Skip to content

Research at St Andrews

The Right to Data Portability in practice: Exploring the implications of the technologically neutral GDPR

Research output: Contribution to journalArticle

DOI

Open Access Status

  • Embargoed (until 6/07/21)

Abstract

Key Points

The European General Data Protection Regulation (GDPR) introduces one new data subject right, Article 20’s right to data portability (RtDP). The RtDP aims to allow data subjects to obtain and reuse their personal data for their own purposes across different services.

We investigate the RtDP by making 230 real-world data portability requests across a wide range of data controllers. The RtDP is interesting to study as it operates under a framework that aims to be technologically neutral while requiring specific technologies for implementation. Our objective is to assess the ease of the RtDP process from the perspective of the data subject and to examine the file formats returned by data controllers.

From our results, including responses indicating that no personal data were stored, only 172 (74.8 per cent) of RtDP requests were successfully completed. However, compliance with the GDPR varied where not all file formats meet the GDPR requirements. There was also confusion amongst data controllers about data subject rights more generally.

Based on our observations, we revisit the current guidance for data portability. We suggest new technical definitions to clarify how data should be made portable and determine the appropriateness of certain file formats for different data types.

We suggest recommendations and future work for various stakeholders to address the legal implications derived from our study. This includes discussing possibilities for new data portability standards and codes, conducting further empirical research, and building technological solutions to ensure that the RtDP can be better understood in theory and exercised in practice.
Close

Details

Original languageEnglish
Number of pages19
JournalInternational Data Privacy Law
VolumeAdvance article
Early online date6 Jul 2019
DOIs
Publication statusE-pub ahead of print - 6 Jul 2019

    Research areas

  • Data portability, Data subject rights, General Data Protection Regulation, Technological neutrality

Discover related content
Find related publications, people, projects and more using interactive charts.

View graph of relations

Related by author

  1. How portable is portable? Exercising the GDPR's Right to Data Portability

    Wong, J. & Henderson, T., 8 Oct 2018, Proceedings of the 2018 ACM International Joint Conference and 2018 International Symposium on Pervasive and Ubiquitous Computing and Wearable Computers . ACM, p. 911-920

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

  2. Teaching data ethics: "We're going to ethics the heck out of this"

    Henderson, T., 9 Jan 2019, Proceedings of the 3rd Conference on Computing Education Practice (CEP'19). New York: ACM, 4 p. 4

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

  3. Data Protection, certification and the fourth industrial revolution

    Henderson, T. & Schafer, B., 2019, (Accepted/In press) Regulating Industrial Internet through IPR, Data Protection and Competition Law. Ballardini, R. M., Pitkänen, O. & Kuommamäki, P. (eds.). Alphen aan den Rijn, The Netherlands: Kluwer Law International

    Research output: Chapter in Book/Report/Conference proceedingChapter

  4. Employee surveillance: the road to surveillance is paved with good intentions

    Edwards, L., Martin, L. & Henderson, T., 6 Oct 2018, (Accepted/In press) Amsterdam Privacy Conference. 30 p.

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

  5. Is WALL-E human? Introducing STEM and ethical decision-making to younger audiences

    Wong, J., 3 Oct 2018, p. 1. 1 p.

    Research output: Contribution to conferencePoster

ID: 259035782