Under the Data Protection Act 2018 (which implements the General Data Protection Regulation 2016) (“UK GDPR”), in certain instances individuals have the right to move or reuse personal data that they have provided to a company from one IT environment to another. This right only exists in relation to personal data which is processed by a controller:
- on the basis of the data subject’s consent or a contract with the data subject; and
- by automated means (i.e., electronically, rather than in hard copy e.g. paper records).
In this article, we look at this topic in greater depth and highlight what it means for you and your business.
This right is an attempt to promote further interoperability (as opposed to compatibility) between online services/systems and support user choice, user control and consumer empowerment.
So what is data portability? Under the UK GDPR, a controller must, free of charge, provide a copy of all personal data that it processes about the data subject (and which has been provided by the data subject) in ‘a structured, commonly used and machine readable format’ so that the data subject can transfer his or her personal data to another controller without hindrance.
To help controllers update their practices, processes and policies, the EU has issued detailed guidelines on interpreting and implementing this new right. The UK’s Information Commissioner’s Office has also provided guidance. The key points from these guidelines are as follows:
- What personal data is and isn’t caught?
The right covers data ‘provided by the data subject’. In defining what ‘provided by the data subject’ means (which must be interpreted broadly), the guidelines distinguish between:
- Data actively and knowingly provided by the data subject (e.g. user name and password) and data provided, or generated, by the data subject by virtue of his or her activity/use of the service or device (e.g. emails from an email service, travel data from the TomTom app, fitness data from a Fitbit or raw data generated by a smart meter). Data which falls within this definition must be portable.
- Inferred data and derived data which ‘are created by the controller on the basis of the data ‘provided by the data subject’’ (e.g. credit score, health assessment outcome or a user profile created by analysing the raw smart metering data). Data which falls within this definition doesn’t have to be portable. However, the data subject could still invoke his or her right to access a copy of such personal data under Article 15 of the UK GDPR.
Pseudonymous data would also be caught and must be portable.
The right doesn’t apply to anonymous data or data that doesn’t concern the data subject.
In relation to data that doesn’t concern a data subject, the guidelines state that controllers ‘must not take an overly restrictive interpretation of … personal data concerning the data subject’ if a request to port includes personal data relating to other (non-consenting) data subjects. But at the same time, there is a need to ‘avoid retrieval and transmission of data containing the personal data of other (non-consenting) data subjects to a new controller in cases where these data are likely to be processed in a way that would adversely affect the rights and freedoms of the other data subjects’. The guidelines give telephone records as an example ‘… telephone, interpersonal messaging or VOIP records may include (in the subscriber’s account history) details of third parties involved in incoming and outgoing calls. Although records will thus contain personal data concerning multiple people, subscribers should be able to have these records provided to them in response to data portability requests because the records are (also) concerning the data subject. However, where such records are then transmitted to a new controller, this new controller should not process them for any purpose which would adversely affect the rights and freedoms of the third-parties ….’.
To tackle this rather tricky issue, the guidelines recommend that to reduce the risk for other non-consenting data subjects whose personal data may be ported, the incumbent and new controllers should ‘implement tools to enable data subjects to select the relevant data they wish to receive and transmit, and exclude, where relevant, data of other individuals’. Additionally, they should ‘implement consent mechanisms for other data subjects involved, to ease data transmission for those cases where such parties are willing to consent, e.g. if they also want to move their data to some other controller. Such a situation might arise, for example, with social networks’.
The good news for the original controller is that the guidelines state that it isn’t responsible for ensuring that the new controller, or the data subject making the request, respects the data protection rights of these other (non-consenting) data subjects.
As the UK GDPR requires controllers to ensure that data subjects are aware of their rights under the UK GDPR, the guidelines recommend that controllers ‘clearly explain the difference between the types of data that a data subject can receive using the portability right or the access right’. This could be done in, e.g., an online privacy notice.
2. Consent and contract only
The right is not available to a data subject if its personal data is not processed on the basis of (i) their consent or (ii) a contract with them. The right therefore doesn’t apply where processing is being carried out by an controller which is carrying out a legal obligation, exercising its public duty or performing a task carried out in the public interest (i.e., the other ‘lawful processing’ grounds set out in Article 6 of the UK GDPR). The guidelines give an example of a government service which provides ‘easy downloading of past personal income tax filings’.
3. No lock-in!
The right complements a data subject’s right to access their personal data by giving them an easy way to manage and reuse personal data themselves. It essentially means that a data subject must not be prevented by an controller (or its systems) from ‘porting’ (i.e. moving, copying or transmitting) their personal data to another controller.
