Well, here’s Article 20 of the GDPR, concerning the right to data portability. The first two paragraphs are as follows:
1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
- the processing is carried out by automated means.
2) In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Of all the parts of the GDPR, this is one which really piqued the interest (and potentially ire) of many businesses. Paragraph one may be challenge enough for some, but marketers would be forgiven for reading paragraph two with a shade of reluctance.
Many companies see significant competitive advantage in their ability to collect and format personal data in a useful way. This isn’t the sort of thing they want to be passing to a competitor.
Fairly obviously it’s about choice for the individual
There’s no doubt this sounds great for the consumer though. Article 20 should give individuals control over their personal data, and allow more freedom of choice when it comes to choosing a service.
The Working Party guidelines state that previous legislation (the Data Protection Directive) gave individuals the right to data access, but that individuals “were constrained by the format chosen by the data controller when providing the requested information.” The GDPR changes this and is set to “enrich customer experiences”.
It levels the business playing field
PwC eloquently points out that the rationale of the right to portability is to create a level playing field “for newly established service providers that wish to take on more established providers.”
Perhaps a consumer wants to change insurance provider – in theory they may no longer have to request their details from their insurer (no claims proof, for example), but can request they are sent directly between the two companies.
What does all this look like to the consumer?
The guidelines give a couple of nice examples, saying “a data subject might be interested in retrieving his current playlist (or a history of listened tracks) from a music streaming service, to find out how many times he listened to specific tracks, or to check which music he wants to purchase or listen to on another platform. Similarly, he may also want to retrieve his contact list from his webmail application, for example, to build a wedding list, or get information about purchases using different loyalty cards, or to assess his or her carbon footprint.”
As to how this is achieved, here are some points to bear in mind:
- The means for data portability should include “download tools and Application Programming Interfaces”. One can imagine a self-service tool, as well as an API that deals with controller-to-controller portability.
- “Data portability can promote the controlled and limited sharing” of personal data. This implies individuals should be able to choose what data to download.
- “Documents encoded in a file format that limits automatic processing, because the data cannot, or cannot easily, be extracted from them, should not be considered to be in a machine-readable format.” This arguably includes PDF files.
- The guidance notes that “where no formats are in common use for a given industry or given context, data controllers should provide personal data using commonly used open formats (e.g. XML, JSON, CSV,…) along with useful metadata at the best possible level of granularity.”
What data is included?
As implied in the music streaming service example, this right to data portability covers not just data provided actively by the subject, but also data generated by their activity (if this is recorded).
This should set marketers wondering exactly what data they need to record about their customers.
Remember ‘legitimate interests’
Remember though, the right to data portability applies only where processing is based on consent or on a contract, and where data is processed automatically.
Marketers may already be fairly confident that activity such as website personalisation will be processed based on legitimate interests, and as such, the impact of data portability may be at least confined to those key areas that truly impact on a user’s ability to choose between services.
Note that this article represents the views of the author solely, and is not intended to constitute legal advice.