European Commission, experts uneasy over WP29 data portability interpretation
- by 7wData
The European Commission has written to EU Privacy regulators to express concern over their interpretation of the data portability clause in the General Data Protection Regulation.
Specifically, the Commission appears to be worried that the regulators have interpreted too broad a scope for the GDPR's Article 20. The Article 29 Working Party (WP29), the group that represents EU Privacy regulators, issued guidelines earlier this month in which it said "the right to data portability covers data provided knowingly and actively by the data subject as well as the personal data generated by his or her activity."
The guidelines went on to specify that this could include "observed data provided by the data subject by virtue of the use of the service or the device," such as the subject's search history, traffic data and location data – and even "raw data such as the heartbeat tracked by a wearable device."
The WP29's guidelines are supposed to harmonize the approaches of regulators across the bloc as they handle complaints about the GDPR's application, once it goes into effect in May 2018.
"We value the work of [WP29] on [the guidelines], but also have certain concerns that the guidelines might go beyond what was agreed by the co-legislators in the legislative process," a commission spokesperson told The Privacy Advisor. "The scope shouldn't go beyond what was agreed in the trilogues."
The spokesperson would not be drawn on the commission's specific concerns. However, the issue of "observed data" was one of the most controversial aspects of the draft guidelines that the WP29 issued in December, and it was still there in the revised version that came out on 5 April.
Article 20 itself states that "the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided."
The accompanying Recital 68 explains: "That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract.
[Social9_Share class=”s9-widget-wrapper”]
Upcoming Events
From Text to Value: Pairing Text Analytics and Generative AI
21 May 2024
5 PM CET – 6 PM CET
Read More