‘My Data, My Rules’ – The Right to Data Portability

By Aditya Singh Chawla

Nandan Nilekani has recently made news cautioning against ‘data colonization’ by heavyweights such as Facebook and Google. He laments that data, which is otherwise a non-rival, unlimited resource, is not being shared freely, and is being put into silos. Not only does this limit its potential uses, users end up with very little control over their own data. He argues for ‘data democracy’ through a data protection law and particularly, one that gives users greater privacy, control and choice. In specific terms, Nilekani appears to be referring to the ‘right to data portability’, a recently recognized concept in the data protection lexicon.

In the course of using online services, individuals typically provide an assortment of personal data to service providers. The right to data portability allows a user to receive their data back in a format that is conducive to reuse with another service. The purpose of data portability is to promote interoperability between systems and to give greater choice and control to the user with respect to their data held by other entities. The aim is also to create a level playing field for newly established service providers that wish to take on incumbents, but are unable to do so because of the significant barriers posed by lock-in and network effects. For instance, Apple Music users could switch to a rival service without having to lose playlists, play counts, or history; or Amazon users could port purchasing history to a service that provides better recommendations; or eBay sellers to a more preferable platform without losing their reputation and ratings. Users could also port to services with more privacy friendly policies, thereby enabling an environment where services must also compete on such metrics.

The European Union’s General Data Protection Regulation (GDPR) is the first legal recognition of the right to data portability. Art. 20(1) defines the right as follows:

“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided”

Pursuant to this right, Art. 20(2) further confers the right to directly transmit personal data from one controller to another, wherever technically feasible.

The first aspect of the right to data portability allows data subjects to receive their personal data for private use. Crucially, the data must be a in a format necessarily conducive to reuse. For instance, providing copies of emails in pdf format would not be sufficient. The second aspect is the ability to transfer data directly to another controller, without hindrance.

There are certain prerequisites for the applicability of this right:

a) it applies only to personal data that the data subject ‘provided’ to the controller. This would include data explicitly provided (such as age, or address, etc., through online forms), as well as data generated and collected by the controller on account of the usage of the service. Data derived or inferred by the controller would not be within the scope of this right.

b) the processing must be pursuant to consent or a contract. Personal data processed for a task to be performed in public interest, or in the exercise of official authority is excluded.

c) the processing must be through automated means. Data in paper files would therefore not be portable.

d) the right must not adversely affect the rights and freedoms of others.

The GDPR does not come into force till May 2018, so there remain ambiguities regarding how the right to data portability may come to be implemented. For instance, there is debate about whether ‘observed data’, such as heartbeat tracking by wearables, would be portable. Even so, the right to data portability appears to be a step towards mitigating the influence data giants currently wield.

Data Portability is premised on the principle of informational self-determination, which forms the substance of the European Data Protection framework.  This concept was famously articulated in what is known as the Census decision of the German Federal Constitutional Court in 1983. The Court ruled it to be a necessary condition for the free development of one’s personality, and also an essential element of a democratic society.  The petitioners in India’s Aadhaar-PAN case also  explicitly argued that informational self-determination was a facet of Art. 21 of the Indian Constitution.

Data portability may also be considered an evolution from previously recognized rights such as the right to access and the right to erasure of personal data, both of which are present in the current Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. TRAI’s recent consultation paper on Privacy, Security and Ownership of Data in the Telecom Sector also refers to data portability as a way to empower users. The right to data portability may be an essential aspect of a robust and modern data protection framework, and India is evidently not averse to taking cues from the EU in this regard. As we (finally) begin to formulate our own data protection law, it may serve us well to evaluate which concepts may be suitably imported.

Aditya is an Analyst at the Centre for Communication Governance at National Law University Delhi

New EU-US Data Protection Agreement Imminent

Written by Siddharth Manohar

Data exchange flowing from the EU (specifically the European Economic Area) to the US currently has no legal framework regulating it. Does it mean that any data transfer from EU to US is illegal?  In my previous post on the issue I mentioned that the old agreement regulating the data transfer had been struck down at the Court of Justice of the European Union (CJEU). National data protection authorities in the EU have taken a pragmatic step by holding back on attacking all data transfer, until a new agreement is reached to replace the old Safe Harbour Agreement.

