The Article 29 Working Party’s final guidance on implementing the right to portability is a significant improvement on the previous draft. The Working Party appear to have recognised the significant risk involved in making large collections of personal data available through on-line interfaces, and that other approaches will be more suitable for most data controllers.
The suggestion of providing an API as a portability interface is now restricted to “information society services that specialise in automated processing of personal data”. This might, for example, include banks and social networks that are already familiar with how to design and implement secure interfaces. The Working Party now stress the need for these to be secure, noting that a portability request, which gives access to all of an individual’s personal data, may require additional authentication such as a one-time token, in case the user’s normal login details have been compromised. Protocols that will encrypt the exported data as it passes over networks are recommended.
For other data controllers – likely to be the vast majority – less high-tech implementations now seem to be envisaged. Although the Regulation requires that data be provided in industry-standard formats, the guidance recognises that in many cases the best available option will be comma-separated values (CSV) accompanied by the metadata required to interpret them. The thought that portability requests from these organisations will be handled through a manual process, involving spreadsheet exports and human checks, is very reassuring to this particular data subject.
