I am speaking about our empirical work on the right to data portability under the GDPR at the British and Irish Law Education and Technology Association (BILETA) Annual Conference 2021 as part of the ‘Human rights and technology’ session.
Abstract: The General Data Protection Regulation bolsters a number of the rights of data subjects but also introduces one brand new right - Article 20's right to data portability. This provides data subjects with the right to request their data in a structured, commonly used and machine-readable format, but also to have this transmitted directly from one controller to another.
In this paper we present an empirical study of Article 20(2) to show how direct transmission between controllers is poorly supported in a number of domains. First, we study the privacy notices of a large set of retailers and social network sites. We find that although portability is often mentioned, it is infeasible to directly transmit data between controllers.
Secondly, we study portability amongst academic research repositories, a domain where interoperable standards for machine-readable data exist and so one might expect to see feasible direct transmission. We find that again there is no mechanism to support direct transfers, despite the technical feasibility of this. We demonstrate this technical feasibility through the development of a tool for porting data.
We suggest some possible mechanisms for strengthening portability through tools and standards. Our findings may be useful as portability becomes more popular with legislators (e.g. through the forthcoming European Digital Markets Act).