A breakthrough in this respect came about a couple of weeks back, with the European Commission announcing that they have agreed on a new framework to protect the rights of individuals who give data to US companies that process the data in their local servers. The agreement once finalised will replace the Safe Harbour principles in order to legalise the data transfer. This new framework, called the US-EU Privacy Shield, has three sets of strong obligations: data handling, transparency, and redress mechanisms.

The first major obligation is on US companies to make and publish commitments on data protection and individual rights. These commitments hold them accountable to US Federal Trade Commission (FTC), as well as the diktats of the European Data Protection Authorities (DPAs). The second consists of restrictions on surveillance practices by US state authorities. Any kind of surveillance will now be subject to clear limitations, safeguards and oversight mechanisms, and the methods will be only those that are necessary and proportionate. Mass surveillance has been completely ruled out, and meetings to review these practices have also been planned for future follow-up. The third part of this arrangement consists of a redress mechanism. European DPAs can refer cases to the US Department of Commerce and the FTC, and the option of alternate dispute resolution is also provided.

The parties are now working towards the measures required to put the new agreement in place, specifically the US, who will try to formalise the commitments made in the agreement. The European Commission on the other hand is preparing a draft for an ‘adequacy decision’ that member states can adopt to formalise the process on the EU side. The full text of the agreement is expected to be made available in the coming weeks.

The agreement has also come under criticism from privacy experts, who claim that the agreement suffers from the same weaknesses of the Safe Harbour agreement. They argue that this agreement is a mere political compromise that does not help protect the rights and data of users. This would require amendments to the national laws in both locations. Controversial provisions in US law that continue to authorise infringements on users’ rights are still effective, like Section 702, which allows for surveillance of data relating to non-US persons to be carried out in the US. Executive Order 12333, which deals with surveillance outside of the US, has no legal oversight mechanism whatsoever. It is these laws that will need amendments in order to make surveillance subject to conditions of necessity and proportionality.

The other persistent problems which have remained include the provision for self-certification, which provides inadequate protection against ensuring enforcement of privacy standards. A recent amendment to a Bill which would provide redress mechanisms for EU users to enforce rights over their personal data, also adds to the problems which plague the possible effectiveness of the new agreement. The long term solution to this situation does not look like it will arise from a single event or set of negotiations, and we now await the release of the full text of the agreement to see where we can go from here.


Can the EU beat Big Data and the NSA? An Overview of the Max Schrems saga

Written by Siddharth Manohar


The decision in the famous and controversial Schrems case (press release) delivered last month has created confusion with respect to the rules applicable to companies transporting data out of the EU and into the USA. The case arose in light of Edward Snowden’s revelations regarding data handling by companies like Google and Facebook in the face of extensive acquisition of user information by US security agencies.

The matter came up before the Court of Justice of the European Union (CJEU) on referral from the High Court of Ireland. The case dealt with the permissibility and legality of a legal instrument known as the Safe Harbour Agreement. The Safe Harbour Agreement regulates transfer of data from the EU to US by internet companies. The effectiveness of this regulation was thrown into serious doubt following revelations by Edward Snowden regarding large scale surveillance carried out by USA state agencies, such as the NSA, by accessing users’ private data.

The agreement was negotiated between the US and the EU in 2000, and allowed American internet companies to transfer data from the European Economic Area to other countries without having to undertake the cumbersome task of complying with each individual EU country’s privacy laws. It contained a set of principles that legalized data transfer out of the EU by US companies which demonstrated adherence to a certain set of data handling policies. More than an enforceable standard to protect users’ data, it was a legal framework which served the purpose of giving the European Commission a basis to claim that data transfer to the USA was legal under European laws.

The Safe Harbour Agreement was meant to simplify compliance with the 1995 Data Protection Directive of the European Union, which laid down fundamental principles to be upheld in processing and handling of personal data. A 2000 decision of the European Commission held that the Safe Harbour Agreement ensured adequacy of data protection and privacy of data as required by this Directive, and came to be popularly known as the “Safe Harbour decision”. Since then, over 4,000 companies signed on to the Agreement in order to register themselves to legally export data out of the EU and into the USA.

