Update Data Protection No. 28
Art. 20 GDPR – Right to data portability
The right to data portability, regulated in Art. 20 GDPR, will be directly applicable in every EU member state with effect from May 25, 2018. The generally well-intentioned idea is aimed at strengthening "data sovereignty": if it is possible to demand that major social media providers return one's own social media account in a "commonly used format", this enhances the ability of individuals to switch from one provider to another (possibly in the hope of better protection of data). The downside of this well-intentioned idea from the European legislator is that it creates a (partly) unsolvable challenge for many companies. If the software in use does not offer the possibility of exporting all relevant data in a commonly used format - as is currently the case with many software products - companies can at best export the data in a commonly used format through complex, partly manual work steps. However, since a violation of Art. 20 GDPR can be sanctioned by administrative fines of up to 20 million EUR or 4% of annual turnover, companies will not be able to avoid the challenge posed by the right to data portability.
Claim to receive data - "Strengthening data sovereignty" as an unreasonable demand on companies
Art. 20 GDPR grants data subjects a claim to the return of personal data that they have provided to a controller. Specifically, Art. 20 GDPR covers situations such as, for example, where the data subject wishes to change provider without major effort and loss of data. If a data subject wishes to "transfer" his or her profile on one social network to another, or to activate the old email account with another provider, the right to data portability therefore enables a smooth "relocation" - at least in theory. To enable this, Art. 20 GDPR stipulates that the data must be provided to the data subject in a "structured, commonly used and machine-readable format".
Direct transmission of data between controllers
Alternatively, it is possible for a data subject to demand that the data be transmitted to a third party (e.g. a competitor). Art. 20 (2) GDPR expressly formulates the right of the data subject to the return of his/her personal data by enabling direct transmission between controllers, provided the technical prerequisites for this exist.
Art. 20 only applies to "provided" data
Art. 20 GDPR is applicable only to personal data that has been "provided" by a data subject. The central limitation of the scope of application of the rule can be found in the term "provision". Art. 20 therefore does not cover every item of data that a controller "possesses" concerning a data subject.
It is, however, not clear whether only personal data that were provided to the controller actively and knowingly are covered. Possible examples of data transmitted actively and knowingly include email addresses, details of age, posts and social-media blogs, or the user name. Some data protection authorities have, however, already expressed the view that "data provided unknowingly", i.e. data such as user behavior analyzed on a website, the health data collected by a fitness tracker or location data collected "at the same time", should also be covered by Art. 20 GDPR. In future, clarification of this legal position will only be possible via case law.
The right to data portability does not apply unrestrictedly - approaches for easing the burden on companies?
The right to data portability is restricted by Art. 20 (3) and (4) GDPR. Art. 20 (4) GDPR excludes the right to data portability in cases in which the rights and freedoms of other persons are prejudiced. As such, the rights of a controller obliged to transmit data, for example its intellectual property or business secrets, can also be taken into account. In addition, personal data of third parties cannot be transmitted at the same time. This does not, however, reduce the workload for companies, but rather obliges them to check the data records thoroughly for indications of third-party data before returning them.
Summary - in most cases the bottleneck is the software
In most cases, the bottleneck preventing easy implementation of the right to data portability in practice is likely to be the respective software that does not offer an export function. If export functions do exist, if the configuration is sufficiently flexible to allow the selection of specific data - depending on how the authority views the scope of the claim to return - and if the export function supports a "commonly used" format, it could be easy to comply with Art. 20 GDPR. However, this is currently possible only in rare cases, particularly as there is quite simply no commonly used format for many practical situations.
Even if it is blatantly obvious here that this rule from the European legislator's "ivory tower" encounters in practice a long-standing software landscape that - thus far - provides hardly any pragmatic, fully automated solutions for data portability, this cannot be a reason for ignoring the rule. After all, a data protection supervisory authority can take the position that the two-year implementation period could have been used to solve the implementation problems. With this in mind, companies should check their software in terms of whether data export is possible. Wherever this is not the case, in-house programmers or the external software provider should start looking for pragmatic solutions very soon.