When the General Data Protection Regulation (GDPR) No 2016/679 becomes applicable on May 25th, 2018, the right to data portability will occupy a broader place within data protection legislation.
As a reminder, data portability is a data subject’s “right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance” (article 20 of the GDPR). It can only be exercised under four specific conditions. Mathias Avocat wrote an article on the subject.
An important question concerns data controllers’ liability and the form in which the data must be transferred when a request is made. In other words, what are data controllers’ duties under the GDPR regarding the right to data portability? And to what extent can a data controller be held liable for processing carried out by another data controller or by the data subject himself or herself?
Although the United States has a patchwork of federal and state legislation, while the GDPR will harmonize the Member States’ data protection legislation, it is interesting to compare both systems and the standards they set. The Health Insurance Portability and Accountability Act (HIPAA) offers a similar right to data portability and has standards similar to those of the GDPR.
Is the data controller liable?
It must be kept in mind that the right to data portability does not apply to data controllers exercising a mission of public interest. Data portability requests are free of charge unless a request is manifestly unfounded or excessive (article 12, 5° of the GDPR).
The data controller that receives personal data following a data portability request is solely responsible for its subsequent processing. The receiving data controller must comply with the principles and obligations set out in the GDPR, such as the lawfulness of the processing, the accuracy of the personal data and the security of the personal data. If a data subject requests that his or her personal data be communicated directly to him or her, he or she alone is responsible for any processing he or she then undertakes. As such, the data controller sending or transferring the personal data is no longer liable for that subsequent processing.
Furthermore, the data controller has a limited time to answer a data portability request. Under article 12, 3° of the GDPR, the data controller must respond “without undue delay” and, in any event, “within one month of receipt of the request”. This applies even if the data controller denies the request: he or she must still respond within a month and explain the grounds for the refusal. The time limit may be extended to 3 months if the request is complex, but the data controller must still inform the data subject within a month of the postponement and of the reasons for the extension.
Finally, the data controller must inform data subjects of their right to data portability (article 12, 1° of the GDPR) and, according to the WP29, put in place authentication procedures to verify the identity of the requesting data subject (Guidelines on the right to data portability of April 5th, 2017).
Under HIPAA (45 C.F.R. 164.524(c) and (d)), the covered entity must also respond in a “timely manner”, within a month of the request. The request can be subject to a “reasonable, cost-based fee” under certain conditions. The Act is enforced by the Office for Civil Rights within the Department of Health and Human Services, which can launch investigations; a data controller found to be in violation of HIPAA can be fined up to $1.5 million in civil penalties (45 C.F.R. 160.404) and face up to $250,000 in criminal fines and/or up to 10 years in prison (45 U.S.C. 1320d-6).
How must the data be transferred?
Article 20 of the GDPR specifies that the data must be provided or transferred in “a structured, commonly used and machine-readable format”. The data controller is free to choose the means or methods by which he or she provides or transfers the personal data, as long as these requirements are met. They guarantee a format that can be re-used by either the data subject or the receiving data controller.
A machine-readable format is a “file format that is structured in such a way that software applications can easily identify, recognize and extract specific data from it” (recital 21 of Directive No 2013/37).
The WP29 recommends that data controllers choose interoperable formats to facilitate the transfer of data between them. According to the international standard on information and security management, ISO/IEC 2382-01, interoperability is “the capability to communicate, execute programs, or transfer data among various functional units in such a way that requires the user to have little or no knowledge of the unique characteristics of those units”.
To continue the comparison, under HIPAA (45 C.F.R. 164.524(c)), personal health data must be made accessible in the format requested by the individual or in a readable format agreed upon between the entity and the data subject.
Practical implications of the right to data portability
Data controllers must start thinking about interoperability and about efficient ways to transfer, share and secure personal data when a request is made. If a data controller is unable to answer a data portability request, he or she may be found in violation of the GDPR.
They should also consider the extent of their liability with regard to the right to data portability and ensure that they will be able to inform data subjects and respond to their requests.
The right to data portability is a key element of the GDPR and should not be disregarded.