Out-Law News | 04 May 2018 | 11:40 am | 2 min. read
The Information Commissioner's Office (ICO) clarified the issue in new guidance on the data portability rules that will apply under the General Data Protection Regulation (GDPR). The GDPR will apply from 25 May.
Under the GDPR, data controllers must make the personal data they possess available to consumers in "a structured, commonly used and machine-readable format" so that those consumers can share that data with rival companies "without hindrance" and to transmit that data direct to other businesses at the request of consumers where it is "technically feasible".
Those data portability obligations only apply to data controllers that process personal data based on customer consent or to perform a contract involving the data subject and if the processing takes place by "automated means". Only information that the individual provides to the data controller is subject to the data portability rules.
The ICO said, though, that businesses that pseudonymise data will not be exempt from the obligations.
"The right to data portability only applies to personal data," the ICO said. "This means that it does not apply to genuinely anonymous data. However, pseudonymous data that can be clearly linked back to an individual (e.g. where that individual provides the respective identifier) is within scope of the right."
In its guidance, the ICO also explained that personal data that an individual has 'provided' to a controller may include not just obvious information such as their mailing address, username and age, but also data that results from observation of their activities. This could include "history of website usage or search activities; traffic and location data; or ‘raw’ data processed by connected objects such as smart meters and wearable devices", the watchdog said.
However, the ICO said that data subject to the portability requirements will not include information business create that is "based on the data an individual has provided", such as profiling information. Individuals may still request disclosure of that information to them under the subject access request rules that will apply under the GDPR, however, it said.
The ICO also confirmed that businesses can meet their data portability obligations by making automated tools available to individuals that allow them to extract requested data themselves, and said businesses that develop application programming interface (APIs) will be able to "facilitate data exchanges with individuals and respond to data portability requests in an easy manner".
Businesses are not required, under the GDPR, to "adopt or maintain processing systems which are technically compatible with those of other organisations", but they are encouraged develop interoperable formats that enable data portability and should not "create a barrier to transmission" of information, the ICO said.
The ICO's guide provided examples of open data standards that businesses can conform to to comply with the data portability requirements.
It said: "CSV, XML and JSON are three examples of structured, commonly used and machine-readable formats that are appropriate for data portability. However, this does not mean you are obliged to use them. Other formats exist that also meet the requirements of data portability."
Further guidance on the time limit that businesses must adhere to for responding to data portability requests was outlined by the watchdog.
"You must act upon the request without undue delay and at the latest within one month of receipt," the ICO said. "You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month."
"If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond. This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made," it said.
Businesses will be able to extend the deadline for meeting the portability requirements to three months in cases where requests from an individual are complex or multiple in number, according to the guide.