Does the Right to Data portability limit the free flow of data?

Introduction
The digital market has given rise to a new world of possibilities for data collection, processing, storage, sharing and analysis.[32] Legal uncertainty within the digital market most certainly leads to reduced competition along with customer security and privacy being exposed to potential breaches. As a result of individual privacy and security concerns, the GDPR was introduced as an attempt to restore individual confidence and give individuals control over their own personal data.[33] The GDPR lays an obligation on data controllers to store personal data in a manner which does not go beyond necessity.[34] The rights of the data subject were developed with the right to erasure[35] and the RtDP.[36] These rights are not absolute; they are subject to third-party interests.[37] The background and adoption of the GDPR was based on the individual’s right to deny controllers the possibility to misuse or mismanage their personal data. The OECD Privacy Experts[38] are of the view that challenges to traditional personal privacy principles in the current data environment are ever more pertinent due to the introduction of connected devices, and that these complications are intensified, which leads to the deterioration of individual security and privacy rights.
The basis of the introduction of the GDPR lies in the EU Charter of Fundamental Rights [hereinafter the Charter] Article 8(1), which expresses that “[e]veryone has the right to the protection of personal data.” The qualifying right in Article 8(2) mentions that “[s]uch data must be processed fairly for specified purposes.”[39] Finally, article 8(3) states that “[c]ompliance with these rules shall be subject to control by an independent authority.” A supervisory authority is mentioned in article 51 of the GDPR as “responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union”. The Working Party (WP29)[40] has published draft guidelines clarifying the conditions under which the RtDP is applicable.[41] The RtDP was introduced so as to enable users to switch easily between services provided by controllers, with the domino effect that this may generate competition between service providers.
Conditions for Protection
Article 20 of the GDPR specifies: “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance.” In other words, the scope of the RtDP is twofold: (i) a right to receive and transfer personal data[42] (indirect portability), and (ii) a right to have it transmitted directly from one controller to another[43] (direct portability), “without hindrance.”
Article 20(3) specifies that the RtDP is “without prejudice to the right of erasure” and thus the personal information about the data subject may remain with the original controller after the RtDP request is made. This is, however, unlikely, since the GDPR is founded on seven core principles, one of which stipulates that the controller shall keep the information about the data subject only if necessary, as per the principle(s)[44] of data minimisation.[45] The requirement of the data being in a “machine-readable” format cannot be underestimated as the RtDP “should not create an obligation for controllers to adopt or maintain processing systems which are technically compatible” as per recital 68 of the GDPR. This may prompt the controller to anonymize the raw data, which may limit the data subject’s RtDP. Article 20(4) provides that the above rights are qualifying rights and these should not limit the “interests of third parties.” Furthermore, the RtDP as per the same provision only applies to data that is processed by automated means[46] and thus precludes data collected manually, including hand-written notes.
Before the RtDP can be exercised by the data subject, the grounds for data processing must be satisfied under Article 6 of the GDPR. Processing thus needs to be based on consent[47] or on a contract[48] or data processed on any other legal ground including legitimate interest under article 6(1)(f) of the GDPR. The exception here for data processing is the grounds other than legitimate interest.[49] Are controllers then able to prevent data subjects from relying on the RtDP by invoking a legitimate interest as a ground for processing personal data? Article 20(3) and even recital 68 of the GDPR, respectively, exclude portability of data when processing is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
The data has to be ‘personal data’
The RtDP consists of two main elements: firstly, the right to obtain a copy of data, and secondly, the right to transmit data to another controller, provided that they do not limit the interests of third parties. Article 4(1) of the GDPR consists of a broad list of factors specific to “personal data”. Within the article “personal data” is defined as ‘any information relating to an identified or identifiable natural person’ or the ‘data subject’. Any data which is anonymous may be rejected for a portability request; however, this does not preclude pseudonymous data.[50] An “identifiable natural person” is a person who “can be identified, directly or indirectly”. Not only name and ID are characterised as “personal identifiers”, but “location data, an online identifier or (…) factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity” are also classified as personal data. In addition, Article 4(13)-(15) of the GDPR mentions (i) genetic data; (ii) biometric data; and (iii) data concerning health, which are also included in the list of personal data. Since the foregoing list is somewhat exhaustive, recital 26 of the GDPR specified that in determining whether data falls in the category of personal data a “test of reasonable likelihood of identification” ought to be applied.[51] The costs of and the amount of time required for identification are matters to be considered in determining whether a person is identifiable.[52] In a CJEU case it has been established that an IP address can be classified as ‘personal data’ from an Internet Service Provider’s (hereafter ‘ISP’)[53] for the purposes of the GDPR. Therefore a data controller is obliged to port or provide access to this ‘data’ at the request of the data subject.
