Out-Law News 4 min. read

New GDPR guidance: APIs can help businesses meet data portability obligations, says watchdog

Businesses should develop application programming interfaces (APIs) to help them transmit personal data directly to rivals at the behest of their customers under new EU data protection laws, a watchdog has said.

The Article 29 Working Party, which is made up of representatives of national data protection authorities based in the EU, made the recommendation in new guidance it has issued on the right to data portability (15-page / 389KB PDF) under the General Data Protection Regulation (GDPR).  The Working Party has also issued new guidance on data protection officers (18-page / 824KB PDF) under GDPR and on identifying a controller or processor’s lead supervisory authority (11-page / 491KB PDF) under the Regulation.

The three sets of guidance is the first specific guidance the Working Party has issued on aspects of the GDPR, which takes effect on 25 May 2018.

Under Article 20 of the Regulation, data controllers must make the personal data they possess available to consumers in "a structured, commonly used and machine-readable format" so that those consumers can share that data with rival companies "without hindrance" and to provide that data direct to other businesses at the request of consumers where it is "technically feasible".

Those data portability obligations only apply to data controllers that process personal data based on customer consent or to perform a contract involving the data subject and if the processing takes place by "automated means".

In its guidance, the Working Party said data controllers should "offer different implementations of the right to data portability".

"For instance, they should offer a direct download opportunity for the data subject but should also allow data subjects to directly transmit the data to another data controller," the Working Party said. "This could be implemented by making an API available. Data subjects may also wish to use of a personal data store or a trusted third party, to hold and store the personal data and grant permission to data controllers to access and process the personal data as required, so data can be transferred easily from one controller to another."

The Working Party also used its guidance to confirm that the right to data portability applies to personal data that people "knowingly and actively" provide to data controllers as well as data "generated by his or her activity". However, data that data controllers infer or derive from data provided to them by data subjects is not within the scope of the right to data portability, it said.

When providing data in accordance with the data portability rules, data controllers should attach "as many metadata with the data as possible at the best possible level of granularity" so as to preserve "the precise meaning of exchanged information", the Working Party said.

The watchdog said: "As an example, providing an individual with .pdf versions of an email inbox would not be sufficiently structured [to meet the requirements in the data portability rules]. E-mail data must be provided in a format which preserves all the meta-data, to allow the effective re-use of the data. As such, when selecting a data format in which to provide the personal data, the data controller should consider how this format would impact or hinder the individual’s right to re-use the data."

The Working Party also confirmed the right to data portability must be observed even in circumstances where data requested includes information about others too.

The Working Party said: "As an example, telephone records may include (in the subscriber’s account history) details of third parties involved in incoming and outgoing calls. Although records will therefore contain personal data concerning multiple people, subscribers should be able to have these records provided to them in response to data portability requests. However, where such records are then transmitted to a new data controller, this new data controller should not process them for any purpose which would adversely affect the rights and freedoms of the third-parties."

Data controllers that receive data about other people within the context of the data portability right "may not use the transmitted third party data for his own purposes" as it is "likely to be unlawful and unfair", the Working Party said. It also said there are steps data controllers can take to "further help reduce the risks for other data subjects whose personal data may be ported".

"All data controllers (both the ‘sending’ and the ‘receiving’ parties) should implement tools to enable data subjects to select the relevant data and exclude (where relevant) other data subjects’ data," it said. "Additionally, they should implement consent mechanisms for other data subjects involved, to ease data transmission for those cases where such parties are willing to consent, e.g. because they as well want to move their data to some other data controller. Such a situation might arise with social networks."

The Working Party said that data controllers should inform data subjects of their right to data portability, including when customers decide to close accounts with them. It also explained that data controllers will generally be unable to charge people that exercise their right to data portability.

"There should be very few cases where the data controller would be able to justify a refusal to deliver the requested information, even regarding multiple data portability requests," the Working Party said. "For information society or similar online services that specialise in automated processing of personal data, it is very unlikely that the answering of multiple data portability requests should generally be considered to impose an excessive burden."

"In addition, the overall cost of the processes created to answer data portability requests should not be taken into account to determine the excessiveness of a request. In fact, Article 12 of the GDPR focuses on the requests made by one data subject and not on the total number of requests received by a data controller. As a result, the overall system implementation costs should neither be charged to the data subjects, nor be used to justify a refusal to answer portability requests," it said.

Data controllers are not obliged to retain customer data "simply to service a potential data portability request", and they may not have to delete the personal data they hold on someone just because they have complied with that person's right to data portability, it said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.