The GDPR introduced a remarkable development in the form of the new data portability right under Article 20. Before the GDPR the EU data protection framework did not include personal data portability in any form whatsoever.
The idea behind the right to data portability was to give individuals more control over their data within the EU. Moreover, an added benefit of the ability to shift data around from one business to another is that the competition within the EU internal market would be more intense. This sounds well and good in practice but what is the practical reality of the right of data portability?
The Right to Data Portability
The right to data portability was born with the Data Portability Project that promised that users would be able to receive their data and transfer it to any compatible platform. The EU took notice of this concept, and became interested in providing such a right for the common market. The EU would ideally is essentially killing two birds with one stone. For one, it would increase the power individuals have over their own data, and improve competition within the common market.
The right may seem simplistic and somewhat useless at first glance, however, in practice this is not always the case. For example, the necessity to provide vast amounts of data when switching banks may become a very real disincentive for doing so. Imagine all the paperwork often provided to banks: employment records, payment histories and paychecks. The task of re-providing these may become a high threshold for changing a service provider. Hence, with data portability, arguably this situation would be rectified and the threshold lowered.
Nevertheless, it must not be forgotten that the GDPR only applies to natural persons, and therefore, legal persons i.e. companies will not benefit from the right. As a result, the new right to data portability does nothing to lower similar thresholds in relation to businesses or improve competition in this way.
Article 20: The Content of the Right
To break Article 20 down, the actual right of data portability is twofold, consisting firstly of a right to receive the personal data concerning the natural person which that data subject has provided to a controller. Secondly, the data subject has the right to transmit the data they have provided to another controller without impediment from the controller to which the data originally had been provided.
While this sounds good in practice, Article 20 (1) (a) limits the scope of the right to data portability in a critical way. Only data that has been provided based on consent or a contract is within the scope of the right to data portability. In addition, only data that has been “provided” by the natural person may be transferred.
These are key limitations as often a sizeable amount of useful information, especially behavioral information, that would be useful to transfer, is processed based on legitimate interests. Arguably, this would be the most useful data from the perspective of the customer, as it would allow the new platform to provide a specifically tailored service to the customer from the get-go.
On the other hand, from the other perspective, this limitation is a blessing from the entity transferring the data. In effect, any algorithms or other techniques used to draw conclusions from the private individual’s data are safe from their competitors. Therefore, this type of “inferred” data is completely out of the scope of the right to data portability.
In conclusion, the right to data portability may make swapping certain service providers more appealing. However, the amount of data that is eligible for such a transfer is critically limited. Therefore, arguably the overall usefulness of the right to data portability is somewhat limited.
