GDPR: data portability is a false promise

MyData envisages being able to interconnect all service providers. The GDPR doesn’t.

Those who are hoping to give individuals more control over their own personal data have applauded the EU General Data Protection Regulation (GDPR), which comes into full force in May 2018. In particular they have praised the way in which the regulation tightens up the rules for obtaining a valid ‘consent’ from individuals and the provisions for data portability.

‘Data portability’, in accordance with the GDPR, is the right for an individual to require an organisation to give them back a copy of the personal data they previously provided or, crucially, to send this data to another organisation — which might be a competitor. The data has to be provided in a commonly used and machine-readable format, so that the new organisation can readily import and make use of the data.

This prospect puts power in the hands of individuals to swap to an alternative service provider, using the same personal data. It signals the possibility of using Personal Information Management Systems (PIMS) or having a distributed network of personal data stores and services. The Article 29 Working Party (often known as WP29), which is the official European body to advise on data protection and privacy, states that by affirming individuals’ personal rights and control over the personal data concerning them, data portability also represents an opportunity to “re-balance” the relationship between data subjects and data controllers[1].

It sounds good, but in practice it might be a false promise.

Portable data

The first question to consider is what data will be portable. The GDPR states that portability only applies to personal data concerning an individual that he or she has “provided to” a data controller (i.e., the organisation using the data).

This limitation clearly excludes any data which the organisation obtains indirectly. The obligation falls only on the first party to obtain the data (and on any processor working under that organisation’s instructions). Personal data today rarely stops at a single organisation. Individuals would have no right to portability of data held by a third party, even when they learn that this third party has their data.

The limitation also excludes any data which has been derived from the original data — such as analysis of the health of a person who has provided their medical history, or profiling of an individual based on their data history. This is some way from the rather idealist opinion of the WP29 in 2013 that data subjects/consumers should be given access to their ‘profiles’, as well as to the logic of the decision-making (algorithm) that led to the development of the profile[2]. In view of the need to balance legitimate business interests with the rights of individuals, this limitation is probably unavoidable. The intellectual property and added value of a business may well come from its algorithms and the clever uses it makes of data.

However, the limitations may not end here. Most organisations involved in processing personal data would like to interpret “provided to” as being limited to data “actively and knowingly provided by the data subject” — such as when an individual fills in a form to give their personal details. The WP29 has taken a stance on this which is somewhat controversial, asserting that “provided by” also results from the observation of an individual’s activity — for example, data that comes from a heart rate monitor, website search history or transactions on an online service.

The European Commission itself is reportedly concerned that the WP29 has interpreted this provision too broadly, stating “that the guidelines might go beyond what was agreed by the co-legislators in the legislative process”. A representative of the Justice Commissioner was said to have commented that “data portability is a concept that is focussed primarily on social networks” (which rely primarily on data entered directly by users)[3].

This issue may not get resolved until the GDPR has been interpreted in a court of law. The WP29 guidelines do not have the force of law, but if they are ratified by this body once it has transmuted into the European Data Protection Board in 2018 (and has legal responsibility for consistency of application of data protection law across the EU), then there will be a strong presumption that their interpretation of the law is correct.

Nevertheless, this could all be moot (irrelevant, for those who prefer more modern English), since businesses may be able to avoid obligations of data portability altogether.

The GDPR’s split personality

A generic limitation on the user right of data portability is that it only applies if personal data is being processed as a result of consent or a contract.

Some parties who were behind the formulation of the GDPR had the goal of empowering individuals and giving them more control over the personal data that concern them. Intuitively, a non-specialist might assume that the best way to put people in charge would be to make any use of their data subject to explicit consent.

The GDPR certainly goes to great lengths to ensure that any consent is valid — by specifying that it must be “freely given, specific, informed and unambiguous” and by backing up this definition with a number of detailed provisions that would invalidate consents if they do not meet these criteria. The requirements for obtaining consent become much stricter under the GDPR than under previous data protection legislation, and most current practices for obtaining consent will become invalid.

In addition, once an organisation is processing data according to the consent given by an individual, it must provide the individual with data portability, as already discussed. The individual can withdraw their consent to use the data at any time, without needing to provide any justification, and it has to be “as easy to withdraw as to give consent”.

For those who want to give power over personal data back to the people, this all sounds great, but…

The GDPR allows other approaches to using personal data that do not require user consent. What is more, data protection authorities are actively encouraging businesses to bypass the whole consent process for personal data.

