The Right to Data Portability
Article 20 has the purpose of making it significantly easier for citizens to have any data which is stored with one service provider transmitted directly to another provider. This means that providers of data processing services will have to store personal data in such ways that these can be “taken along” in a commonly used file format.
Up to now, so-called “lock-in” effects are still common: if changing to another service provider entails significant costs or obstacles for the customers, they often decide against any change altogether even if another provider is offering better conditions. Now, the new data protection regulation on portability has been developed to give the concerned persons better control over their personal data. Hence, the new right could also influence the market situation.
It is however still unclear how this theoretically plausible portability will be implemented practically, because there is no similar previous provision and there has been no development of the law by judges either as the right to data portability will only become effective with the European General Data Protection Regulation in May 2018.
In our project, the Stiftung Datenschutz (Foundation for Data Protection) will examine possible ways of practically implementing the right to data portability. The project aims to develop practically relevant suggestions for the detailed definition and arrangement of data portability, how narrowly or broadly the concept of the provision of data must be interpreted, how the transfer of a data set from one provider to another can be realised and which measures should be taken by the concerned companies with respect to the implementation of this right. In addition, Stiftung Datenschutz will give all of the concerned parties – regulatory bodies, the data processing industry as well as citizens – the possibility to join an objective discussion about the possible application of the legal provisions within the scope of events and publications.
Subject Matters of Data Portability
The purpose of Article 20 of the General Data Protection Regulation is to allow for the portability of data between different service providers and to strengthen the so-called informational self-determination of the user. Within the scope of the project, we will also analyse whether the user will in fact be given more control over their data: The legislation does require that the transferred data will not be automatically deleted. This could lead to data being distributed even wider.
Within the scope of the project, the following questions will be asked for clarification:
- How narrowly or broadly should the aspect of the provision of data be interpreted?
- Does the practical implementation of the regulation allow for better protection of data privacy (“informational self-determination”)?
- How is data portability related to interoperability between different systems?
With the right to data portability, the regulator mainly aimed at social networks such as Facebook or Google +. However, the scope of application of this right is not limited to such business models in any way. On principle, the right to data portability is relevant for all sectors.
This results in the following questions with respect to the economic assessment:
- In which sectors are lock-in effects an issue?
- How do industries for which “lock-in” effects are not an issue plan to implement Art. 20 GDPR?
- Which specific sectoral challenges does this pose for the individual business models?
- Which investments will the industries have to make?
One of the most important challenges in the implementation of data portability is posed by its technical feasibility. On the one hand, the European Commission’s Article 29 Working Party has clarified that the data will have to be made available in a structured, commonly used and machine-readable format. On the other hand, however, it remains unclear what this format should look like exactly and which standards shall be used.
Therefore, we would like to answer the following questions over the course of the project:
- What could be considered a “common interoperable format” for practical application?
- How can compatibility between different formats be achieved?
- Which specific requirements must be laid down for a compatible format?
- Which standards shall be used for the development of a format and who shall be responsible for defining them?