June 18, 2019

June 17, 2019

Subscribe to Latest Legal News and Analysis

New EU General Data Protection Regulation Guidance: Data Portability, Data Protection Officers, and One Stop Shop

The Article 29 Working Party (“WP29”) – the representatives of national data protection regulators in the European Union – has issued new guidance on three important aspects of the new General Data Protection Regulation (“GDPR”), which comes into force in May 2018.

This first salvo of GDPR-focused guidance concerns:

  • the new “Right to Data Portability”, an obligation on companies and public authorities to build tools that allow users to download their data or transfer it directly to a competitor (the guidance is here, and an FAQ is here);

  • the new obligation for organizations to appoint a “Data Protection Officer”, a quasi-independent role within companies that will be tasked with internal supervision and advice regarding GDPR compliance (guidance / FAQ); and

  • the new “One Stop Shop” mechanism – helping companies identify which “lead” data protection authority will be their main point of contact for multi-country regulatory procedures (guidance / FAQ).

Despite the guidance having formally been “adopted”, the WP29 is nevertheless inviting stakeholder comments on the new guidance, until the end of January 2017.  Indeed, the guidance takes a number of positions that could attract large volumes of comments ahead of the January 31 deadline.

For example, the WP29 argues that the right to data portability, which covers data “provided” by an individual, includes data generated by observing the user – for instance, data about her/his use of a website, service or device.  The WP29 uses raw sensor data collected by a health app as an example of data that would need to be downloadable or directly transferable; but a more conservative reading of the law would be that data is “provided” by individuals only when, for instance, they complete a form, or upload their address book.

The data portability guidance also states that the receiving company cannot make its own of use third party information contained within the ported data – presumably, even where it has a legitimate interest in doing so, or the submitter’s consent.  This, too, might prove controversial.

© 2019 Covington & Burling LLP


About this Author

Philippe Bradley-Schmieg, Covington Burling, Data privacy and cybersecurity attorney

Philippe Bradley-Schmieg's practice covers a range of regulatory and commercial matters affecting the IT, internet media, e-health and telecoms sectors across the world.

Mr. Bradley-Schmieg advises on legislation, enforcement, advocacy and contracts relating to privacy, data protection, consumer protection, intermediary liability, copyright and databases, Big Data, medical confidentiality, cybersecurity, law enforcement data requests, and smart medical devices and apps.