The Right to Data Portability
The Data Protection Regulation (GDPR) of 2016 aims at empowering natural persons, better referred to as data subjects, in their awareness regarding the processing of their personal data. For that reason, the GDPR provides for a number of rights that the data subject is free to exercise and that the controller of the processing has not only to accept but also to facilitate. Among those rights, data portability seems the most technical one and perhaps the easiest to implement. Yet, a number of issues arise when looking closely at the practical application of the right to data portability.
This essay aims to provide an overview of the concept of data portability and to question its application and regulation provided by the GDPR. The first part of the essay will be devoted to defining the concept of the right to data portability. The second part of the essay will focus on the positive scenario created and promoted by the use of the right to data portability, while the third part will analyze the negative sides of it. Finally, the essay will be focused on the attempt to draw some tentative conclusions on the tension between positive and negative consequences of the use of the right to data portability.
Definition and Legal Framework
The GDPR introduced the right to data portability under Article 20, according to which users have a right to receive from the controller data concerning them when the processing of data is carried out by automated means or based on their consent. The data shall be received in a structured, commonly used, and machine-readable format so that it can be easily moved from one controller to another, where technically possible. The provision also mentions, on the one hand, that the processing of data carried out in the public interest or by order of an official authority is a lawful limitation invokable by the controller, and on the other hand, the importance of not affecting others’ rights and freedoms in complying with data subjects’ requests.
Freedom to Leave
Article 20 of the GDPR represents the EU’s attempt to find a solution for the common tendency among controllers to store data in such a way that users have a hard time extracting it, forcing them to choose between leaving their data behind or giving up the idea of switching platforms, a phenomenon known as “customer retention” (Engels, 2016). Through this behavior, social media controllers secure higher profits, which largely depend on the number of users (Lanchester, 2016). Article 20 makes it possible to overcome lock-in scenarios created by social media and gives users control to decide when and where to transfer their data (European Commission, 2017). Furthermore, the provision’s reference to a user-friendly and common format provides additional control over data, minimizing the possibility of data not being suitable on other platforms.
Additionally, data portability reduces the chances of data being lost because of social media platforms ending their services or changing their policies (Castro, 2021). Once data is received in the required format, users can easily back it up.
Is Leaving Safe?
While a smooth flow of data seems appealing, security concerns may cloud the picture. A recently conducted experiment showed that 24% of the controllers involved turned over data without verifying that the request came from the data subject whose data was being transferred (Castro, 2021). This scary scenario, in which users are exposed to high risks of data theft, calls for efficient identity verification systems.
However, identity verification systems are not yet regulated by the GDPR or other EU regulations in terms of their use in data portability scenarios. This entails that the decision to implement them rests in the hands of controllers, most of them being private companies with little interest in making further voluntary efforts to protect personal data. In fact, it seems unlikely that private actors will decide to bear additional costs to implement identity verification systems if not obliged by law. This calls for an urgent intervention by EU legislators to fill a gap that only public bodies are suitable to fill.
Data Portability and Opposing Rights
A second problem arises when a user demands data from the controller that concerns another user, for instance, a picture of the two individuals together. As Article 20 provides, the right to data portability shall not jeopardize others’ rights. However, balancing opposing interests is not an easy task, and the wording of the provision allows for a wide margin of appreciation that can hinder the chance of applying the right to data portability (De Hert, Papakonstantinou, Malgieri, Beslay, Sanchez, 2018). In such instances, the first user’s request to obtain data from the controller should be balanced with the second user’s right to control data concerning himself, and a case-by-case approach seems inevitable, resulting in a slower application of the right. In fact, in the absence of clear provisions on the matter, a case-by-case approach would be the only possible solution, with consequences for the predictability of the law and with judges having an essential role in striking a balance between opposing interests. However, the European Union is mostly characterized by a civil law approach in which it is the role of the legislator to dictate the law and the role of the judge to implement it with little space for creativity.
A Narrow Scope of Application Hinders Efficacy
The third issue regards data that, although processed by the controller, was not provided directly by the user. Some data is acquired through the use of social media but is not directly provided by the user, e.g., cookies, preference settings, and location. Article 20 provides that the right to data portability can be exercised solely on data provided by the user to the controller, thus creating a rather narrow scope of application that can undermine its prominence. Consequently, important personal data cannot be controlled by the user even though it was provided indirectly through the use of social media or the acceptance of cookies. If these issues are not properly addressed, the right to data portability may endanger privacy more than it protects it. In fact, large amounts of personal data would not be considered in the sphere of control of the data subject, in evident contradiction to the rationale and objectives of the GDPR. On this note, the recent Digital Markets Act covers the gaps left by the GDPR. In fact, the right to data portability will encompass not only data directly provided by the data subject, but also data generated during the use of online platforms and services (Kranz, Kuebler-Wachendorff, Syrmoudis, 2023). Yet, the Digital Markets Act will only apply to online platforms that meet a specific set of quantitative and qualitative criteria, leaving some controllers free to disregard the more effective provision contained in the Digital Markets Act (Geradin, 2021).
The right to data portability was introduced with the GDPR as part of the set of rights attributed to the data subject. The rationale behind it is to empower natural persons by providing them with control over their personal data. In fact, the right to data portability attempts to overcome widespread issues such as consumer retention and high switching costs. Yet, the GDPR was not successful in avoiding practical issues that arise in the exercise of the right to data portability.
The most notable problem concerns the lack of safety measures linked to requests for data portability. Furthermore, the GDPR dedicates attention to opposing interests without clearly defining the criteria to solve possible tensions between parties' wishes. This leaves a legislative gap that judges are attempting to fill with creative judgments, in an anachronistic role for a civil law judge. The GDPR provision also lacks efficacy, being characterized by a rather narrow scope of effect.
The scenario that results from that is not as encouraging as the legislators of the GDPR thought it would be. Future EU legislation might put an end to the worrying issues that come with the application of the right to data portability. In the meantime, EU citizens are left in the hands of judges at best and in the hands of private controllers at worst.
Bibliographical References
Castro, D. (2021). Improving Consumer Welfare with Data Portability. Center for Data Innovation.
De Hert, P., Papakonstantinou, V., Malgieri, G., Beslay, L., Sanchez, I. (2018). The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Computer Law & Security Review 34(2).
Engels, B. (2016). Data portability among online platforms. Internet Policy Review 5(2).
European Commission. (2017). Commission Staff Working Document on the free flow of data and emerging issues of the European data economy. COM 9.
Kranz, J., Kuebler-Wachendorff, S., Syrmoudis, E. et al. (2023). Data Portability. Bus Inf Syst Eng.
Lanchester, J. (2017). You Are the Product. London Review of Books 39(16).
Geradin, D. (2021). What Is a Digital Gatekeeper? Which Platforms Should Be Captured by the EC Proposal for a Digital Market Act?