New EU General Data Protection Regulation Guidance: Data Portability, Data Protection Officers, and One Stop Shop
The Article 29 Working Party (“WP29”) – the body made up of representatives of the national data protection regulators in the European Union – has issued new guidance on three important aspects of the new General Data Protection Regulation (“GDPR”), which becomes applicable in May 2018.
This first salvo of GDPR-focused guidance concerns:
the new “Right to Data Portability”, an obligation on companies and public authorities to build tools that allow users to download their data or transfer it directly to a competitor (the guidance is here, and an FAQ is here);
the new obligation for organizations to appoint a “Data Protection Officer”, a quasi-independent role within companies that will be tasked with internal supervision and advice regarding GDPR compliance (guidance / FAQ); and
Despite the guidance having formally been “adopted”, the WP29 is nevertheless inviting stakeholder comments on the new guidance, until the end of January 2017. Indeed, the guidance takes a number of positions that could attract large volumes of comments ahead of the January 31 deadline.
For example, the WP29 argues that the right to data portability, which covers data “provided” by an individual, includes data generated by observing the user – for instance, data about her/his use of a website, service or device. The WP29 uses raw sensor data collected by a health app as an example of data that would need to be downloadable or directly transferable; but a more conservative reading of the law would be that data is “provided” by individuals only when, for instance, they complete a form, or upload their address book.
The data portability guidance also states that the receiving company cannot make its own use of third party information contained within the ported data – presumably, even where it has a legitimate interest in doing so, or has the submitter’s consent. This, too, might prove controversial.