Article 20. GDPR. Right to data portability

Author: Alexander Dix 

  1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

(b) the processing is carried out by automated means.

  2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

A. Preliminary remarks

By providing for a right to data portability the Union legislature has created an entirely new legal instrument which strengthens the data subject’s rights to influence the processing of his data. This – in a positive sense – disruptive right[1] is one of the modern elements of the Regulation and links data protection law with consumer protection, antitrust[2] and employment law.[3] The Article 29 Working Party sees Art. 20 as an opportunity to re-balance the relationship between data subjects and data controllers.[4] The European Data Protection Supervisor furthermore states that through portability individuals could “benefit from the value created by the use of their personal data: it could allow them to use the data for their own purposes, or to license the data for further use to third parties, in exchange of additional services, or for cash value.”[5] Other authors see in Art. 20 the opportunity “to develop more and more user-centric platforms for the management of personal data.”[6] Even if the right to data portability was originally intended to remedy the “lock-in” effect primarily leading to an intensive user retention in social media[7] the basic idea can be applied to other forms of automated data processing as well. However, the provision as it stands is unlikely to effectively overcome any lock-in effects especially in social media since a user who wants to move to another platform with his profile will have to leave behind his “friends”. This could only be solved by rules on interoperability and communication between providers and services which are currently missing (→ mn. 8).
The use of different data formats considerably inhibits the moving of personal data from one platform to another.[8] The Directive on contracts for the supply of digital content guarantees the right to data portability of digital content in European civil law as well for online-services and e-commerce.[9] The supplier shall provide the consumer with technical means to retrieve all content provided by the consumer and any other data produced or generated through the consumer’s use of the digital content to the extent that data has been retained by the supplier. The consumer shall be entitled to retrieve the content free of charge, without significant inconvenience, in reasonable time and in a commonly used data format. Data portability is of particular importance in the area of cross-border health care. Although secondary law[10] recognizes the need for patients to share their health records with healthcare providers of their choice in any Member State there is still no legally binding framework for an exchange format for electronic health records in Europe (→ mn. 8).[11] In its first evaluation of the GDPR the European Commission recognised that the right to data portability has “a clear potential, still not fully used, to put individuals at the centre of the digital economy by enabling them to switch between different service providers, to combine different services, use other innovative services and to choose the most data protection-friendly services. This will indirectly, foster competition and support innovation.”[12] With regard to the free flow of non-personal data Union law obliges the Commission “to encourage and facilitate the development of self-regulatory codes of conduct at Union level in order to contribute to a competitive data economy, based on the principles of transparency and interoperability and taking due account of open standards”.[13]

B. Legislative history

The Directive 95/46 does not contain a provision equivalent to Art. 20. In its Communication of 2010 on a comprehensive approach on personal data protection in the European Union[14] the Commission had proposed a right to portability. This had been prompted by users of social media platforms who complained that they had problems getting their data back from the platform providers. The European Parliament supported this idea in its Resolution of 2011 and expressed the expectation that this right would “facilitate the smooth functioning of both the single market and the internet and its characteristic openness and interconnectivity”.[15] The Commission had originally proposed a more comprehensive right compared to the text of the Regulation as adopted. In cases of electronic processing the data subject should have the right to receive a copy of data referring to him in a commonly used electronic and structured format (Art. 18 para. 1 of the Commission’s proposal). This was later integrated in the right of access (Art. 15 para. 3).[16] In the relevant Recital social media are mentioned as an example for transmitting personal data from one automated processing into another, although the Commission did not intend to limit the scope of portability to these cases. In the adopted text of the Regulation neither Art. 20 nor Recital 68 refer to social media. The exception of portability for processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Art. 20 para. 3, 2nd sentence) was proposed by the Council. Directive (EU) 2016/680 does not contain a right to data portability. However, there may be cases where a local authority offers a social network of its own. Here as in other situations where a citizen asks a public authority to receive his personal data which he had provided a long time ago it may be considered good administrative practice to apply Art. 20.

