What is Data Portability under GDPR?

Data Portability, under the General Data Protection Regulation (the "GDPR"), is a right given to data subjects (individuals) that allows them to request, receive, and reuse their personal data for their own purposes across different services. This means that they can move, copy or transfer their data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

The aim is to enable consumers to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits. The right to data portability only applies to personal data an individual has provided to a data controller where the processing is based on the individual's consent or for the performance of a contract.

Which provision of GDPR speaks of data portability?

The right to data portability is outlined in Article 20 of the General Data Protection Regulation (GDPR). This provision allows individuals to either obtain a copy of their personal data from the data controller (the person who collects and processes the data) in a format that is structured, commonly used and machine-readable, or have their personal data transferred from one data controller to another, if technically feasible. This provision is aimed at increasing the control individuals have over their personal data.

Are there any data protection and privacy risks associated with data portability?

Yes, there are potential data protection and privacy risks associated with the right to data portability under GDPR. A few of them are:

  1. Data Security: Providing or transferring large volumes of data securely can be challenging. In case of any breach during the transfer process, sensitive information could be exposed.
  2. Misidentification: Misidentification of individuals can lead to the sharing of someone else's data, which is a significant privacy violation.
  3. Third-Party Misuse: Once the data is transferred to a new service provider or entity, ensuring this third party adheres to data protection regulations can be problematic.
  4. Incomplete Data Extraction: Some systems may not support extraction of all data, or extraction in the required format, resulting in the user receiving incomplete data.
  5. Overload of Information: Users might obtain more information than they need or can interpret, leading to potential confusion and poor decision-making.

These risks highlight the importance of having robust and secure processes for data portability in place.

What are the safeguards required under GDPR to make Data Portability safe and secure?

The GDPR outlines a number of safeguards and requirements to ensure data portability is safe and secure:

  1. Encryption: Data must be transferred in a secure, encrypted manner to prevent interception and protect the user's privacy.
  2. Verification: Before processing a data portability request, a verification mechanism should be in place to conclusively identify the person making the request, to avoid data being handed over to the wrong person.
  3. Privacy Impact Assessment: A Privacy Impact Assessment (PIA) should be carried out when developing tools to facilitate data portability. This helps determine potential risks and how to mitigate them.
  4. Mechanism for Data Transfer: The data controller should use a safe, structured and machine-readable medium for the data transfer.
  5. Duty of Care: The third-party recipient of transferred data has a duty of care towards that data, meaning they must take steps to ensure its security and confidentiality.
  6. Data Minimization: Only data necessary for the fulfillment of the service should be transferred to reduce the risk of unauthorized access to irrelevant personal data.

These measures collectively ensure that data portability is respected and executed in a way that maintains the safety and security of an individual's personal data.

Why do some nations shy away from implementing data portability as part of their privacy rights?

There are several reasons why some nations may not fully embrace data portability as part of their privacy rights:

  1. Technological Challenges: Implementing data portability requires robust and effective technological infrastructure. Some countries may lack these resources or the capabilities to manage them effectively.
  2. Security Concerns: Data portability does pose potential security risks. Some countries may be more apprehensive about these risks and therefore reluctant to mandate data portability.
  3. Legal Limitations: Some countries may have legal restrictions or lack the necessary legislation to enforce data portability.
  4. Economic Impact: The cost of implementing data portability can be high for businesses, which could impact the economy, especially for smaller businesses.
  5. Competitive Advantage: Data is a valuable business commodity. Some nations may prefer to avoid introducing policies that could potentially diminish their businesses' competitive advantage.
  6. Cultural Factors: Different nations have different perspectives and levels of concern about data privacy. In some cultures, data portability is not seen as a necessity, which can influence the implementation of these rights.

Conclusion and Way Forward

Data Portability under GDPR is a crucial right that empowers individuals to request and transfer their personal data across different services, enhancing their control over their information, though this comes at a cost. Implementing it is not without challenges, including potential data security risks, misidentification, and third-party misuse. To mitigate these risks, GDPR mandates various safeguards, including encryption, verification mechanisms, privacy impact assessments, and data minimization.

Data Portability is a forward-looking right that has no counterpart in India's Digital Personal Data Protection Act, 2023. Under the GDPR, the right is only enforceable where certain specified processing grounds are satisfied, such as carrying out official tasks, furthering the public interest, or advancing the legitimate interests of an organisation. The right may therefore have been omitted for several reasons, including its inapplicability in the Indian context and the high costs associated with its implementation.

The Srikrishna Committee Report (the "Report") can be used as a model to implement data portability in India. The Report placed significant emphasis on the need to enable individuals to exercise control over their personal data by granting them access and the capacity to transfer their data in a format that is both machine-readable and interoperable. Further, to ensure a balanced and feasible application of the right to data portability, the Report also recommended that it should be exercised only when a data fiduciary can demonstrate that the required access or transfer is technically achievable. For this, the Data Protection Board should set a code of practice in order to standardise the technical feasibility of implementing data portability.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.