Lastly, as per the GDPR, only personal data relating to a natural person who is identified or identifiable can be subject to a data portability request. Anonymous data is excluded. Pursuant to article 11(1) of the GDPR, data controllers are not required to maintain data in an identifiable form for the purposes of meeting a portability request. When read together, articles 20 and 11 GDPR may motivate controllers to opt for processing pseudonymised datasets so as to avoid the obligations of data portability when they are unwilling to share their datasets. As specified in article 11(2) GDPR, when data is pseudonymous, data controllers are not obliged to re-identify, unless the data subject “provides additional information enabling his or her identification”, which is likely to be the case in a portability request.
The data needs to be ‘provided to’ the controller
Controllers may only port data that has been ‘provided to the controller’ under Article 20(1) of the GDPR. The GDPR does not provide an explanation as to the meaning of ‘provided’ and thus this provision is subject to interpretation. The interpretation includes all data processed by the controller on the grounds of contract or consent to which the data subject has agreed. According to the WP29, ‘provided data’ is “data actively and knowingly provided by the data subject” and “observed data provided by the data subject by virtue of the use of the service or the device.”[54] WP29 is of the view that ‘provided’ data should be limited to certain constraints and that it should preclude personal data that has been “inferred” and “derived”.[55] Health assessments and credit scores are “created” by the controller by, for example, an “analysis” of data, and therefore the data subject has not themselves “provided” such data. In short, “provided by” should not include subsequent analysis of the first observance of data subject activity.
The OECD privacy experts[56] distinguished between data that is provided, observed, derived, and inferred. The difference between derived and inferred is that data is derived and created in a “mechanical” way “to detect patterns . . . and create classifications” in a manner “not based on probabilistic reasoning,” while inferred data is “product of probability-based analytic processes.” The distinction and fine line between the data that is inferred, derived and provided may make it difficult for data subjects to invoke their RtDP. The extent of controller involvement into the “alteration” of the raw personal data is unclear from what has been communicated by the OECD and WP29.
Processing by means of consent or contract
Article 20(1)(a) specifies the conditions under which information should be supplied to the data subject: “[When] the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1).” If the data has been shared under contract or consent of the data subject then it is covered by the data portability requirement. Article 4(11) of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” The previous definition and criteria of consent are also dependent on the lawful ground of processing as stated within Article 6 of the GDPR. The WP29[57] stated that the data subject should be able to withdraw their consent as freely as they have provided it. Where data is collected by automated means or by sensors, issues related to processing grounds and consent are intensified.
Portability and ‘rights and freedoms of others’
The RtDP is subject to limitations in the interests of third parties as laid down in Article 20(4) GDPR. These could be data protection rights of other platform users[58] but also IP rights, rights of others, and more. It can be deduced that the RtDP is closely linked to the right of access. A limitation to the right of access under Article 15(4) of the GDPR is stated within recital 63: “A data subject should have the right of access . . . and to exercise that right easily and at reasonable intervals… That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject.” The interplay between IP and the right to portability will be discussed further in chapter five of this thesis. The WP29 comments on the foregoing recital in a manner which leaves unclear the limits and scope of the release, by the data controller to the data subject, of information that may be protected by IP. Thus, they merely state that data controllers may transfer the personal data “in a form” that does not infringe any IP right.[59]
The ‘provided to the controller’ criteria in connected devices
Likewise, the data comprised in ‘personal data’ under the GDPR is comprehensive. Within connected devices, any personal data may be part of a collection of independent materials, since data may be useful for the attainment of the database separately[60] and also in the combination of datasets.[61] Therefore, the dataset, whether independent, combined or both, can contain personal and non-personal data.