C. Right to receive and transmit data (Art. 20 para. 1)

The right to data portability under para. 1 has two elements. On the one hand the data subject is entitled to receive the data referring to him in a certain format (“vertical portability”), on the other hand he is entitled to transmit those data to another controller without hindrance (“horizontal portability”).[17] These rights are particularly relevant in – but not limited to – a situation where a provider – for whatever reason – discontinues his service.[18] The right to data portability is provided simultaneously with the right to deletion. The porting of data does not automatically lead to their deletion[19] since the controller may legally (e.g. on a contractual basis) be empowered or even obliged to retain the data. The right to portability is not a right to “removal” of the personal data in question.[20] If the data subject has a right to have the data deleted under Art. 17, he can ask for the reception or transmission as well as the subsequent deletion of the data.[21]

I. Prerequisites

To begin with, the right to portability is limited to personal data. This may be data relating to items or titles such as playlists in a music streaming service which have been provided by the data subject and may be linked to him via metadata. Whereas anonymous data are not portable, pseudonymous data fall within the scope of this right.[22] Furthermore only those data are portable which refer to the data subject exercising the right to data portability. This appears to be consistent since the data subject cannot dispose of the data referring to third persons. This applies to data processed by a cloud service provider which are to be moved to another provider. It may also concern the use of fitness trackers, smart watches or smartphone apps, which facilitate the storage of activity or health data (e.g. heart rate) on servers of providers or manufacturers. Furthermore the data subject under Art. 20 may request to receive the playlists from music providers and data stored for customer cards or similar loyalty programs.[23] Also an e-mail account with a web service provider, telephone communications data or transaction data in connection with online-banking may be received and transmitted in this way. Some of these data may also refer to third parties (senders and addressees of e-mails, communications partners or recipients of money transfers). According to Recital 68 Art. 20 is to be applied in these situations as well subject to Art. 20 para. 4.[24] The Art. 29 Working Party has therefore supported an extensive interpretation of the right to data portability.[25] The Working Party points out that the data subject should be able within the household exception (Art. 2 para. 2 lit. c) to correspond or create directories of contact details and change the provider in this context.[26] However, this requires the processing of data by the new provider to be restricted: he may only process the data for personal (“household”) purposes of the data subject who has requested the data to be transmitted.[27] The processing of data by the new provider must be limited to the purpose pursued by the data subject and must comply with the principle of data minimization.[28] The use for any other purposes (e.g. marketing purposes) would unlawfully affect the rights and freedoms of other persons under Art. 20 para. 4 (→ mn. 13).

When using social media and similar platforms – for which the right to data portability was originally designed – in most cases data on the data subject may not easily be severed from the data referring to others (“friends”).[29] Furthermore the right to data portability shall not adversely affect the rights and freedoms of others (→ mn. 12). This does however not justify the limitation of the right to data portability to the data subject’s profile data (name, date of birth, e-mail address)[30], because this would miss the primary regulatory purpose of Art. 20. Therefore the data subject may also request the transmission of posts by third persons which he has “liked” as well as pictures of third persons which he has uploaded on the original platform. However, the new provider may only use these data in such a way that they remain under the control of the person who has requested the transmission. The Article 29 Working Party has called on controllers to implement consent mechanisms as tools for other data subjects involved in order to ease data transmission in cases where data subjects are willing to consent.[31] Such tools would however not entirely compensate for the missing rules on interoperability (→ mn. 1).

[…]

[1]Kühling/Martini, EuZW, 2016, 448 (450).

