About | HeinOnline Law Journal Library | HeinOnline Law Journal Library | HeinOnline

3 Eur. Data Prot. L. Rev. 119 (2017)
Bringing Your Data Everywhere: A Legal Reading of the Right to Portability

handle is hein.journals/edpl3 and id is 125 raw text is: 


Reports | 119


Bringing Your Data Everywhere: A Legal Reading Of The Right To

Portability

       Lucio Scudiero*


The  General Data Protection Regulation introduces
a brand new  right to data portability that should en-
able the data subject 'to transmit those data to anoth-
er controller without hindrance from the controller
to which the data have been provided'. This brief ar
ticle sheds light on the legal and technical limitations
to this new right, also in the light of the recent guid-
ance provided by Article 29 Working  Party: without
standards which  lead to interoperability the right to
data portability is destined to remain more a decla-
ration of principle than a real and effective tool for
individual self-determination in the digital environ-
ment.


1. Introduction

In April 2016, the European  Union  (EU)  legislator
adopted  Regulation  679/2016 on  the protection of
natural persons with regard to the processing of per
sonal data and on  the free movement  of such  data
(General Data  Protection Regulation or GDPR),  in-
cluding a new  right to data portability (RDP), so as
to enable the data subject 'to transmit those data to
another controller without hindrance from  the con-
troller to which the data have been provided'. The
main  scope of the RDP  is to strengthen the control
of individuals on their personal data, as stated in
Recital 68 GDPR and  to enable the data subject to ex-
ercise the freedom to transfer personal data from one



   Lucio Scudiero, Lawyer, Executive Director at Lex Digital, Rome
   (Italy), Researcher at Archimede Solutions, Geneva (Switzerland).
   The author acknowledges that the first version of this report was
   drafted with the support of the Istituto Italiano per la Privacy, lFP
   Rome, and wishes to thank his former colleague Camilla Bistolfi,
   a researcher in the project Privacy Flag, for her initial contribution
   to it. For correspondence: <lscudiero@lexdigital.it>.
   DOL  10.21552/edpl/2017/1/19
1  European Commission, 'Fact Sheet Questions and Answers -
   Data protection reform' (2015) <http://europa.eu/rapid/press
   -release MEMO-1 5-6385_en.htm> accessed 10 April 2017.
2  See also Article 29 Data Protection Working Party (A29 WP),
   'Guidelines on the right to data portability' (13 December 2016)
   16/EN WP 242, 4 <http://ec.europa.eu/information-society/
   newsroom/image/document/2016-51/wp242_en_40852.pdf> ac-
   cessed 8 March 2017.


data controller to another. An ancillary scope pursued
by the European  Commission  when   proposing such
a right was also to ease for start-ups and smaller com-
panies the access to data markets dominated  by 'IT
giants' and attract more  consumers  with  privacy-
friendly solutions.
   From a data protection law standpoint, the RDP is
   an evolution of the right of access as granted by
   the Data Protection Directive currently in force. Its
   foundations can be retrieved in Article 12 thereof,
   which states that: Member States shall guarantee
   every data subject the right to obtain from the con-
   troller: (a) without constraint at reasonable inter
   vals and without excessive delay or expense: [...] -
   communication   to him in an intelligible form of
   the data undergoing processing and  of any avail-
   able information as to their source [... ].2

This report will present the new RDP  as enshrined
in Article 20 GDPR.


11. The  Scope   and   Conditions of the
   Right   To Data   Portability

Concerning  the scope of the new RDP Article 20 stip-
ulates that:
   1. The data subject shall have the right to receive
   the personal data concerning him or her, which he
   or she has provided to a controller, in a structured,
   commonly  used and machine-readable  format and
   have the right to transmit those data to another
   controller without hindrance from the controller
   to which the personal data have  been provided,
   where:
   (a) the processing is based on consent pursuant to
   point (a) of Article 6(1) or point (a) of Article 9(2)
   or on a contract pursuant to point (b) of Article
   6(1); and
   (b) the processing is carried out by automated
   means.

This first paragraph of the provision refers to sever
al different elements. According to the norm the out-


EDPL  1|2017

What Is HeinOnline?

HeinOnline is a subscription-based resource containing thousands of academic and legal journals from inception; complete coverage of government documents such as U.S. Statutes at Large, U.S. Code, Federal Register, Code of Federal Regulations, U.S. Reports, and much more. Documents are image-based, fully searchable PDFs with the authority of print combined with the accessibility of a user-friendly and powerful database. For more information, request a quote or trial for your organization below.



Short-term subscription options include 24 hours, 48 hours, or 1 week to HeinOnline.

Contact us for annual subscription options:

Already a HeinOnline Subscriber?

profiles profiles most