The General Data Protection Regulation of April 27, 2016 and implemented on May 25, 2018, introduced a right to portability (Article 20):
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format those data to another controller, and have the right to transmit that data to another controller […]”.
First, the right to portability must be distinguished from the right of access, which allows the data subject to obtain data about them from the data controller. The right to portability allows the data subject to obtain their data from the controller “in a structured, commonly used and machine-readable format.”
The right of access, unlike the right to portability, is not intended to allow the transfer of personal data from one data controller to another, but only to obtain a copy of one’s processed data for information purposes.
In addition, the right of access concerns all the personal data of the data subject, whereas the right to portability concerns only data provided by the data subject and processed on the basis of his consent or the performance of a contract.
The very purpose of portability is therefore the transmission of data to another data controller for the purpose of mobility and control of one’s data, whereas the purpose of the right of access is more informational for the data subject on the use that is made of his data.
The search for control over personal data is not new. Indeed, Article 1 of the French Data Protection Act of 6 January 1978 already enshrined “the rights of individuals to decide and control the uses made of personal data concerning them“.
However, the right to portability is only rarely exercised in practice, as Alain Bazot, President of the “UFC-Que choisir” association points out, according to whom the right to portability “remains very little known today“. Despite an upsurge in requests for rights from affected individuals since the application of GDPR, the right to portability is only rarely invoked by them.
So, if it remains unknown and little exercised, the question of the effectiveness of the right to portability may arise.
In order to respect and implement this right, the data controller must provide internally for procedures to handle such requests for rights. The appointment of a Data Protection Officer (“Data Protection Officer” or “DPO”) may also be relevant to help you analyze the admissibility of requests and respond to them properly. DPO Consulting can support you as an outsourced DPO.
GDPR restricts the exercise of the right to portability that it has nevertheless enshrined. The aim is not to enshrine a general right to portability. Particularly sensitive situations (combating fraud and money laundering) or technically impossible situations remain outside the scope of portability in the interest of simplicity of implementation for data controllers.
On the other hand, if GDPR imposed portability, which is a complex technical process, in all situations, the difficulties of implementation would certainly be too great and costly for data controllers.
The right to portability is therefore only to be exercised when the processing is based on consent or contract. Moreover, it can only be exercised in relation to data provided by the data subject that is subject to automated processing. Finally, the right to portability must be technically feasible and must not infringe the rights and freedoms of third parties.
The right to portability applies only to personal data processed on the basis of consent or a contract.
In contrast, the exercise of the right to portability will not concern, for example, certain personal data processed by the human resources department of a company on the basis of the legitimate interest of the data controller (the constitution of a CV library, the management of internal directories and organization charts or the management of professional e-mail).
Similarly, the storage of data relating to accounting or tax obligations or relating to the management of pre-litigation or litigation will not be subject to portability. The data controller may base its two processing operations respectively on legal obligations and on its legitimate interest.
Conversely, data obtained in the context of a contract for the delivery of goods or the provision of a service may be subject to a request for the right to portability because their processing will be based on the performance of a contract. This is also the case for data obtained on the basis of consent for the purpose of commercial prospecting, for example.
The European Data Protection Board (EDPB) nevertheless encourages data controllers to implement good practices with regard to portability requests. For example, a public service providing a service for downloading personal income tax returns is not concerned by the right to portability since it can base its processing on a public interest mission. However, the EDPB calls on data controllers to establish procedures to best comply with portability as a matter of “good practice.”
Only data provided by the data subject can be subject to the right to portability. In order to remedy this restriction, the EDPB believes that this notion should include “activity data of the data subject” in the same way as “data generated by the controller“. This expansion intended by the EDPB would allow a data subject exercising their right to portability to obtain more information than just the data they have actively provided (activity data processed by a connected object, website usage history, search activities, etc.).
On the other hand, so-called “derived” or “inferred” data remains excluded from the scope of this right.
