Copyright © Media Law International 2017. All Rights Reserved.
Specialist Guide to the
Global Leaders in Media Law Practice
The influence of these data protection laws was not limited to the European region. They set trends and standards for other countries and raised the level of personal data protection elsewhere, especially in countries with strong ties to Europe (such as the US).
The concept of data portability is not known to the Directive. When the Directive was enacted, the amount of data processed was substantially smaller. The technical means of the time also did not allow for such easy processing, or for deriving personal data from our habits, activities etc. Outside the field of personal data, however, the concept of a portability right has been known in other fields, for example number portability in the telecommunications sector.
The subscriber of telecommunication services has a right to demand from the provider that the number be transferred to another network. The provider cannot object and must make the process smooth and easy. This trend recognized the importance of a phone number as one of the main assets of a person or entity. Initially, number portability also caused many discussions and controversies. Now it seems to be an obvious right of a subscriber.
The amount of personal data processed and the importance of this information to the trans-border market caused the European Union to rethink its data protection strategy. The General Data Protection Regulation (GDPR) will replace the Data Protection Directive from May 25, 2018.
The GDPR is directly applicable in each member state and will harmonize the rules across EU member states. The GDPR’s goal is to increase awareness of the importance of data protection by imposing more obligations on data processors, and to strengthen individual rights.
All data-sensitive products and services will have to implement protective measures from the beginning, and controllers will be required to introduce procedures to monitor data processing at each stage of service use. Controllers will be obliged to evaluate the risk of any infringements as well as to report any such infringements immediately.
Among others, the GDPR introduces new rights for consumers of online services, including the right to data portability. This right allows data subjects to receive the personal data which they have provided to a data controller (based on consent or agreement) in a structured, commonly used and machine-readable format, and to transmit those data to another data controller without hindrance. This right shall allow for easy access to the data and for its relocation.
Many commentators view data portability as an attempt to deal with so-called “Big Data”. Many services, based on our behaviors and activities on the Internet, gather information about us that we are not aware of.
Data portability could be a response to such practices, allowing data subjects to have access to all such information and not only to information directly provided to the data controller. The Guidelines on the right to data portability made by the Article 29 Data Protection Working Party stress: “this right also represents an opportunity to “re-balance” the relationship between data subjects and data controllers, through the affirmation of individuals’ personal rights and control over the personal data concerning them”.
The GDPR’s article 18(2) provides that: “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured and commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided, where:
(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means”.
If controllers process personal data through “automated means”, the data subjects have the right to receive the personal data concerning them. Controllers must provide the data in a commonly used and machine-readable format, and data subjects have the right to transmit that data to any other controller that they choose. It has not so far been defined what “commonly used format” means, and from the practical point of view this may cause some constraints for data processors. The answer should be given in the near future in the regulations following the GDPR.
Currently data processors use different and not always compatible formats of data storage. Still, recital 68 clarifies that controllers will not be required to adopt systems that are technically compatible. These differences may prove especially complicated if one controller is obliged to transfer data to another controller (sometimes a competitor).
The practical implementation of “data portability” may be difficult because the provision uses many undefined terms, such as “machine readable”, an “electronic and interoperable” format, and a transfer which is “technically feasible and available”.
Some definitions or guidelines to definitions may be found in other legal acts, but most likely the interpretation will be shaped by industry standards and the technology available. The industry, though, should use formats that do not limit automatic processing and should avoid formats from which data cannot be extracted.
The implications of data portability for data subjects seem to be enormous. Data subjects nowadays are not aware of the amount of personal data being processed. It is often said that the processors know more about us than our family does, or even than we know about ourselves.
This is a powerful but dangerous tool in the hands of controllers. Individuals should have access to all such data (including “big data”) and should have a free right to transfer it elsewhere. It will allow individuals to unify all content stored by different service providers.
As always, there is another side of data portability: the view of data controllers. In many cases, especially in the case of smaller providers, the investment, both financial and organizational, may be disproportionate. Moreover, the obligation to transfer may expose the original controller to disclosure of know-how and other intellectual property rights. It may also cause a substantial asset (data structured in certain ways) to be lost. On top of that, the GDPR does not limit how many times the data subject may use this right.
This can be another organisational issue for controllers to cope with. Looking at the past activity of the consumer regulators, it seems that this could be another field of intervention if controllers try to impose limitations on the number of requests or try to introduce fees for the requests.
Data portability seems like a forward-thinking move by the regulator. A lot will depend on the industry standards. Therefore the industry should be encouraged to work on such standards before the regulators intervene and before consumers and competitors start to abuse this right.
Agnieszka Wiercinska-Kruzewska is a co-founder and senior partner at WKB and head of the intellectual property and TMT team; she also cooperates closely with the M&A team. She is a graduate of the Faculty of Law and Administration at Adam Mickiewicz University in Poznań. As a holder of the Soros Foundation scholarship at the Central European University in Budapest, she completed an LL.M course in international commercial law. She advises clients on all aspects of copyright, industrial property, consumer law, unfair competition, personal data protection, internet domains, press law and protection of personal rights. Agnieszka also has extensive experience in legal advisory services concerning sensitive product marketing and gambling. Within her areas of practice, apart from providing ongoing advice, she represents clients in litigation and arbitration proceedings. She has many years’ experience in the acquisition of companies on the private market.
WKB Wiercinska, Kwiecinski, Baehr
The European Union has been the leader in personal data protection concepts for years. Governments realised the importance and value of such data back in the 90’s. It started with the European Union Data Protection Directive in 1995 (95/46/EC). Based on the Directive, member states enacted their own legislation, more or less alike, but the coordination of trans-European data transfers still caused a lot of problems.