Data Portability Under GDPR: Technical Challenges

Abstract

Right to data portability under GDPR enables individuals to request a copy of their personal data, also for exporting it to other service providers’ platforms. While WP29 has issued a guideline, there are many questions about how to implement this right effectively. In this paper, we will focus on some of the more technical challenges as well as some of the complex tensions that ensue due to existing descriptions of what the right should entail. The prior includes matters like determining the right format and implementing possibilities for direct transmission and API’s. The latter focuses on issues like distinguishing provided (raw) from inferred (derived) data; separating data obtained under consent or contract from other data collected under different legal grounds; determining harm against other individuals’ rights and freedoms and potentially redacting personal data automatically; and the challenge of implementing portability “without hindrance” while at the same time implementing “appropriate security measures” which are mostly obstructive by nature.