4. How and when to port?
The UK GDPR requires personal data to be provided ‘in a structured, commonly used and machine-readable format’, with such format being ‘interoperable’ (which is defined as ‘the ability of disparate and diverse organisations to interact towards mutually beneficial and agreed common goals, involving the sharing of information and knowledge between the organisations, through the business processes they support, by means of the exchange of data between their respective ICT systems’).
There will be no one size fits all format, with the guidelines acknowledging that formats will differ across sectors and that adequate formats may already exist. In selecting a format to use, controllers must consider how it will ‘impact or hinder the individual’s right to re-use the data’ and in some instances it could mean that (for example) metadata also has to be provided. The guidelines ‘strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability’.
Controllers must give the data subject different ways to port their personal data. The ability to port personal data between controllers must be done in a secure and safe manner (e.g. by using encryption), and under the control of the data subject.
If a data subject is porting data to its own personal storage system, controllers should inform them that such storage systems may not be as secure as the controller’s system so that the data subject can take steps to protect the retrieved personal data. As a best practice, the guidelines suggest that controllers recommend appropriate format(s) and encryption measures. Controllers will need to word their guidelines carefully so as to ensure that they don’t give rise to potential liabilities to data subjects.
The guidelines recommend that controllers ‘implement an authentication procedure in order to strongly ascertain the identity of the data subject requesting his or her personal data or more generally exercising the rights granted …’ (e.g. usernames and passwords).
Controllers must comply with a request to port data without undue delay and in any event within one month of receipt of a request. This can be extended up to 3 months for complex cases but the guidelines recommend controllers consider ‘alternative means of providing the data such as using streaming or saving to a CD, DVD or other physical media or allowing for the personal data to be transmitted directly to another controller’. The guidelines also recommend giving timeframes to data subjects (e.g. in an online privacy notice).
If an controller wants to reject a request to port data because it is manifestly unfounded or excessive it must notify the data subject no later than one month after receiving the request. This notice must set out its reasons for refusing and let the data subject know what its rights are (e.g. lodging a complaint with the ICO). Because of the very nature of controllers, the guidelines expect there to be very few cases where controllers will be able to refuse.
5. What happens after personal data is ported?
The right doesn’t mean that controllers have to retain personal data for longer than is necessary or beyond any specific data retention periods simply to service a potential data portability request. Furthermore, a data subject can still continue to use the controller’s services (if of course it wants to) even after its personal data has been ported to another provider and the porting of personal data doesn’t:
- automatically trigger a simultaneous obligation on the incumbent controller to erase the personal data from its systems (original data retention periods still apply) or
- give the incumbent controller the right to delay or refuse a request by a data subject to erase its personal data from its systems etc.
The guidelines also recommend that controllers ‘always include information about the right to data portability before data subjects close any account they may have. This allows users to take stock of their personal data, and to easily transmit the data to their own device or to another provider before a contract is terminated’.
6. What about the new controller?
It will still have to comply with all elements of the UK GDPR, including the principles relating to processing personal data in Article 5 of the UK GDPR. It must therefore ‘clearly and directly state the purpose of the new processing before any request for transmission of the portable data’ and the guidelines particularly highlight that it must ensure that such personal data ‘are relevant and not excessive with regard to the new data processing’. So, if it receives personal data that it doesn’t need, it must not keep and process it.
The guidelines consider it best practice for new controllers to ‘provide data subjects with complete information about the nature of personal data which are relevant for the performance of their services. In addition to underpinning fair processing, this allows users to limit the risks for third parties, and also any other unnecessary duplication of personal data even where no other data subjects are involved’.
As noted above, the new controller is responsible for ensuring that the data protection rights of other (non-consenting) data subjects are respected where their data is included in personal data which is being ported over by a (consenting) data subject. As a result, the new controller would not be able to, for example, use data about a new customers’ friends or contacts to target those friends or contacts with direct marketing.
7. What about personal data covered by IP and trade secrets?
Data subjects can’t use this right to misuse ‘information in a way that could be qualified as an unfair practice or that would constitute a violation of intellectual property rights’. Controllers can’t use such a potential business risk as a basis to refuse to port personal data. Controllers would therefore need to port personal data provided by the data subject ‘in a form that does not release information covered by trade secrets or intellectual property rights’. This may help in some situations, but not all, because, for example, the ‘form’ in which the personal data is stored might not be the most likely area where trade secrets or IPRs are relevant. Further guidance will be needed in this area.
What do controllers – incumbent and new – need to do?
Interoperable formats and, for example, APIs will need to be developed, as well as tools to enable (i) data subjects to select what data he or she wants to port and (ii) others whose data is included in a portability request to either consent or refuse.
Controllers should draft user guides and information for data subjects and make these readily available.
If you would like any further information or advice on data portability, or the UK GDPR generally, please contact us.
Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.