The Right to Data Portability is considered one of the most path-breaking rights that the GDPR provides to individuals, i.e. the data subjects. In the various articles written on this topic, it has been given more reverence than the right to access and the right to erasure, because this right gives the individual the power not only to get access to his/her personal data but also to transfer it, or have it transferred, to another data controller.
Put simply, data portability is the transfer of a data subject's personal data from one data controller to another. It shall be opted for when the data subject wishes to avail of the services of another data controller for reasons such as better service, better quality, personal choice, etc.
To understand the provisions of Article 20, let us analyse it in detail.
Article 20 of the GDPR states as follows:
- The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
- The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Firstly, the right to data portability can only be exercised where the data controller's processing is based on the data subject's consent or on a contract. This implies that processing for the purpose of fulfilling a legal obligation is excluded from the purview of Article 20.
Article 20 shall only apply when the processing is done by automated means. Data collected by manual methods, such as notes, diary entries or paper forms, need not be transferred.
A point of great significance is that the data shall be provided to the data subject in a structured, commonly used and machine-readable format. As per the official website of the European Union, this format shall be any one of the following: XML, JSON, CSV, etc. This is to ensure that the data subject can easily submit and get his/her data transferred from one data controller to another without any technical hindrance.
Secondly, the data subject is not limited to receiving his/her personal data personally. He/she can also request the data controller to transfer the data to another data controller of the data subject's preference.
Thirdly, data portability shall not affect the rights and freedoms of others. This point arises when the data subject's data includes the data of other individuals too. For instance, if the data subject wishes to transfer the contact details of his/her friends and family members from one website to another, the rights of these friends and family members shall also be taken into consideration, as their rights and freedoms should not be jeopardised solely for the sake of invoking Article 20.
The above three points raise a lot of questions, such as:
- What if the data provided by the transferor data controller is not compatible with the technological systems of the transferee data controller?
- Are there any specific machine-readable formats that the data controllers should utilise? Are there any formats that cannot be utilised?
- What if the data controller does not have the technological strength to transfer the data?
- Can the data controller refuse to transfer the data when the rights and freedoms of third parties are at risk? Is this solely based on the data controller's decision or does the data subject have a say in this?
It can be seen that although Article 20 is very empowering to the individual, there are many loopholes that a data controller can make use of so as not to comply with the data subject's request. Moreover, Article 20 places a lot of obligations on the data controller. An organisation that operates on a small to medium scale might not be equipped with the technical know-how to comply with Article 20 even partially, let alone fully.
It remains to be seen how well organisations are able to comply with Article 20 and what action shall be taken against defaulting companies.