The right to data portability in practice

Legal conditions for exercising the right to data portability

Looking at the legal text, there are already some concrete requirements for the right to data portability.

First of all, it must be the personal data of the data subject that the data subject has provided to a controller. This means that data which the controller has determined itself is already excluded from the scope of application. The same applies if he has drawn his own conclusions from the data provided.

Furthermore, the data controller must provide the data in a structured, common and machine-readable format. Machine-readable data is always electronic data. However, information on paper can also be machine-readable if it can be easily scanned and made machine-readable. Common formats are those that are not proprietary and can be processed without much effort. Data is structured if the original format remains in some form. If, for example, individual chat messages are summarised in continuous text, the structured nature is presumably no longer given, since another controller cannot simply continue to use this data.

In addition, data portability must only be guaranteed if the data processing is based on consent pursuant to Art. 6 (1) (a) UK GDPR or Art. 9 (2) (a) UK GDPR or is based on a contract pursuant to Art. 6 (1) (b) UK GDPR.

Data processing on the basis of legal commitments pursuant to Art. 6 (1) (c) UK GDPR and for the protection of legitimate interests pursuant to Art. 6 (1) (f) UK GDPR falls outside the scope of application. Likewise, this right does not apply to processing activities that are necessary to perform a task in the public interest or in the exercise of official authority. This is clarified in Art. 20 (3) sentence 2 of the UK GDPR.

However, the right to data portability only covers processing activities that are carried out with the help of automated procedures. This generally excludes processing activities that are not machine-readable and would have to be read in for data portability. Paper files are therefore generally excluded from the right to data portability.

Paragraph 3 also clarifies that in addition to the right to data portability, there is also the right to deletion. Simply because of existing retention obligations, especially in the context of contract processing, automatic deletion cannot take place upon transfer. Therefore, the data subject still has the right to erasure, independent of the right to data portability.

Finally, Art. 20 (4) UK GDPR states that the rights and freedoms of other persons must not be affected. This commitment is incumbent on the data subject, as the controller is usually unable to check whether the rights of other persons have been affected. In addition to data protection aspects, these rights and freedoms also include other intellectual property rights, such as copyrights and trade secrets.

Aim of the right and scope of application

In practical terms, Art. 20 (1) UK GDPR deals with the transfer of personal data from one controller (the providing controller) to another controller (the receiving controller). Although the data subject can also demand that the data be handed over to him or her, this right is very similar to the right to a copy under the right of access pursuant to Art. 15 (3) UK GDPR. However, the latter goes further, as it does not only cover data provided by the data subject himself. Therefore, a data subject is usually more likely to assert the right of access pursuant to Art. 15 UK GDPR.

In essence, the data subject right to data portability is intended to ensure the simple transfer of data to another controller. This may be necessary, for example, to enable or facilitate a change of provider. This is shown above all by Art. 20 (2) UK GDPR, which is intended to enable the transfer directly from the providing to the receiving controller. In addition, this should also prevent the so-called “lock-in effect”, i.e. being tied to one provider because a change is too inconvenient. In this way, the legislator has indirectly placed a focus on social networks, which could otherwise prevent a simple switch due to this effect.

Even if the exact practical scope of application is disputed in the literature, most commentators agree that Art. 20 UK GDPR is not applicable to many data processing operations. Besides social networks, other portals and systems are conceivable where a change of provider also depends on the data transfer. These include, for example, cloud providers or webmail providers. However, commercial clouds do not only contain personal data concerning the claimant, which is why the standard is probably not applicable here. The situation is similar for webmail providers.

Practical implementation of the right to data portability

In practice, when a request for data portability is made, the first thing to check is whether the legal requirements are met for the provider’s own services. If this is the case, the providing controller must release the personal data accordingly or, if this is technically possible and desired, forward it directly to the receiving controller.

According to Art. 12 (3) UK GDPR, this right of the data subject must also be fulfilled without delay, but within one month at the latest. In order not to be pressed for time, it makes sense to check in advance whether your own data processing activities fall within the scope of Art. 20 UK GDPR. If this is the case, the controller must ensure that it can release the data in a structured, common and machine-readable format. The release must take place via encrypted channels.

Conclusion: Right to data portability hardly plays a role

Due to the limited scope of application as well as the exceptions and the possibility of the right of access according to Art. 15 UK GDPR, the right to data portability will lead a shadowy existence and will only be relevant for a few data controllers. This will be the case at least until the legislator makes improvements that extend the scope of application to other practical cases.