19th Mar 2018


New EU right to data portability to cause headaches

  • EU citizens will have the right to download the personal data they have provided, but also to have it directly transferred to a competing service, if 'technically feasible' (Photo: John Trainor)

As of 25 May 2018, EU citizens will have a new legal right that will help them switch digital services.

It is called the right to data portability.

Thank you for reading EUobserver!

Subscribe now for a 30 day free trial.

  1. €150 per year
  2. or €15 per month
  3. Cancel anytime

EUobserver is an independent, not-for-profit news organization that publishes daily news reports, analysis, and investigations from Brussels and the EU member states. We are an indispensable news source for anyone who wants to know what is going on in the EU.

We are mainly funded by advertising and subscription revenues. As advertising revenues are falling fast, we depend on subscription revenues to support our journalism.

For group, corporate or student subscriptions, please contact us. See also our full Terms of Use.

If you already have an account click here to login.

  • Social media will be required to allow users to download the personal data users provided, like posts or comments (Photo: Kyra Preston)

The idea is that all personal data you provided to a certain service, for example posts on a social network like Facebook, should be available for you to download and transmit to a competing service.

The rationale behind the right to data portability – which is part of a much broader regulation on data protection – is that consumers will no longer feel that they have no choice but to remain a user of a service in which they have invested so much time.

Several digital services already offer portability, but one year before the new rules go into force, a lot is still unclear.

Dutch company TomTom says it already complies with the new rule, one year in advance.

“We have built, developed and delivered it to our community, this capability,” said Simon Hania, the company's data protection officer. As of next year, each company that handles personal data will be required to provide data portability.

TomTom sells navigation devices and related services, as well as watches that measure users' activities related to sports.

“In both cases, users are able to submit their navigation data or their fitness data to TomTom, what we call MyDrive and MySports, where we store the data on their behalf, and allow them to also extract it or transfer it to others [other platforms],” Hania told EUobserver.

He said that the company's decision to open up the data also had “a commercial reason”.

“We offer sport watches, and people may want to engage in teams with others who may not have a TomTom product,” he said.

Complying with the upcoming right to data portability made TomTom's product more attractive.

Evernote, a company that offers a service for note-taking, has had the option of data portability for several years.

"Our philosophy is that if you’re confident that you can leave Evernote at any time, then you’ll be confident enough to want to stay," the company said in its blog.

However, not every company will be as well prepared. This is in part because the data some companies collect is less straightforward than GPS locations, for which there have been long-existing standards.

A recent discussion in Brussels showed how much is still unclear about how to comply with the right to data portability.

It took place at the RightsCon conference, but was held under the so-called Chatham House rules, which means quotes may not be directly attributed to the speakers.

The session lasted for over an hour and was attended by some thirty digital privacy experts from civil society and businesses.

It's complicated

Some said that the task of complying with the rules is probably underestimated.

“This is a really huge thing, and we only have until May 2019,” said one speaker.

“It's really complicated,” said another.

As an example, there were differences of opinion on whether a reputation score, attained by users of apps such as ride-sharing service Uber, should be considered a part of the personal data available for portability.

Reputation scores are commonly used features in the digital economy, based on reviews by users.

If it should, it would mean that an Uber driver should have the right to take their reviews and transfer them to a competitive service – like Lyft, for example.

However, a great deal depends on whether the reputation score is so-called observed data, or inferred data.

Observed data is something that is measured, for example search history, traffic data or location data. Inferred data is instead calculated by the service itself, based on the observed data.

Inferred data is excluded from the right to data portability.

In one display of discontent, two speakers almost did not allow the other to finish their sentences.

“The reputation is inferred,” said one speaker.

“I think it's observed,” another interrupted.

“No, it's inferred,” the first one said.

A third speaker noted that the discussion showed how difficult the situation can be.

“Businesses and lawyers are scratching their head, which one is it?”

From banks to energy companies

It is difficult to say how many companies are ready for the right to data portability.

Facebook, Google, Instagram, and Spotify declined to comment on the record. Others, such as Twitter, Microsoft, LinkedIn, and Amazon, did not immediately reply.

But not only technology companies will be affected by the measures.

The rules will apply to all businesses and organisations that gather or observe personal data. Therefore, energy companies, banks, insurance companies, shops should also be able to offer data portability.

And as one of the RightsCon speakers noted, it is not only about being able to download data.

“That's easy-ish. But to be able to port it in a format that works in this new controller as well...” she noted.

The regulation said that EU citizens will “have the right to have the personal data transmitted directly from one controller to another, where technically feasible”.

So when is something technically feasible?

According to TomTom's Hania, technically feasible is if both services have enabled the data to be transferred.

“If you want it to transfer to someone else, than that someone else needs to be able to receive it,” said Hania. “We cannot be forced to transmit it to someone who can't receive it.”

“The transfer capability is optional, it's not mandatory,” he added.

The European Commission did not respond to a request to make someone available to explain how data portability would work in practice.

An EU working group that deals with data protection adopted guidelines on data portability last April. It lists some concrete examples of where the right to data portability would apply: raw data from smart meters; book titles purchased from an online store; songs listened to via a music streaming service.

However, the 20-page document is likely to leave some questions open.