The right to portability is effective “where technically possible.” This is a new pitfall into which the right to portability seems to fall. The right to portability is only conceivable if the extraction and then transfer of data from one data controller to another is technically possible. The effectiveness of the right to portability necessarily involves the issue of interoperability, at the heart of technical issues.
This is, according to Isabelle Da Silva, President of the French Competition Authority, the keystone of the right to portability: “the effectiveness of the right to portability will require IT solutions that allow websites and applications to communicate with each other” (webinar organized by the CNIL, “Portability: an event to develop rights and uses” of October 22, 2020).
Yet GDPR places no obligation on data controllers “to adopt or maintain processing systems which are technically compatible” to implement the right to portability. It only “encourages controllers to develop interoperable formats that enable data portability” (Recital 68).
Furthermore, only “automated” data processing falls within the scope of the right to portability. Personal data contained in paper files are therefore not affected. While this restriction seems minor in practice given the proportion of automated processing compared to non-automated processing, it again restricts the exercise of this new right for data subjects.
Finally, the right to portability may not be exercised if it infringes on the rights and freedoms of third parties. The EDPB’s Guidelines on the right to data portability state that the right to portability must not allow for the receipt of identifying data of third parties (e.g. contact list) without their consent.
In other words, GDPR wants to avoid the case where the transfer of personal data from one controller to another would restrict or even make impossible the exercise of rights of third parties, data subjects, such as their right of access or opposition.
It is also possible that third party rights and freedoms other than those provided for by GDPR could be affected by the right to portability. This is particularly the case for business secrecy and intellectual property rights.
The EDPB thus specifies that “the right to data portability is not a right that allows a person to misuse information in a way that could be qualified as unfair or that would constitute an infringement of intellectual property rights.”
This raises the question of the protection of intellectual property law, and more specifically of the copyright on the software that may be used by the data controller.
Indeed, how can data processed by a software be extracted and transmitted without revealing its functioning and possibly the specificities that make this software a commercial asset for the controller? The risk would be that the data controller receiving the data would discover or deduce how his competitor does it, which would undoubtedly call into question the right to portability from a purely competitive point of view.
Furthermore, once information is considered to be business secret, the right to portability may not apply to it. This is any information that is not generally known or easily accessible to persons familiar with such information, that has commercial value and that is subject to reasonable protection measures (French Commercial Code, Article L. 151-1).
By granting the data subject’s request for portability, a data controller could see itself transmitting data revealing its commercial but also technical practices to potential direct competitors. The latter could then discover or deduce certain practices of the original data controller thanks to portability.
While the right to portability sees its scope particularly restricted by GDPR itself, it is nonetheless a relevant right in light of the challenges of tomorrow.
The right to portability, and GDPR as a whole, aims to allow citizens to control their personal data. Its introduction into GDPR therefore makes sense in that it could in the future allow for greater control by citizens over their data and foster healthier and more open competition.
GDPR is part of a movement to involve citizens more in the control of their personal data. This movement is not just European. The California Consumer Privacy Act, passed in 2018, also introduced the notion of data portability to further involve data subjects.
Similarly, the Law for a Digital Republic of October 7, 2016had created the right to informational self-determination of individuals. In fact, the notion of informational self-determination was somewhat defined by Article 1 of the French Data Protection Act of January 8, 1978, which already reinforced “The rights of individuals to decide and control the uses that are made of personal data concerning them” which relates to its main principles.
Charly Berthet, head of legal and institutional relations at the National Digital Council, and Célia Zolynski, Professor at the University of Paris I Panthéon-Sorbonne emphasize this control of personal data by citizens. According to them, “its most immediate declination concerns the right to data portability”.
Thierry Breton, European Commissioner for Internal Market, believes that the right to portability will make it possible to “avoid lock-in effects“, i.e. situations where consumers would be locked into a service, unable to change operator or data controller, or only with great difficulty.
As such, if GDPR can become a marketing and commercial asset for companies, the right to portability should allow citizen-consumers to evolve more freely in a competitive economic fabric by having more choice regarding their consumption.
– Gabriel Privat