[Update: Jisc has responded to the Working Party’s invitation to comment on these guidelines]
The General Data Protection Regulation contains one new right for individuals – data portability (Article 20). Some commentators have suggested that this is just a digital form of the existing subject access right, but the Article 29 Working Party’s new guidance describes something much more radical. Indeed, rather than data protection, the main purpose of the right is described as to “facilitate switching from one service to another, thus enhancing competition between services” (p.4) and “prevent[ing] lock-in” (p.5). This competition law issue is likely to concern only a small minority of vary large data controllers, but the Working Party appear to give it priority over a number of traditional data protection principles: data minimisation, control of personal data, and even security.
The new right entitles data subjects to request that digital personal data they have provided by consent or contract (note, not all the data that would be available under a subject access request) be provided to them or transferred to another data controller of their choice. Any receiving controller must apparently accept all the data, even if it has no use for it (p.10): reversing the usual minimisation rule that controllers should only process data they need. While data protection authorities have, in the past, required data controllers to spend hours redacting information about others before responding to subject access requests, now they “must not take an overly restrictive interpretation of the sentence ‘personal data concerning the data subject'” (p.7) and should include information about other individuals involved in transactions or relationships while (somehow) “implement[ing] consent mechanisms for the other data subjects involved” (p.10). Finally, the question “how can portable data be secured?” is only raised on the very last page of the document (p.15).
The Working Party encourage all data controllers to provide “download tools and Application Programming Interfaces” (APIs) to their computer systems, through which individuals can download or transfer their data online. While a very small number of data controllers (for example banks) may already allow users to view their account and transaction details on demand, for most organisations this information will be held on internal databases, securely firewalled off from the internet. Providing internet access into these databases will require a new and significantly more complex security model for these organisations. Each data subject will need their own account on this API; since the vast majority are unlikely to ever use it this will create a large number of idle accounts, likely to have simple or default passwords. Good security practice for many years has been to remove such accounts, not create thousands of new ones. Securely distributing passwords or stronger authentication credentials to all those remote users is another area known in security circles to be hard and error-prone for both organisations and individuals.
Many organisations – from Ashley Madison to TalkTalk – have recently and publicly demonstrated how difficult it is to set up and maintain access to user accounts. And those are large organisations whose core business is providing secure on-line services. Even if a data controller can manage that, there is a global criminal business sector dedicated to persuading users to give up their passwords. At present that is largely funded by stealing credit card and bank account numbers: how much more valuable (and damaging to the individual) would complete transaction histories be?
The competition problem identified by the Working Party seems to concern a very small number of data controllers. Evidence on the exercise of existing data subject rights suggests this one will be used by only a small proportion of data subjects. Data Protection Regulators should think very carefully before encouraging or requiring all the other organisations and individuals to expose themselves to those threats.