Data portability is cited as one of the key measures for ensuring fair competition among EU companies. However, there are concerns that small and medium enterprises might be disproportionally affected. Law experts warn that the adverse consequences of data portability could hit small companies hard.
What Is Data Portability?
Data portability is an obligation placed upon data controllers, and conversely, one of the GDPR rights of data subjects. They must be able to produce a copy of the individual’s data and hand it over in a commonly used, transferable format.
The requirement does not apply only to social sites (which is one of the first use cases that comes to mind), but to all other businesses that collect personal data, such as banks, online shops, medical institutions, retail outlets etc.
This data can be directly transferred to another controller of the data subject’s (the individual’s) choice, but data subjects can obtain this data even without the intention to switch controllers. The right for individuals to obtain a copy of their personal data directly complements the so-called right to access, as defined in Article 15 of the GDPR.
The lawmakers aimed to create a competitive environment that would let users easily switch from an inferior service to a better one, without being ‘held hostage’ by their data. As it stands, users are reluctant to switch services since the data they hold, such as calendars and e-mails, is not easy to transfer to another provider. Data portability aims to change that.
The Legal Background
Data portability was enacted in a bid to help foster competitiveness and prevent a single player from monopolising its market niche. It should, in theory, reduce the abuse of market power.
Having a large market share does not necessarily mean the company is doing anything wrong. Even at 40 percent of market share, the dominant company is in the clear as long as it is not abusing its dominant position – but it will certainly be more closely monitored.
The main issue is with the so-called ‘essential facilities doctrine’. Under this rule, large companies are forced to offer their services to its smaller competitors if they are the only player in the market that provides those services. The doctrine was primarily devised in the US for the use of infrastructure (ports, railways), where there are no feasible alternative options.
The Portability Connection
The essential facilities doctrine could serve as a way to force the monopolists to share their data with other fledgling companies. This works if, and only if, the data is indispensable for newcomers to the market. However, this would be very difficult to prove and no precedents of this sort have been set – yet.
The question of data portability is covered in Article 20 of the GDPR, however some questions were left open or insufficiently clarified. The Article 29 Working Party has recently issued guidelines on data protection that attempt to clarify at least some of the issues.
Scope of Data Covered
The right to portability covers data concerning the data subject and data provided by the subject. Anonymous and anonymised data does not fall under the scope of this right.
Looking at it closely, portability of data concerning the data subject is fraught with issues. This data can actually be generated by someone else. For example, messaging history can contain bits and pieces of data from various people.
So, what can one do?
The WP29 advises data controllers not to take a restrictive interpretation of ‘data concerning the data subject’. In other words, data from other persons that concerns that specific individual can be transferred and stored. However, the data should not be processed in a way that would have a negative effect on the rights and freedoms of these third parties.
What is considered data provided by the subject?
Aside from data that individuals directly input, data by the subject also comprises data observed from their activities. These include usage logs, browsing history, sensor data from wearables (such as FitBit or similar) etc.
Data resulting from observation of the individual’s activity is thus included, but the data derived from subsequent analysis on behalf of the data subject (profiling, personalisation) is not covered by this right.
Costs for SMEs
The right to data portability could create disproportional effects on small and medium enterprises. They will have to invest in dedicated online services that help ensure data portability. Also, responding to data portability requests will put a dent in their budget – but as of yet, it is unclear how large the impact will be.
The issue is with the proportionality of these costs. They are likely to be fixed, and thus represent a much smaller share of overall expenses for large companies.
IP presents an important consideration for the individual’s right to data portability. The WP29 argues, however, that protection of intellectual property is not in itself a valid ground to deny a data portability request. Instead, they suggest transferring the data in a from that does not ‘disclose trade secrets or intellectual property rights’.
This is a rather difficult provision for businesses to swallow. It could lead to companies being wary of collecting personal data for the fear of the data being leaked to its competitors.
This paper cites the example of True Fit, a service that collects personal measurements and then sells it on to other online clothes retailers to reduce returns and improve customer satisfaction. If they were to share their data, their entire business model would become virtually obsolete.
Only natural persons are covered by this provision. Small businesses do not have the right to data portability. This creates potential legal issues regarding the scope of this provision, since one-man-businesses and handicrafts could be adversely affected. Courts in each respective country will likely have to interpret the Regulation themselves, owing to substantial differences when it comes to business enterprises across the EU.
Aside from focusing on the sticking points from the section above, the WP29 guidelines also contain more general suggestions that are worth mentioning.
Companies have one month to answer individuals’ portability requests. This timeframe can be extended to three months in case of complex requests. The request must be answered: even if you plan to reject the request, you must inform the individual of the result.
The WP29 suggest the use of widely compatible, abstracted formats such as CSV, JSON or XML, depending on types of data. The data should be accompanied with appropriate metadata whenever possible.
Still, there is no real requirement that the data be exported in a format readable by all data controllers, and such a requirement would be impossible. The WP29 instead urges for dialogue and industry cooperation – a pipe dream in the era of litigation.
Data controllers must enact a reliable mechanism to verify the identity of the person requesting the data transfer. There are no explicit requirements in the GDPR, but the data controller should not have doubts about the identity of the person and does have the right to demand additional verification.
Most often, usernames and passwords that are used to authenticate oneself are proof enough, as long as the requests are made when logged in. In other circumstances, ID scans can be requested, for example. However, they must not be used for any other purpose.
The WP29 maintains that it is up to the data controller to prove the requests are manifestly unfounded or/and excessive. Then it becomes reasonable to charge a small fee covering the actual costs of fulfilling the request.
But the WP29 also holds that fees should be used as a last resort only, and that there are more elegant ways of ensuring a cost-free access to the data, such as via APIs, which would make answering to even repeated requests trivial and automatic.
The individual receiving the data must be in position to fully understand the structure and schematics of the data provided. To that end, a short overview or a table of contents could help individuals both navigate and understand the data provided – even if the data entries themselves are not easy to understand by a human.
It goes without saying that a data controller must ensure that the data is safe during transmission and initial preparation. Password protection, authentication, tokens, even one-time pads can be used to achieve that.
Controllers should not forget to educate the end-users about the importance of data security once they download the data to their computer. Even though it the responsibility of data subjects, they might not have sufficient knowledge on how to achieve that.
Data portability is a potentially beneficial principle, however there are certain problems which we hope will be ironed out in practice – or, preferably, will not turn out to be serious at all.
The issue of disproportionate costs for small businesses is the most serious one and should not be taken lightly. SMEs, with little knowledge and shoestring budgets, are expected to provide the same levels of portability as the larger companies. From the perspective of the consumer, this is great news, but the small businesses will certainly struggle. Perhaps in the future we will see certain exemptions being made for small companies.
Furthermore, there are no real assurances that cross-controller data transfers will be interoperable and compatible. Companies will have to expend some effort to ensure that data can be transferred, but it likely will not be high on their priorities list, especially among the big players. Forcing them to do so, since this would constitute an abuse of market dominance, is possible but the legal battles are lengthy and exhausting.
As it stands, however, all companies that collect personal data are required to set up a data portability mechanism by 25 May 2018, without exceptions.
You can access the full WP29 guidelines here (PDF document).