procedures for dealing with possible data breaches, and (iii) assess the specific risks linked with data portability and take appropriate risks mitigation measures.

For more information, Federica Romanelli.