EU Data Protection Regulation consultation on "right to portability"


#1

The General Data Protection Regulation is coming online in May 2018 in Europe (but watch out for the extraterritoriality that will make it relevant worldwide). In anticipation, national Data Protection Authorities are formulating guidelines regarding individual rights.

One of those new rights in the GDPR is the “right to data portability”. The Data Protection Authorities have issued guidelines and an annex, and are asking for comments by end of January 2017.

I think this is very relevant to OK, because:

  • I can easily imagine a service helping individuals turn their personal data into Open Data.
  • OKLabs has Frictionless data experience of high relevance, regarding the legal obligation to transfer personal data in a “machine-readable and interoperable format”.

I intend to comment on this formally on behalf of PersonalData.IO, but was wondering if anyone would be interested in doing so jointly. Meanwhile, I guess I will add my own comments here while I read the documents.


#2

Three points I found relevant or interesting:

  • “For information society or similar online services that specialize in automated processing of personal data, it is very unlikely that the answering of multiple data portability requests should be considered to impose an excessive burden. In these cases, WP29 recommends to define a reasonable time frame adapted to the context and to communicate it to data subjects.”
  • The second condition narrows the scope to data “provided by” the data subject. There are many examples of personal data, which will be knowingly and actively “provided by” the data subject such as account data (e.g. mailing address, user name, age) submitted via online forms. Nevertheless, the data controller must also include the personal data that are generated by and collected from the activities of users in response to a data portability request such as raw data generated by a smart meter. This latter category of data does not include data that are exclusively generated by the data controller such as a user profile created by analysis of the raw smart metering data collected.
  • “To further help reduce the risks for other data subjects whose personal data may be ported, all data controllers (both the ‘sending’ and the ‘receiving’ parties) should implement tools to enable data subjects to select the relevant data and exclude (where relevant) other data subjects’ data. Additionally, they should implement consent mechanisms for other data subjects involved, to ease data transmission for those cases where such parties are willing to consent, e.g. because they as well want to move their data to some other data controller. Such a situation might arise with social networks.”

#3

Hey @pdehaye

I could work on this with you. Shall we sync up after the new year?


#4

Sure, let me know. The guidelines are quite decent, but it might be good to share some experience from Frictionless Data nevertheless.


#5

Extremely relevant indeed! I will join, but I might need some kicking so that this does not fall between all other stuff.


#6

This is a note to self, and a bit outside of issues concerning OK and interoperability: I have some concerns with the language used around the word “identity”. Does the individual have to prove their legal identity, and link that to other identifiers actually used by the data controller? The way the guidance is written, it is not clear what “identity” actually means, which implies that the scope of requirements can be widened significantly, at the will of the controller. Right now, this makes it as difficult as the controller wants to make it to submit subject access requests, and presumably will make it hard to submit portability requests for what the controller is not willing to let go. (If we/I are going to comment on this, we might need to compare to guidance for requests for access.)


#7

(further note to self:) I just thought that actually portability and identity verification are not fully disjoint. In many cases when doing a portability request, sending providers will require some proof that you actually own some attribute that they use to identify you (for example: phone number with a business, Apple ID with an app provider, cookie value in adtech, or even IP address). That can be difficult to do, sometimes. When doing a portability request from sending controller X to receiving controller Y, based on identity tied to an attribute delivered by Z, one could establish the identity with X through a first portability request from Z to X.


#8

@apoikola, @pwalsh, still interested to contribute? We have until end of January.

@pwalsh, Open Knowledge should comment specifically on technical issues, maybe you can search the guidelines for the word “interop”? The guidelines justifiably don’t want to go technical, but there might be some comments that Open Knowledge could make that are useful. A suggestion could be that ALSO when exercising the portability right directly to the data subject, the format should be interoperable. In other words, we are not just talking about big companies getting together to decide on a very complex framework, but also about individuals being given the opportunity to act on the data they would get, and being able to create value out of this, either individually, in small associations outside of commercial networks, or even in startups. Strong cue there for datapackages. Even more specifically, a recommendation could be that the syntax of the data output should be extremely standardized, while the semantics can be much more complex. The two have to be kept out of each other’s way to maximize value to all.

In addition to the comments above, I would like to seek some clarification, and maybe that is relevant to @apoikola and MyData.

Data being personal data is not something you can decide once and for all and in isolation. You have to look at other types of information that can be combined, or how revealing weak signals are in the aggregate. You can also remove some information to anonymize and modify some information to make it pseudonymous.

For each of those situations I would like to know if and how the portability right applies, according to WP29.
For instance, it would be very valuable to make explicit the reasoning behind this sentence, as corporate lawyers would almost certainly challenge it, in light of the wording of Art 20:
“However, pseudonymous data that can be clearly linked to a data subject (e.g. by him or her providing the respective identifier, cf. Article 11 (2)) is well within the scope.”

I am also curious to know whether data that has been provided through the use of the portability right directly from one controller to another is still subject to the portability right out of what was the receiving controller.

Let me know how to proceed and if you want to proceed jointly.


#9

We (Adaptant) will also contribute to this, I will try to get our comments combined and posted in the next few days.


#10

@pdehaye, @apoikola, @pwalsh Happy to help, I have been involved in legal research on privacy and data protection. If you are interested, we also have a session on text and data mining at the CPDP conference in Brussels this year. Join us if you are planning to attend!


#11

@pdehaye Hi. I’m having trouble getting the time to get back to you between other work commitments - sorry for the lack of response. I will try to take a look this week. @freyja also works at OKI and it would be great to get her involved here.


#12

Thanks, @pwalsh, for your follow up. Maybe best is to leave OK out of the response then. There is actually little in the whole draft about technical standards for interoperability, but there is definitely long term relevance to Frictionless Data and those projects.

@freyja thanks for the help offer, maybe we can run the letter by you for advice when it nears completion?

@pmundt making any progress? This is becoming urgent!


#13

Dear Paul
Yes please don’t hesitate to contact me. Happy to give feedback

Best,

Freyja van den Boom,

Researcher and Project manager FutureTDM

Open Knowledge International http://okfn.org/



#14

@pdehaye what is the status of this? Have you drafted some response document? I could spend some time over the weekend to comment and advance this.


#15

Sorry, I didn’t have time to work on this over the weekend. Will write my “final” draft later today, then post here. If I get your input on time, I will include it before posting tomorrow.


#16

I am done with my “final” draft.
This is a “sharing” link:


Please respond to the suggestions below through Google doc comments.

If you are interested to join, please:

  • tell me where to find your logos;
  • suggest a standalone sentence describing your organization (I would then change the first sentence to give equal standing to all);
  • suggest any extra bullet point you might have;
  • suggest any change to a bullet point already there.

This needs to be sent by tomorrow, as per the deadline on the consultation. Let’s say noon is our internal deadline for this to be completed.


#17

I just noticed this now and it is late at night, I will check this in the morning of Tue 31st.


#20

@apoikola Are you done? Can I include your signature in some way? You could send me a picture of it on white paper and I can scan it to introduce it in the document. Or you can export the PDF and sign it directly yourself, then send it to me. What do you think?


#21

I’m happy with it, hopefully you have already sent it; my signature is in your mail. Can we publish this on the OKFI blog?


#22

Just sent in (noticed as I sent that they extended the deadline by two weeks). Feel free to put it on the OKFI blog, for sure.