| Glossary | Politics & Regulation | Data portability

Definition and delimitation

In the General Data Protection Regulation (GDPR), the right to data portability (RDP) is one of the rights of rectification and erasure of the data subject. A distinction must be made between the two approaches of Article 20 (1) and (2), which concretise the right to data portability, as follows:

“1. the data subject shall have the right to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used and machine-readable format, and he or she shall have the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, provided that,

a. the processing is based on consent pursuant to Article 6 (1)(a) or Article 9 (2)(a) or on a contract pursuant to Article 6 (1)(b); and,

b. the processing is carried out by automated means.

2. When exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to obtain that the personal data be transferred directly from one controller to another controller where technically feasible.”

The first approach, Art. 20 (1) GDPR implies a two-step data transfer, where users first request a data export from their current online service provider (OSP) and then a data import of exactly these data from a new OSP. Art. 20 (2) GDPR, on the other hand, combines these two steps into a direct data transfer without the need for the user as an intermediary.

No precise definitions were provided by the legislator for individual components of the GDPR, which is why a precise delimitation is difficult. For example, it is unclear whether the wording “provided to a controller” in Article 20 (1) of the GDPR only covers received data (data entered consciously, such as a restaurant review) or received and observed data (data recorded via sensors, such as the location of the restaurant).[1] Furthermore, there is a lack of a precise specification on the “structured, common and machine-readable format” Art. 20 (1) GDPR. Only the term “machine-readable” was defined by the EU as a format that is structured in such a way that it makes certain data, such as individual factual representations and their internal structure, easily identifiable, recognisable and extractable for applications.[2]

History

The introduction of the GDPR, and thus also the right to data portability, serves the purpose of strengthening individual data sovereignty and the protection of personal data. The theoretical intentions of the GDPR are to reduce transaction costs and lock-in effects, to strengthen user choice and privacy, and consequently to intensify competition in the highly concentrated market of OSP.[1]

Application and examples

Direct data porting from one OSP to another in the sense of Art. 20 (2) GDPR is currently hardly possible due to the lack of infrastructure.[3] The development of such an extensive infrastructure is a time-consuming and complex undertaking, which various projects have taken on, such as:

Alternatively, individuals can resort to indirect data portability in the sense of Art. 20 (1) GDPR. In this case, a request for data export must first be submitted to the previous OSP in order to subsequently order the import of these data from the desired new provider or to carry out the import manually. However, the requirements of the right to data portability regarding the duration, format, and scope of the data of a data export are largely not met: Only 28.6% of a sample of 182 OSPs met all requirements and are thus compliant with Art. 20 (1) GDPR. At the same time, most of the providers in this sample did not provide import options (76.8%).[3]

Criticism and problems

The right to data portability fails to live up to its high potential to drive digital competition and strengthen users’ privacy and control over their data.

It is both the least known right of the GDPR [4] and the most difficult to grasp and understand. As a result, although individuals may, in some cases, have an interest in switching their current OSP, many fail to do so – often due to insufficient knowledge of comparable alternative providers, lack of switching experience, or fear that porting is very complex and data and information could be lost.[5]

Furthermore, the more restrictive approach of the term “provided” of Art. 20 (1) GDPR implies a conscious action of the user so that only received data provided directly by the individual can be taken into account. However, a more comprehensive approach that includes both received and observed data would do more justice to the overall objective of the GDPR. Moreover, there is not only a lack of a clear definition of the required “structured” data, but also a lack of a clear definition of the required “structured” data[n], common[n] and machine-readable[n] Format” Art. 20 (1) GDPR, but rather these specifications are a required minimum, as the overall objective is to facilitate the interoperability of data.[6]

The question of how a direct transfer between services should work from a technical point of view also remains unresolved, as the exact implementation of the GDPR has not been clearly defined by the legislator. The lack of standardisation, compatibility, and interoperability complicates the transfer of data between different OSPs and creates additional room for identity theft or abuse, as bypassing a single authentication step can already allow access to extensive and sensitive user data.[7][8] In addition, ensure that the user interface and design decisions ensure ease of use and reliability to avoid tempting people to choose unintended and potentially harmful options.[9][10] Interdependent privacy considerations are another challenge, as they involve data linked to multiple individuals, e.g. social connections.[11][12]

Research

At bidt, the project “Awareness, Motivation and Implementation of Data Portability – Strengthening Radical and Disruptive Innovations through Improved Data Portability” investigates,

  • how psychological factors influence awareness and acceptance of data portability,
  • what preference and acceptance users have for data portability solutions,
  • how economic incentives affect users and OSP,
  • which design principles are necessary,
  • what possibilities there are for applying the RDP,
  • what solutions are proposed for the practical challenges of the law.

Sources

[1] De Hert, P., Papakonstantinou, V., Malgieri, G., Beslay, L., & Sanchez, I. (2018). The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Computer Law & Security Review, 34(2), 193-203.

[2] Richtlinie 2003/98/EG über die Weiterverwendung von Informationen des öffentlichen Sektors.

[3] Syrmoudis, E., Mager, S., Kuebler-Wachendorff, S., Pizzinini, P., Grossklags, J., & Kranz, J. (2021). Data Portability between Online Services: An Empirical Analysis on the Effectiveness of GDPR Art. 20. Proceedings on Privacy Enhancing Technologies, 3, 351-372.

[4] Special Eurobarometer 487a: The General Data Protection Regulation.

[5] bidt-Blog: Datenportabilität – Bedeutungsvoll, aber kaum bekannt.

[6] Article 29 Data Protection Working Party: Guidelines on the right to data portability.

[7] Di Martino, M., Robyns, P., Weyts, W., Quax, P., Lamotte, W., & Andries, K. (2019). Personal Information Leakage by Abusing the {GDPR}’Right of Access’. Paper presented at the Fifteenth Symposium on Usable Privacy and Security.

[8] Grossklags, J., Christin, N., & Chuang, J. (2008). Secure or insure? A game-theoretic analysis of information security games. Paper presented at the Proceedings of the 17th international conference on World Wide Web.

[9] Bridges, F., Appel, L., & Grossklags, J. (2012). Young adults’ online participation behaviors: An exploratory study of web 2.0 use for political engagement. Information Polity, 17(2), 163-176.

[10] Mathur, A., Acar, G., Friedman, M. J., Lucherini, E., Mayer, J., Chetty, M., & Narayanan, A. (2019). Dark patterns at scale: findings from a crawl of 11K shopping websites. Proceedings of the ACM on Human-Computer Interaction, 3(CSCW), 1-32.

[11] Pu, Y., & Grossklags, J. (2017). Valuing friends’ privacy: Does anonymity of sharing personal data matter? Paper presented at the Thirteenth symposium on usable privacy and security.

[12] Weidman, J., Aurite, W., & Grossklags, J. (2018). On sharing intentions, and personal and interdependent privacy considerations for genetic data: A vignette study. IEEE/ACM transactions on computational biology and bioinformatics, 16(4), 1349-1361.