For example, the EU guidelines do not clarify whether Hania is right about data portability being “optional”. They only say that the technical feasibility “should be assessed on a case by case basis”.

Potentially, there are an infinite number of cases that need to be assessed.

Moving your e-mails from one service, like Gmail, to another, like Hotmail, or vice versa, is relatively simple.

But what about social networks? Facebook collects different types of personal data than LinkedIn, Twitter, or Google+.

Sometimes they collect very similar things, like Facebook's likes and Twitter's favourites. But who will determine if these two are the same and should be compatible?

“You are talking about the reflection of an architecture of a platform, how are you going to port that to anything else?” one of the RightsCon speakers said.

It is indeed a possible cause of some big headaches.

Column / Brussels Bytes

EU e-privacy proposal risks breaking 'Internet of Things'

EU policymakers need to clarify that the e-privacy should not apply to most Internet of Things devices. The current proposal require explicit user consent in all cases - which is not practical.

Stakeholders' Highlights

  1. Counter BalanceConmtroversial Turkish Azerbaijani Gas Pipeline Gets Major EU Loan
  2. World VisionSyria’s Children ‘At Risk of Never Fully Recovering', New Study Finds
  3. Macedonian Human Rights MovementMeets with US Congress Member to Denounce Anti-Macedonian Name Negotiations
  4. Martens CentreEuropean Defence Union: Time to Aim High?
  5. UNESDAWatch UNESDA’s President Toast Its 60th Anniversary Year
  6. AJC Transatlantic InstituteAJC Condemns MEP Ana Gomes’s Anti-Semitic Remark, Calls for Disciplinary Action
  7. EPSUEU Commissioners Deny 9.8 Million Workers Legal Minimum Standards on Information Rights
  8. ACCAAppropriate Risk Management is Crucial for Effective Strategic Leadership
  9. EPSUWill the Circular Economy be an Economy With no Workers?
  10. European Jewish CongressThe 2018 European Medal of Tolerance Goes to Prince Albert II of Monaco
  11. FiscalNoteGlobal Policy Trends: What to Watch in 2018
  12. Human Rights and Democracy NetworkPromoting Human Rights and Democracy in the Next Eu Multiannual Financial Framework

Latest News

  1. Selmayr case symptomatic, warns EU novel author
  2. Russia poisoning is not EU concern, Germany says
  3. Kiev wants EU sanctions on former German chancellor
  4. North Korea: time to put the 'E' in engagement
  5. Brexit and trade will top This WEEK
  6. Dutch MPs in plan to shut EU website on Russian propaganda
  7. Four years on – but we will not forget illegally-occupied Crimea
  8. Evacuated women from Libya arrive newly-pregnant

Stakeholders' Highlights

  1. Mission of China to the EUDigital Cooperation a Priority for China-EU Relations
  2. ECTACompetition must prevail in the quest for telecoms investment
  3. European Friends of ArmeniaTaking Stock of 30 Years of EU Policy on the Nagorno-Karabakh Conflict: How Can the EU Contribute to Peace?
  4. ILGA EuropeCongratulations Finland!
  5. EUobserverNow Hiring! Sales Associate With 2+ Years Experience
  6. EUobserverNow Hiring! Finance Officer With Accounting Degree or Experience
  7. UNICEFCyclone Season Looms Over 720,000 Rohingya Children in Myanmar & Bangladesh
  8. European Gaming & Betting AssociationEU Court: EU Commission Correct to Issue Guidelines for Online Gambling Services
  9. Mission of China to the EUChina Hopes for More Exchanges With Nordic, Baltic Countries
  10. Macedonian Human Rights MovementCondemns Facebook for Actively Promoting Anti-Macedonian Racism
  11. Nordic Council of MinistersGlobal Seed Vault: Gene Banks Gather to Celebrate 1 Million Seed Collections
  12. CECEIndustry Stakeholders Are Ready to Take the Lead in Digital Construction

Stakeholders' Highlights

  1. ILGA EuropeAnkara Ban on LGBTI Events Continues as Turkish Courts Reject NGO Appeals
  2. Aid & Trade LondonJoin Thousands of Stakeholders of the Global Aid Industry at Aid & Trade London
  3. Macedonian Human Rights MovementEuropean Free Alliance Joins MHRMI to End the Anti-Macedonian Name Negotiations
  4. Mission of China to the EUChina-EU Tourism Year to Promote Business and Mutual Ties
  5. European Jewish CongressAt “An End to Antisemitism!” Conference, Dr. Kantor Calls for Ambitious Solutions
  6. UNESDAA Year Ago UNESDA Members Pledged to Reduce Added Sugars in Soft Drinks by 10%
  7. International Partnership for Human RightsUzbekistan: Investigate Torture of Journalist
  8. UNICEFExecutive Director's Committment to Tackling Sexual Exploitation and Abuse of Children
  9. Nordic Council of MinistersState of the Nordic Region 2018: Facts, Figures and Rankings of the 74 Regions
  10. Mission of China to the EUDigital Economy Shaping China's Future, Over 30% of GDP
  11. Macedonian Human Rights MovementSuing the Governments of Macedonia and Greece for Changing Macedonia's Name
  12. Swedish EnterprisesHarnessing Globalization- at What Cost? Keynote Speaker Commissioner Malmström