Well, here’s Article 20 of the GDPR, concerning the right to data portability. The first two paragraphs are as follows:
1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
- the processing is carried out by automated means.
2) In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Of all the parts of the GDPR, this is one which really piqued the interest (and potentially ire) of many businesses. Paragraph one may be challenge enough for some, but marketers would be forgiven for reading paragraph two with a shade of reluctance.
Many companies see significant competitive advantage in their ability to collect and format personal data in a useful way. This isn’t the sort of thing they want to be passing to a competitor.
Fairly obviously it’s about choice for the individual
There’s no doubt this sounds great for the consumer though. Article 20 should give individuals control over their personal data, and allow more freedom of choice when it comes to choosing a service.
The Working Party guidelines state that previous legislation (the Data Protection Directive) gave individuals the right to data access, but that individuals “were constrained by the format chosen by the data controller when providing the requested information.” The GDPR changes this and is set to “enrich customer experiences”.
It levels the business playing field
PwC eloquently points out that the rationale of the right to portability is to create a level playing field “for newly established service providers that wish to take on more established providers.”
Perhaps a consumer wants to change insurance provider – in theory they may no longer have to request their details from their insurer (no claims proof, for example), but can request they are sent directly between the two companies.
What does all this look like to the consumer?
The guidelines give a couple of nice examples, saying “a data subject might be interested in retrieving his current playlist (or a history of listened tracks) from a music streaming service, to find out how many times he listened to specific tracks, or to check which music he wants to purchase or listen to on another platform. Similarly, he may also want to retrieve his contact list from his webmail application, for example, to build a wedding list, or get information about purchases using different loyalty cards, or to assess his or her carbon footprint.”
As to how this is achieved, here are some points to bear in mind:
- The means for data portability should include “download tools and Application Programming Interfaces”. One can imagine a self-service tool, as well as an API that deals with controller-to-controller portability.
- “Data portability can promote the controlled and limited sharing” of personal data. This implies individuals should be able to choose what data to download.
- “Documents encoded in a file format that limits automatic processing, because the data cannot, or cannot easily, be extracted from them, should not be considered to be in a machine-readable format.” This arguably includes PDF files.
- The guidance notes that “where no formats are in common use for a given industry or given context, data controllers should provide personal data using commonly used open formats (e.g. XML, JSON, CSV,…) along with useful metadata at the best possible level of granularity.”
What data is included?
As implied in the music streaming service example, this right to data portability covers not just data provided actively by the subject, but also generated by their activity (if this is recorded).
This should set marketers to wondering exactly what data they need to record about their customers.
Remember ‘legitimate interests’
Remember though, the right to data portability applies only where processing is based on consent or on a contract, and where data is processed automatically.
Marketers may already be fairly confident that activity such as website personalisation will be processed based on legitimate interests, and as such, the impact of data portability may be at least confined to those key areas that truly impact on a user’s ability to choose between services.
For more on GDPR, see Econsultancy’s resources page or try our new GDPR online learning classes.
Note that this article represents the views of the author solely, and are not intended to constitute legal advice.
So PwC reckon that there will be a level playing field “for newly established service providers that wish to take on more established providers” ?
I’m not so sure.
If I was an established service provider and any company wanted my data I would seriously be tempted to levy a heavy admin charge to that service provider for my customer data. After all, I’ve gathered all that data at ‘great cost’ to my business and I am potentially losing a customer to a rival. Even more so now that I can’t charge the customer anymore for access to their data under GDPR.
So although the idea of a level playing field is a good one however, unless there is a standardised fee agreed between organisation, I think that in reality it won’t happen. Service providers will place significant barriers to each other to slow the pace of data portability and/or profit from each other by it.
@Morgan The guidance would seem to preclude any charging. Here:
“Article 12 prohibits the data controller from charging a fee for the provision of the personal data, unless the data controller can demonstrate that the requests are manifestly unfounded or excessive, “in particular because of their repetitive character”. For information society services that specialise in automated processing of personal data, implementing automated systems such as Application Programming Interfaces (APIs)27 can facilitate the exchanges with the data subject, hence lessen the potential burden resulting from repetitive requests. Therefore, there should be very few cases where the data controller would be able to justify a refusal to deliver the requested information, even regarding multiple data portability requests.
In addition, the overall cost of the processes created to answer data portability requests should not be taken into account to determine the excessiveness of a request. In fact, Article 12 of the GDPR focuses on the requests made by one data subject and not on the total number of requests received by a data controller. As a result, the overall system implementation costs should neither be charged to the data subjects, nor be used to justify a refusal to answer portability requests.”
Fair enough. However, while you or I will not be charged for our requests (which is a good thing) I can seriously see organisations creatively obfuscating data requests to each other to such a degree that they will seek to profit from each other. Employing an API or an open standard to a similar degree that financial institutions do when performing credit checks will come at a cost initially and they will look to pass that cost on somewhere.
Thanks for taking the time to reply.
@Morgan Will certainly be fascinating to see the extent to which portability is adopted. Thanks for reading and commenting.
While I’m not sure there is the risk Morgan suggests in terms of the financial side, all of the GDPR legislation suggests that companies must do what that can within their means without a significant financial or resource impact on them. As a result, most of the data requests initially will come in whatever format is easiest for the business which I can’t imagine will be that readable / uploadable for competitors and will vary across every company within an industry.
As a result, while there is an interesting concept of companies being able to get a customer’s back data post GDPR, I reckon it’s unlikely to come to fruition any time in the short term…
@Matt The scenario I’m thinking of is in automotive and particularly in fleet. This article (https://www.nytimes.com/2017/07/27/automobiles/wheels/car-data-tracking.html) highlights how much sensitive information is captured in the car.
This information is incredibly valuable to the manufacturer and comes at great cost i.e. development of in-car technology (usually bespoke to that manufacturer) and this in turn helps them build ‘better’ cars.
Now imagine I am a Fleet Manager who has been a Mercedes customer for x years. I have decided to terminate my contract with Mercedes and opt for Audi instead. In order for Audi to provide a better service to my fleet they require the data from Mercedes regarding my fleet’s driving habits (for insurance purposes, driving habits and other factors) to better supply their services to my fleet. This data is ‘unique’ to Mercedes because it is derived from their vehicles. However, the data they have is about the driver and subsequently falls under GDPR. A data request from the client (or Audi) would potentially represent a real headache as sensitive information not only about the driver but also about how Mercedes business operates is now being requested.
Mercedes are effectively being asked to give up intel about their customers and in the process reveal how they handle this information giving their rivals a valuable insight into how they operate. Even worse as it’s a fleet customer the data request could number in the hundreds (possibly thousands) and lets not forget there are numerous different operating systems that control the cars’s computers (https://humanizing.tech/the-new-battleground-car-operating-systems-609592e07a31) and exchanging that data represents a real headache.
And I haven’t even touched upon third party fleet firms:(https://www.fleetnews.co.uk/news/2015/2/9/uk-council-fleet-drops-below-50-000-vehicles/54766/) and the impact of GDPR on them.
This is where I think cost will play a part as I can’t imagine that this will go down well with any manufacturer and they will look to claw back anything they can out of this.
FYI. This area concerns me as I deal with many automotive clients (manufacturers and retail) and their customer comms and we are currently priming them for GDPR.
I completely get that Morgan.
I think this is where the ‘legitimate interests’ aspect may come in to play in terms of the argument being the data was captured to best provide a service to the customer rather than as a result of opt ins. As such (and I appreciate this is still a grey area) form what i’ve seen, this data wouldn’t necessarily need to be provided…
@Matt. Thanks for the reply. I’ll bear that in mind.