The reason why they are discouraging the use of the consent process is logical. Current ‘consents’ are typically a blanket approval for terms & conditions, so few people in fact take a “specific, informed and unambiguous” decision. Indeed, if all personal data usage were to require a consent process that meets all the legal requirements, it would be a burden on individuals as well as tough for organisations to implement. Most people don’t want to be bombarded by requests for approval and the information provided to the user would have to go a lot further than the current cookie banners — interrupting the fluid user experience for someone who just wants to get the benefit of an online service.

Therefore, we can expect that most businesses collecting personal data will never explicitly ask for permission. To stay compliant with the GDPR, they can use one of the other possible criteria for lawful processing. Aside from data collection for the purpose of a contract, most businesses will base their data collection on “legitimate interests”.

A legitimate interest essentially only needs to meet the criterion that the business in question (or maybe a third party) wants to use the data for legal purposes. For example, using the data to help the business make money is a legitimate interest. Some activities, such as using data for direct marketing, are explicitly recognised by the GDPR as a legitimate interest.

Note that it’s not enough, for compliance with the GDPR, to have a legitimate interest. The business has to carry out an assessment to evaluate whether its own legitimate interest will outweigh the interests and fundamental rights of the individual concerned, including consideration of whether the individual could reasonably expect their personal data to be used in this way. However, the business will be the judge and jury in these circumstances and will simply need to keep clear records to later justify any decision it takes. The business has to inform the person involved of the legitimate interest for which it is processing the data (but without having to explain how it judged the balance of interests until it receives an objection).

When a business has decided that it can legally process data due to its legitimate interest, it does not need to:

a) Ask for consent from the individual involved

b) Provide portability of the data collected

c) Give the individual the right to withdraw consent (although individuals can object)

Why would any business ask for consent, if it can assert legitimate interest? (Diagram: Xifrat Daten)

The GDPR’s split personality is that it has one approach based around consent and an alternative approach that lets organisations decide to process personal data without asking any permission.

In the first case, the organisation runs a major risk of not complying fully with the conditions for a valid consent — and therefore of having it invalidated later — and in addition it takes on extra obligations. In the second case, it might later be challenged, although individual disputes will be difficult to determine and a single person is unlikely to be well placed to match the arguments put forward by a business.

It’s not surprising, therefore, that most businesses lining up for the GDPR are indicating that they are going to use legitimate interest and not consent as their basis for compliance.

Whatever the legal basis for processing data, individuals get a number of rights under the GDPR, including the right to know what data is collected about them, to get a copy of the data free of charge and to understand details of how the data is being handled — the purpose, how long it will be held, to whom it will be disclosed etc — as well as the right to rectify data, to restrict its processing or to have it erased. However, the business has up to one month to provide the information (possibly up to two months in some circumstances), which can be by “electronic means where possible”. The general rules are a long way from portability.

This split-personality approach to user rights in the GDPR disappears when personal data is in a “special category” (in other words, sensitive data, which deal with racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, health, sex life or orientation, or biometrics used for personal identification). Apart from some exclusions, such data can only be processed on the basis of explicit consent from the individual involved.

Also, if data is being processed pursuant to a contract (which is essentially a special form of consent), then users get the benefit of portability (but not the ability to withdraw their data, depending on the terms of the contract).

However, this hardly helps for data portability. Any organisation wishing to escape broad obligations can process non-sensitive data on the basis of legitimate interest and then request additional sensitive data on the basis of consent. Businesses that later enter into a contract with a consumer may take the same two-stage approach to data collection. Only the part of the data that has been collected by consent would be subject to the data portability provisions — and it’s hard to see that it would be useful for individuals to ask for a download of only this subset of their data.

The net conclusion from this is that the GDPR can be seen as a step along the path to giving individuals control over their own data, but that it is seriously flawed — or, at best, the benefits of “data portability” have been oversold. Unfortunately, it would take a change in legislation for this to be fixed, so we are probably years away from a solution.

This need not stop enlightened companies from providing full data portability, even if not required by the law. Let’s see who steps up to the table…

Footnote: the proposed ePrivacy Regulation does not recognise the concept of “legitimate interest” as the basis for data collection and requires consent from individuals in nearly all cases. However, it makes no provision for data portability.

[1] Article 29 Working Party “Guidelines on the right to data portability” (WP 242), revised 5th April 2017: http://ec.europa.eu/newsroom/document.cfm?doc_id=44099

[2] Article 29 Working Party “Opinion 03/2013 on purpose limitation” (WP 203), adopted 2nd April 2013: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf

[3] The Privacy Advisor, IAPP, 25th April 2017: https://iapp.org/news/a/european-commission-experts-uneasy-over-wp29-data-portability-interpretation/