New data protection law: Will I be able to demand a company sends my personal data directly to its rival in an easy to use format?
The right of “data portability” is one of the key new rights to be ushered in when the new General Data Protection Regulation (GDPR) takes effect sometime in 2018, and it will have important implications for both businesses and individuals.
In a nutshell, individuals will have the right to transfer personal data from one business to another and, indeed, to require that the business holding the data transmits it directly to the receiving business. This sounds good in principle, but the right is limited in some important ways.
Let’s fast forward to 2018 when the GDPR comes into force. Imagine you are a gym owner; a customer tells you of her desire to take advantage of the new portability right in order to have all of her personal data that you hold transferred to a rival gym. (While we use the gym as an example, the same principles will apply to all sorts of businesses.)
The data held by the gym
The gym holds contact details like name, address, email, telephone, date of birth and bank card details, as well as some data on the customer's weight and height and limited medical information. The customer has also provided to the gym some details of the kind of activity she wants to do (e.g. weights or cardio-vascular etc.) or the results she wants to achieve (e.g. losing weight, building muscle or maintaining general health).
But there is other data too. There are also records that the gym has kept of the dates and times of the customer's visits. Moreover, one of the gym’s instructors has worked with the individual to produce a detailed and customised exercise plan.
Is all of that data “portable”?
The short answer to this appears to be “no”. The portability right only attaches to data relating to a data subject "that he or she has provided to the controller" (emphasis added). So, it seems that any data not given to the gym – which in this case would include the personal exercise plan and the records the gym has of the dates and times the customer has visited – are excluded from the data portability right. These will be covered by a separate right, the right of access. That right, however, is only a right for the individual to receive an electronic copy and therefore stops short of entitling the individual to require a direct business-to-business transmission of data.
Looking at the data which was indeed provided to the gym by the customer, can the customer insist on a business-to-business transfer to the gym’s rival?
The answer in this case is, “it depends”.
Yes, the data subject “should have the right to obtain that the data is transmitted directly from controller to controller”. But that right only applies where such transmission is “technically feasible”. What that will mean in practice, and how much pressure data controllers, like the gym in this example, will be under to enable such direct transmission of personal data to rivals and other businesses, is of course open to interpretation. No doubt guidance will be forthcoming.
In the meantime, we must satisfy ourselves with the conclusion that the “technically feasible” proviso will restrict the impact of the new data portability right. At the same time, as we have already observed, the right will only bite on data that were provided to the business in the first place. Given these limitations on the data portability right, we may only have, if not a mere shadow of the right many campaigners were hoping for, then certainly a materially diminished version.