After the Snowden leak however, it became clear that these principles were blatantly violated on a large scale. It was in this context that Maximilian Schrems, an Austrian law student, approached the Irish Data Protection authority complaining that US laws did not provide adequate protection to users’ private data against surveillance, as required by the Data Protection Directive. The Data Protection Authority dismissed the complaint, and Schrems then chose to appeal to the Irish High Court. The High Court, having heard the petition, chose to refer an important question to the CJEU: whether the 2000 EC decision, which upheld the Safe Harbour Agreement as satisfying the requirements of the EU Data Protection Directive, meant that national data protection authorities were prevented from taking up complaints against transfer of a person’s data as violating the Directive.

The CJEU answered emphatically in the negative, emphasising that a mere finding by the Commission of adequate data protection policy by an external country could not take away the powers of national data protection authorities. The national authority could therefore independently investigate privacy claims against a private US company handling an EU citizen’s data.

The CJEU also found that legislations authorising the interference of state authorities with data handling of private companies had complete overriding effect over the provisions of the Safe Harbour Agreement. This was based on a two-pronged reasoning – firstly, that the data acquired by state agencies was processed in ways above and beyond what was necessary for protecting national security. Secondly, users whose data had been acquired by the authorities had no legal recourse to challenge such an action or have that data erased. For these reasons, it ruled the Safe Harbour Agreement as failing the requirements of the EU Data Protection Directive.

This decision created a fair amount of deliberation regarding what made data transfer from the EU to the US legally valid, since the main legal basis for it had just been struck down. However, the interesting point to note here is that the Agreement is not the only legal basis for such data transfer. Further, for the data transfer to be held illegal, individual handlers of data would now have to be challenged at forums of national data protection authorities to be held as illegal. Thus the decision importantly does not pull a curtain down on all data transfer from EU to US; however, the legal machinery of the Safe Harbour Agreement has rightly been found to be ineffective.

Therefore, while internet companies do not need to shut down operations in EU, they do need to review their data handling practices, and adherence of these practices to other available norms, like the EU’s model clauses for data transfer to external countries. Some companies have even gone a step ahead and tried to come up with solutions to the vacuum left behind by the Safe Harbour Agreement, like Microsoft, as it does in this blog post by the head of its legal department.

That said, the EU has issued a statement that an agreement needs to be reached with US companies by January 2016, failing which it will consider stronger enforcement measures, such as coordinated action taken by each of the EU countries’ data protection authorities. The scenario is still an evolving one, and this shake-up can positively lead to better enforced privacy and data protection principles.

Digital Memory & Informational Privacy: Reflecting on the EU’s ‘Right To Be Forgotten’- Working Paper by Ujwala Uppaluri

As part of a complete overhaul of European Union regulations concerning Internet information stored electronically, a proposal for a ‘General Data Regulation’ was been passed by the European Parliament. The Regulation is intended to be read with the existing law as to data protection in the European Union, specifically the Data Protection Directive and the E-Privacy Directive. Inter alia, this legislative attempt made reference at its Article 17 to a data subject’s right to be forgotten. The proposal sparked a staggering amount of debate around the consequences of the grant of such a right, with particular resistance arising out of the potential burden that such a right could impose on intermediaries online.

Since that proposal was made, a ‘right to be forgotten’ has been articulated by the Court of Justice of the Eurpoean Union (CJEU). It used existing data protection law, including portions of the Data Protection Directive of 1995 to read in a right to be forgotten for data subjects, and a corresponding obligation to takedown for intermediaries, and search engines in particular. As with Article 17, Costeja has been the subject of a great deal of criticism.

This paper will cursorily consider the history and nature of machine memory, make the case for digital forgetting, describe the legal and conceptual sources of the right to be forgotten, and evaluate Article 17 and the CJEU’s iteration of the right, with the intention of contributing to this debate. Particular emphasis will be placed, in the process, on informational privacy on the fundamentals of data protection and on the many concerns that the present iteration of the right raises not only for Europe but for data protection law generally.

The Complete Paper can be found here: https://drive.google.com/file/d/0BwY1OLu_H1ICRTRaWEtTOVFFVlU/view?usp=sharing

(Ujwala Uppaluri was a Fellow at CCG from June 2014 to April 2015 and will be joining Harvard Law School to pursue her LL.M. from August 2015.)