How portable is portable? Exercising the GDPR’s right to data portability
Description changed:
Thanks to Janis Wong for agreeing to travel to present at this session.
As usual, we'll be starting around 19:00 BST.
The new European General Data Protection Regulation (GDPR) reinforces
existing data subject rights in an attempt to rebalance power between
citizens and the increasingly sizeable and international companies that
are collecting and exploiting data from them. The GDPR introduces one
new data subject right, and the focus of this talk, Article 20 the right
to data portability (RtDP). The RtDP aims to allow data subjects to
obtain and reuse their personal data for their own purposes across
different services.
As no empirical research has been done to assess the RtDP, we exercise
the right by making 230 real-world data portability requests across a
wide range of data controllers. The RtDP is interesting to study as it
operates under a framework that aims to be technologically neutral while
requiring specific technologies for implementation. Our research
assesses the ease of the RtDP process from the perspective of the data
subject and to examine the file formats returned by data controllers.
This talk will discuss the responses to 230 real-world data portability
requests, and examine the file formats returned and difficulties in
making and interpreting requests. We find variation in file formats, not
all of which meet the GDPR requirements, and confusion amongst data
controllers about the various GDPR rights. Legal and technical
recommendations and future work for various stakeholders are also be
discussed.