One needs to assess whether ‘personal data provided by the data subject’, as a condition of the RtDP under the GDPR, is satisfied. The gap appears within this part of the analysis in that the connected device ‘observes’ the data and thus the data is not ‘provided’ by the data subjects. Drexl[62] argues that ‘observed’ data that is collected from the user of a connected device should be covered as data ‘provided by the data subject’ and thus this requirement within the GDPR should be interpreted broadly.[63] “One may argue that limiting the RtDP to “provided data,” as opposed to data that is “derived” or “inferred”, is a result of regulatory balancing of a data protection right and the IP rights conducted by the legislator.”[64]
The scope of the RtDP is limited, since it has been established that the RtDP provision still does not apply to ‘inferred’ or ‘derived’ data which is generated through additional steps of data analysis, for example for ML purposes.[65]
Discussion
The RtDP allows for innovation through the free flow of data that comes with switching between service providers. The scope of the RtDP is twofold: (i) a right to receive and transfer personal data[66] (indirect portability), and (ii) a right to have it transmitted directly from one controller to another[67] (direct portability). The data subject is allowed to port the data to another controller in a “structured, commonly used and machine-readable” format.[68] The WP29 has stated in their executive summary that the portability right is closely related to the right to access under Article 15 of the GDPR, where the former may only be invoked by the data subject in limited circumstances.[69] Drexl agrees with the previous account of the close proximity of the data access right (article 15) and the data portability right (article 20).[70] Article 20 can be invoked only in relation to the data being “provided” by the data subject to the controller, and only when processing is automated[71] and based on consent[72] or on a contract.[73] Hence, data control, sharing and reuse describe data portability in the best possible manner and enable the free flow of data among controllers. The RtDP should be considered as a tool of access which allows individuals to switch when access to data is crucial for competition.[74] The portability right’s aspect of granting “control” over data has been under scrutiny by scholars since the inception of the GDPR.[75]
Further, recital 68 of the GDPR states that the right should “further strengthen [data subjects’] control” over their personal data. Inge Graef et al concur that the RtDP may not belong within the scope of the fundamental right to data protection and ought to be perceived as a tool to stimulate competition and innovation.[76]
WP29 notes that “[t]he primary aim of data portability is enhancing individual’s control over their personal data and making sure they play an active role in the data ecosystem.”[77] As per WP29 and other than preventing service lock-ins, the RtDP “[i]n essence . . . is expected to foster opportunities for innovation and sharing of personal data between data controller . . . under the data subject’s control.”[78] The emphasis on data sharing and reuse is reinforced by the requirement for the format of transmitted data and in accordance with Article 20(1) GDPR, it has to be “structured, commonly used and machine-readable,” aiming to produce interoperable systems.[79]
WP29 suggests that the use of Application Programming Interfaces (“APIs”) would enable automated data portability[80] and allow businesses to assist individuals with their data management. It would also capitalize on reuse of personal data collected by others, as the use of APIs “would enable individuals to make requests for their personal data via their own or third-party software or grant permission for others to so do on their behalf (including another data controller.)”[81] This would then have the effect of preventing lock-ins and promoting innovation by reuse.
Article 20(4) of the GDPR specifies that the RtDP “shall not affect the rights and freedoms of others,” which paves the way for uncertainty as to the breach of the RtDP. In the data controller’s defence, they could argue that the refusal of switching to another data controller “affects the rights and freedoms of others”. Who these “other” people consist of is undefined, yet recital 63 provides that this may include IP rights holders, which will be further elucidated below.
The RtDP does not only act as a compliance instrument but also incentivizes firms to set up a business strategy which allows for data creation and reuse. Albeit, the RtDP’s introduction lies in “improving access to privately held personal data, access to data through portability has a flip side for the addressees—the private parties collecting, analyzing, and trading in the data.”[82]
References
[32] Commission, ‘Impact Assessment Accompanying the General Data Protection Regulation and the Directive on the Protection of Individuals with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of such Data’ (Commission Staff Working Paper) SEC(2012)72 final 7.
