Data portability as a new means of data protection? Examining the right to data portability in the EU General Data Protection Regulation

On 25 May 2018, the General Data Protection Regulation (GDPR) came into effect across the European Union. This new Regulation has a number of innovations, notably including a new right for the data subject to port personal data out of a processing system and reuse it elsewhere. Data portability has an immediate impact on data flows across systems and has been sought as a catalyst for competition, consumer welfare, innovation and institutional efficiency. The issue of how data portability furthers the objective of data protection appears not straightforward. This thesis primarily examines the legitimacy, coherence and added value of the right to data portability in the EU data protection regime. In recognition of its wide-ranging implications, it also explores how the GDPR right interacts with many other areas of law and ‘interfaces’ with user-centric technologies devised to better protect our personal data. The thesis is divided into six chapters. Before analysing the GDPR right, Chapter 1 first maps a wide array of similar schemes that have emerged over two decades (1995-2019), whether they be industry-initiated projects, government-led initiatives or statutory schemes. Particular attention is paid to the legacy of early attempts that predate the GDPR, as well as the recent developments in the wake of the GDPR. Chapters 2 provides a detailed account of the right to data portability in the GDPR. It inquires whether the new right can legitimately sit within the EU data protection framework, act in harmony with other components, and bring added value to the imperative of data protection. The EU data protection regime has a dual purpose, that is, the protection of personal data and the free movement of personal data in the EU. Whereas Chapter 2 examines the right through the lens of data protection, Chapter 3 ventures to explore the right’s link to the free flow of personal data. Beyond data protection, the GDPR right may also have an impact on the economic welfare of the data subject. This is especially the case when data protection, consumer protection and competition law converge around the objective of promoting individual welfare. Chapter 3 examines whether the GDPR right may legitimately pursue consumer welfare (an overarching goal pursued by consumer protection and competition law), and how it interacts with similar schemes recently developed in those interrelated areas of law. Chapter 4 focuses on the potential barriers to individual-led data flows, resulting from a set of information rights relating to intellectual property, trade secrets, and database protection. The extent to which the GDPR right contributes to data protection depends upon the applicability and effects of these counteracting rules. It is argued that a rough line exists between different types of data to which the data protection and information rights respectively apply. That said, grey areas do exist at the boundaries of data taxonomies, and Chapter 4 examines the rules developed for balancing the rights in conflict. To ensure that datasets smoothly flow between systems and are well adapted to a new environment, the GDPR lays down some requirements concerning data interoperability. Chapter 5 draws knowledge from the field of data science and builds a conceptual model of interoperability to elucidate those legal requirements. Since data interoperability relies upon layers of specifications, this chapter reconstruct the EU Guidelines accordingly in order to clarify the legal issues associated with each layer of interoperability. The GDPR right’s impact on data transmission and reuse is immediately noticeable; its contribution to data protection is, however, not. Basically, this right promotes data protection by channelling data into alternative systems where our data is supposedly better protected. Chapter 6 surveys the user-centric technological systems that have emerged over the last two decades (1999-2019). By revealing their attributes, development and potential interplay with the legal rights examined above, this chapter considers the extent to which a joint effort of law and technology could make a difference to our quest for data protection.