170131 ETNO Data Portability Memo
ETNO shared with the Article 29 Working Party a legal memo noting that while the Guidelines provide many useful additions and clarifications, they also contain some suggestions that are particularly problematic for the industry, users and third parties.
PDF available here.
On 13 December 2016, the Article 29 Working Party published a set of Guidelines interpreting the notion of the right to data portability, as introduced by Article 20 of the General Data Protection Regulation (GDPR). While the Guidelines provide many useful additions and clarifications, they also contain some suggestions that are particularly problematic for the European telecommunications industry:
- The scope of the data portability right is expanded significantly. Specifically, the GDPR restricts the right to personal data “provided by” the data subject, while the Guidelines support an expansion of the concept to include “the personal data that are generated by and collected from the activities of users”. This expansion is not in line with the text, spirit or the intentions of the legislator, and creates new privacy risks for data subjects by increasing the dissemination of personal data to recipients that may have no use for it.
- The interests of third parties whose personal data may also be revealed by a data portability request in a telecommunications context are insufficiently protected by the Guidelines. While suggestions are provided on how this challenge could be handled, these do not seem realistically feasible or effective in plausible data portability scenarios for the telecommunications industry.
- The Guidelines do not clarify how data portability requests should be dealt with when there is no interoperable data format available in a given industry or context. While cooperation between industry stakeholders and trade associations is encouraged (both by the GDPR and by the Guidelines), this does not ensure that a compliant option is available.
- Finally, the Guidelines do not consider the specific context of the European telecommunications industry. Specifically, they do not take into account the fact that this industry is already subject to portability rights and change obligations that achieve the goal of avoiding lock-in and increasing competition; nor do they consider the impact of the upcoming changes in European e-Privacy legislation that create a specific framework for data protection in the telecommunications context.