[33] Communication from the Commission to the European Parliament and the Council ‘Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation’ {SWD(2020) 115 final}.
[34] GDPR article 5.
[35] GDPR article 17.
[36] GDPR article 20.
[37] GDPR article 20(4).
[38] Summary of the OECD Privacy Expert Roundtable on Protecting Privacy in a Data-driven Economy: Taking Stock of Current Thinking [2014], available at <https://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=dsti/iccp/reg%282014%293&doclanguage=en> accessed 24 May 2021.
[39] GDPR articles 5(1)(a), (b).
[40] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016).
[41] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016).
[42] GDPR article 20(1).
[43] GDPR article 20(2).
[44] GDPR article 5.
[45] GDPR article 5. (The other principles are (1) lawfulness, fairness and transparency (2) purpose limitation (3) accuracy (4) storage limitation (5) integrity and confidentiality).
[46] GDPR article 20(1)(b).
[47] GDPR article 6(1)(a).
[48] GDPR article 6(1)(b).
[49] GDPR article 6(1)(f).
[50] GDPR article 11(2).
[51] Nadezhda Purtova, ‘The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law’ (2018) 10 (1) LIT 40, 44.
[52] GDPR Recital 26.
[53] Case C-70/10 Scarlet Extended [2011] ECLI:EU:C:2011:771 para 51.
[54] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016), at 10.
[55] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016), at 10.
[56] Summary of the OECD Privacy Expert Roundtable on Protecting Privacy in a Data-driven Economy: Taking Stock of Current Thinking [2014], available at <https://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=dsti/iccp/reg%282014%293&doclanguage=en> accessed 14 May 2021.
[57] WP29 Data Protection Working Party Guidelines on consent under Regulation 2016/679 Adopted on 28 November 2017.
[58] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016), at 12.
[59] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016).
[60] Herbert Zech, ‘A Legal Framework for a Data Economy in the European Digital Single Market: Rights to Use Data’ (2016) 11 (6) JIPLP 460, 467.
[61] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ (2018) BEUC <https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdf> accessed 9 June 2019, accessed 20 April 2021.
[62] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ (2018) BEUC <https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdf> accessed 9 June 2019, accessed 20 April 2021.
[63] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ (2018) BEUC <https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdf> accessed 9 June 2019, accessed 20 April 2021.
[64] Inge Graef et al, ‘Data Portability and Data Control: Lessons for an Emerging Concept in EU Law’ [2018] 19 GLJ 0, 1374.
[65] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016), at 12.
[66] GDPR article 20(1).
[67] GDPR article 20(2).
[68] GDPR article 20.
[69] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016), at 10.
[70] Josef Drexl, ‘Data Access and Control in the Era of Connected Devices – Study on Behalf of the European Consumer Organization BEUC’ (2018) BEUC <https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdf> accessed 9 June 2019, accessed 20 April 2021.
[71] GDPR article 20(1)(b).
[72] GDPR article 6(1)(a), 9(2)(a).
[73] GDPR article 6(1)(b).
[74] Josef Drexl, ‘Designing Competitive Markets for Industrial Data — Between Propertisation and Access,’ [2017] 8 JIPITEC 257, 286, para. 155.
[75] Lucio Scudiero, ‘Bringing Your Data Everywhere: A Legal Reading Of the Right To Portability’ [2017] 3 EDPLR, 127.
[76] Inge Graef et al, ‘Data Portability and Data Control: Lessons for an Emerging Concept in EU Law’ [2018] 19 GLJ 0, 1357.
[77] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016), at 4.
[78] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016), at 5.
[79] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016), at 5.
[80] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016), at 5.
[81] WP29 Art. 29 Data Protection Working Party, Guidelines on the RtDP, 16/EN WP 242 (Dec. 13, 2016), at 5.
[82] Inge Graef et al, ‘Data Portability and Data Control: Lessons for an Emerging Concept in EU Law’ [2018] 19 GLJ 0, 1375.