The Right to Data Portability in practice : Exploring the implications of the technologically neutral GDPR
MetadataShow full item record
Key Points The European General Data Protection Regulation (GDPR) introduces one new data subject right, Article 20’s right to data portability (RtDP). The RtDP aims to allow data subjects to obtain and reuse their personal data for their own purposes across different services. We investigate the RtDP by making 230 real-world data portability requests across a wide range of data controllers. The RtDP is interesting to study as it operates under a framework that aims to be technologically neutral while requiring specific technologies for implementation. Our objective is to assess the ease of the RtDP process from the perspective of the data subject and to examine the file formats returned by data controllers. From our results, including responses indicating that no personal data were stored, only 172 (74.8 per cent) of RtDP requests were successfully completed. However, compliance with the GDPR varied where not all file formats meet the GDPR requirements. There was also confusion amongst data controllers about data subject rights more generally. Based on our observations, we revisit the current guidance for data portability. We suggest new technical definitions to clarify how data should be made portable and determine the appropriateness of certain file formats for different data types. We suggest recommendations and future work for various stakeholders to address the legal implications derived from our study. This includes discussing possibilities for new data portability standards and codes, conducting further empirical research, and building technological solutions to ensure that the RtDP can be better understood in theory and exercised in practice.
Wong , J & Henderson , T 2019 , ' The Right to Data Portability in practice : Exploring the implications of the technologically neutral GDPR ' , International Data Privacy Law , vol. Advance article . https://doi.org/10.1093/idpl/ipz008
International Data Privacy Law
© 2019, the Author(s). Published by Oxford University Press. This work has been made available online in accordance with the publisher's policies. This is the author created accepted version manuscript following peer review and as such may differ slightly from the final published version. The final published version of this work is available at https://doi.org/10.1093/idpl/ipz008
Items in the St Andrews Research Repository are protected by copyright, with all rights reserved, unless otherwise indicated.