Data portability under existing data privacy laws

Existing data privacy-related laws, such as the EU GDPR, UK GDPR, and newer US state consumer data privacy laws like the California Consumer Privacy Act, already provide individuals with various data portability rights for their personal data. In practice, however, the data portability rights under these laws have not always led to the benefits that may have been envisioned by lawmakers. For example, these data portability rights are subject to various restrictions, such as technical feasibility. Consequently, individuals may find it difficult to move their data from one organisation to another given different technical set-ups of the relevant services.

Data portability under newly enacted EU legislation

Under the Digital Markets Act (DMA), so-called ‘gatekeepers’ (ie, companies that provide core platform services, such as online search engines, online marketplaces and social networking services) must provide users with effective portability of data provided by the end user or generated through the activity of the user in the course of using the relevant service.

In particular:

• The DMA provides that these new data portability rights apply not only to individual end users but also to enterprise users of these services.
• Unlike its GDPR equivalent, the data portability right under the DMA is not restricted to personal data. Other types of data covered by the DMA may include technical or performance data without any personal reference to the user.
• Gatekeepers are required to provide free of charge tools to facilitate the effective exercise of data portability and the provision of continuous and real-time access to the data.

Another recent EU data access right, which could also be used by consumers to move their data from one service provider to another, is included in the Digital Content Directive. This specifically targets the relationship between consumers and organisations that act for purposes relating to their trade, business, craft, or profession in relation to digital content and digital services contracts (traders). In particular, if a B2C contract regarding the supply of digital content or a digital service is terminated, the trader must make available to the consumer any content other than personal data (since that is governed by the EU’s GDPR) that was provided or created by the consumer during the supply of the digital content or digital service. Such content may include user-generated technical or performance data.

Additional proposed data portability in draft EU and UK legislation

Data portability will also play a key role in various upcoming EU proposed laws that are part of the EU Digital Strategy.

The EU’s draft Data Act, aiming to facilitate data sharing between organisations, includes several mechanisms which look to ensure data portability by users, whether the users are consumers or businesses:

• Granting users of Internet of Things (IoT) products and related services the rights to access and use data generated by using IoT products and, if requested by the user, to share such data with third parties, eg, other IoT service providers.
• Requiring IoT products to be designed and manufactured in a manner that data generated by their use is, by default, easily, securely and, where relevant and appropriate, directly accessible to the user. Where such data cannot be directly accessed by the user, the relevant data holder must make available to the user the data generated by its use of a product or related service without undue delay, free of charge and, where applicable, continuously and in real-time.
• Obliging providers of certain data processing services (eg, those providing infrastructure, platforms or software as a service) to enable users to efficiently switch between these services. This includes obligations to remove commercial, technical, contractual and organisational obstacles that might inhibit customers from moving data, applications and other digital assets to another provider.

Closely connected to the Data Act, the European Commission envisages establishing so-called ‘Common European data spaces’ for several key sectors. For the health and finance sector, the European Commission has already published drafts regulating such data spaces. In line with the goal of granting patients and customers of financial institutions further control over their data, the drafts suggest sector-specific data portability rights.

(Source: UK Competition and Markets Authority)

Similarly, UK lawmakers are also considering various government-backed draft laws that seem likely to create new data portability rights and obligations, such as:

• The UK’s equivalent of the EU’s DMA, the draft Digital Markets, Competition and Consumers Bill. The Bill would create new powers for the UK competition authority, allowing it to make various interventions in digital markets to encourage competition, especially targeting larger companies designated as having ‘Strategic Market Status’ (SMS). The UK government has suggested those new powers might be used to require SMS businesses to allow greater interoperability or data access.
• The UK’s draft Data Protection and Digital Information (No.2) Bill, which would allow the UK government to introduce ‘smart data schemes’ across the UK economy in the hope of replicating the perceived success of the UK’s existing ‘Open Banking’ scheme. These new schemes envisage both business and consumer customers being able to require that traders share certain data with the customer or its third-party providers. The Bill’s Impact Assessment suggests the financial services (including pensions and insurance), energy and telecommunications sectors are likely to be early candidates for a UK smart data scheme.

Looking ahead

Lawmakers in the EU and the UK are currently introducing laws which include new data portability rights going beyond the data portability rights under existing privacy laws.

This is a trend other jurisdictions might follow, just as the EU GDPR led to reforms of data privacy laws in many jurisdictions.

The practical effects of each data portability right can be quite different, especially given their different scope and the possible limitations under each of the relevant laws.

Organisations should start assessing:

• the necessary updates to their processes to comply with these rights; and
• to what extent they might benefit from new data portability rights allowing them access to data they were previously not able to receive and use.

Back to top.