[2]Cf. Article 29 Working Party, WP 242 rev. 01, 3; the EDPB has endorsed these Guidelines, cf. Endorsement 1/2018; Jülicher/Röttgen/v. Schönfeld, ZD 2016, 358, 360; Spiecker gen. Döhmann, in: Data Access, Consumer Interests and Public Welfare, 175, 192 et seq.; dissenting Dehmel/Hullen, ZD 2013, 147, 153, and Kühling/Martini, EuZW, 2016, 448, 450 et seq., who dispute the link of this new right to data protection. On the origins of the concept of data portability in U.S. antitrust legislation see Wong/Henderson, IDPL 2019, 173 (177). Nebel/Richter, ZD 2012, 407, 413, call it a concept alien to data protection law. On the relation between competition law and privacy generally Kemp, University of New South Wales Law Series (2020), 3 et seq. For a similar U.S. view see Swire/Lagos, Maryland Law Rev. 2013, 335, 338. For a positive view of the growing “osmosis” between data protection and competition law generally see Buttarelli, CPI Antitrust Chronicle February 2019. Cf. also Elfering, 52 et seq.

[3] Cf. Munteanu/Povey, EDPL 2022, 41, 47 et seq.

[4]See the proposals by Hornung in Hill/Schliesky (eds), Die Neubestimmung der Privatheit, 2014, 123, 142 et seq., which have so far not been taken up by the Union legislators.

[5]EDPS, Opinion 7/2015, 13.

[6]De Hert/Papakonstantinou/Malgieri/Beslay/Sanchez, CLSR 2018, 193, 203. See also Zanfir, IDPL 2012, 149 (152); Copetti Cravo, EDPL 2022, 52, 53 et seq.

[7]Hornung, ZD 2012, 99, 103; Article 29 Working Party, WP 242 rev. 01, 5.

[8]Laue/Nink/Kremer, 154.

[9]Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services, OJ EU L of 22.5.2019, L 136/1, Art. 16 para. 4. See Faust, Verhandlungen des 71. DJT, Bd. I, A 9 (A 40 et seq.); Spindler, MMR 2016, 219; Dix, ZEuP 2011, 2.

[10]Regulation (EC) 883/2004 of the European Parliament and of the Council of 29 April 2004 on the coordination of social security systems, OJ L166, 30.4.2004, 1; Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare, OJ L 88, 4.4.2011, 45.

[11]See the critical comments in a study mandated by the European Commission, Assessment of the EU Member States’ rules on health data in the light of GDPR, 141 et seq.

[12]European Commission, Data Protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation, p. 8.

[13]Art 6 Regulation (EU) 2018/1807 of 14 November 2018 on a framework for the free flow of non-personal data in the European Union.

[14]Communication of 4.11.2010, KOM (2010) 609, 7 et seq.

[15]Resolution of 6.7.2011, 2011/2025(INI).

[16]However the right to a copy of the data is no longer limited to electronic processing.

[17]The distinction between vertical and horizontal portability has been introduced by Chassang/Southerington/Tzortzatou/Boeckhout/Slokenberga, EDPL 2018, 296 (298).

[18]See the case of the social platform Google Plus.

[19]Article 29 Working Party, WP 242 rev. 01, 7.

[20]See v. Lewinski in BeckOK DatenschutzR, DSGVO Art. 20 mn. 115; dissenting Pauly in Paal/Pauly Art. 20 mn. 4.

[21]For the question of competing rights of different data subjects → mn. 12.

[22]Cf. Recital 29; Article 29 Working Party, WP 242 rev. 01, 9.

[23]Article 29 Working Party, WP 242 rev. 01, 5.

[24]Herbst in Kühling/Buchner, DSGVO, Art. 20 mn. 10.

[25]Article 29 Working Party, WP 242 rev. 01, 9.

[26]Article 29 Working Party, WP 242 rev. 01, 11.

[27]Article 29 Working Party, WP 242 rev. 01, 9 et seq.

[28]Article 29 Working Party, WP 242 rev. 01, 6.

[29]Cf. Van der Auwermeulen, CLSR 2017, 57, 71.

[30]Voigt/v.d.Bussche, 5.6.1.2; dissenting Jülicher/Röttgen/v. Schönfeld, ZD 2016, 358 (361).

[31]Jülicher/Röttgen/v. Schönfeld, ZD 2016, 358 (361) doubt whether consent can be validly given in the context of social media due to lack of specificity.
