Is the right to data portability causing confusion?

May
30

With data portability being one of the key provisions, it seems that some companies are struggling to fully understand it.

The new European privacy regulations went into effect on Friday that will force companies to be more attentive to how they handle customer data. This created ramifications from day one, as major U.S media outlets were forced to shutter their websites in parts of Europe.

With dozens of emails going out, privacy activists wasted no time in taking action against U.S. tech giants for allegedly acting illegally by forcing users to accept intrusive terms of service or lose access.

The European Union General Data Protection Regulation (GDPR) replaces the bloc’s patchwork of rules dating back to 1995 and heralds an era where breaking privacy laws can result in fines of up to 4 percent of global revenue or €20 million ($23.5 million), whichever is higher, as opposed to a few hundred thousand euros.

Many privacy advocates have hailed the new law as a model for personal data protection in the internet era and called on other countries to follow the European model.

The GDPR clarifies and strengthens existing individual rights, such as the right to have one’s data erased and the right to ask a company for a copy of one’s data.But it also includes entirely new mandates, such as the right to transfer data from one service provider to another(data portability)and the right to restrict companies from using personal data.

Activists are already planning to use the right to access their data to turn the tables on internet platforms whose model relies on processing people’s personal information.

That means companies have had to put in place processes for dealing with such requests and educating their workforce because any non-compliance could lead to stiff sanctions. Studies suggest that many companies are not ready for the new rules. The International Association of Privacy Professionals found that only 40 percent of companies affected by the GDPR expected to be fully compliant by May 25.

One key provision of GDPR, the right to data portability, is causing particular confusion. “I think the data portability rights are pretty significant and are going to take a while for people to figure out what the bounds of them are and how to go about complying with them,” said David Hoffman, associate general counsel and global privacy officer at Intel.

For example, music streaming services such as Spotify create playlists for users based on their music preferences. While a user seeking to exercise the data portability right would be able to move playlists he or she created, the situation becomes fuzzy if the playlists are created by the streaming service using algorithms.

EU data protection authorities said individuals should be able to transfer data provided by them but not “derived data” created by the service provider such as algorithmic results.

“It’s not obvious that you can necessarily migrate the data from your system to somebody else’s system,” Tanguy Van Overstraeten, of Linklaters, said.

On the business side, companies are rushing to renegotiate contracts with suppliers and service providers because GDPR increases their liability if something goes wrong.

Data processors which only process or store the data on behalf of their clients, for example cloud computing providers, will be directly liable for sanctions and could face lawsuits from individuals, and that needs to be reflected in contracts.

Find out how IDLink can help you understand data portability and help your business have access to it.  www.idlink.eu

Kristina Lund
Partner at SafeOnline