The Article 29 Working Party (“WP29”) has issued new guidance on three important aspects of the new General Data Protection Regulation (“GDPR”), which comes into force in May 2018.
This first salvo of GDPR-focused guidance concerns:
- the new “Right to Data Portability”, an obligation on companies and public authorities to build tools that allow users to download their data or transfer it directly to a competitor (the guidance is here, and an FAQ is here);
- the new obligation for organizations to appoint a “Data Protection Officer”, a quasi-independent role within companies that will be tasked with internal supervision and advice regarding GDPR compliance (guidance / FAQ); and
- the new “One Stop Shop” mechanism – helping companies identify which “lead” data protection authority will be their main point of contact for multi-country regulatory procedures (guidance / FAQ).
Despite the guidance having formally been “adopted”, the WP29 is nevertheless inviting stakeholder comments on the new guidance, until the end of January 2017. Indeed, the guidance takes a number of positions that could attract large volumes of comments ahead of the January 31 deadline.
For example, the WP29 argues that the right to data portability, which covers data “provided” by an individual, includes data generated by observing the user – for instance, data about her/his use of a website, service or device. The WP29 uses raw sensor data collected by a health app as an example of data that would need to be downloadable or directly transferable; but a more conservative reading of the law would be that data is “provided” by individuals only when, for instance, they complete a form, or upload their address book.
The data portability guidance also states that the receiving company cannot make its own use of third-party information contained within the ported data – presumably, even where it has a legitimate interest in doing so, or the submitter’s consent.