Praktische Umsetzung des Rechts

auf Datenübertragbarkeit
Rechtliche, technische und
verbraucherbezogene Implikationen

Practical Implementation
of the Right to Data Portability
Legal, Technical and
Consumer-Related Implications

Studie

Seite — 1
 A. Gegenstand der Regelung in Art. 20 DSGVO

Practical Implementation
of the Right to Data Portability
Legal, Technical and Consumer-Related Implications

Dr. Nikolai Horn, Prof. Dr. Anne Riechert,

Stiftung Datenschutz

Page — 57
Page — 58
 Executive Summary

Practical Implementation of the

Right to Data Portability

Legal, Technical and Consumer-Related Implications

Executive Summary
With the reform of European data protection law, a legal instrument will be introduced which creates
new practical requirements for the processing of personal data. Article 20 of the European General Data
Protection Regulation gives every individual the “right to receive the personal data concerning him or
her, which he or she has provided to a controller, in a structured, commonly used and machine-readable
format”.

This means that in the future, users will have the right to transfer the personal data concerning them
to another organisation without being prevented to do so by the first organisation. The aim of this new
data protection instrument is to prevent monopolies and to “free” users from large networks. The legis-
lative authorities of this reform hope that this possibility of transfer for their “own” data will lower the
barriers for consumers to change their providers of digital services and will give them better means of
control over their personal data.

However, it has not been specified yet how this theoretically plausible mechanism can be implemen-
ted in practice. Until now, neither business enterprises nor regulatory authorities have any experience
because there are no previous regulations or existing development of the law by judges on this topic, as
is for example the case with the “right to be forgotten” which was developed by the European Court of
Justice and which is referred to in this regulation.

Because of this, Stiftung Datenschutz has examined legal, technical and consumer-related implications
of the new legislation in this study and gives recommendations on the practical utilisation of this new
instrument. First of all, we will explain the subject matter of Art. 20 GDPR and illustrate essential prob-
lem areas in the implementation of the regulation. After this, we will present national and international
solutions suggested for data portability and assess the submissions which reached us after our Call for
Papers 1 as well as the recommendations of external experts. Finally, the study gives recommendations
with respect to the objectives of the regulation, the determination of its scope of application as well as
to possible implementation strategies and its technical realisation.

With respect to the objectives of the regulation, it is illustrated how the right to data portability can
basically give the users better means of control over their personal data. However, if the interpretation
of the regulation is too broad, data protection risks could even increase and it could result in a dispro-
portionately high amount of work for the data controllers regarding the categorisation and extraction of
data sets. Therefore, the interpretation of Art. 20 GDPR should only include such data where portability
actually serves the protection of data privacy (“informational self-determination”). The efforts and ex-
penses required for the implementation of the regulation have to be proportionate, also with respect to
its actual benefits for the consumers.

1 https://stiftungdatenschutz.org/themen/projekt-datenportabilitaet.

Page — 59
Regarding the issue of the legal scope of application, we suggest that the regulatory authorities should
precisely specify and narrow down the meaning of the concept “data provided” in addition to the sta-
tement of the Article 29 Working Party. Concerning the issue whether the scope of application includes
contract as well as user data, it should be decided for each individual case and for each specific service
whether this would actually improve the possibilities of control for the person concerned. In addition, it
is very important to guarantee sufficient transparency with respect to data processing by the previous
and the new controller and to distinguish this clearly from the right of access to the data. With respect to
the data format and the requested interoperability, issues of competition law have to be considered, as
well. All decisions must be based on the protective purpose of the regulation, which is intended to make
a switch to another provider easier. To support an orientation, it is important to achieve a European
harmonisation for the country-specific interpretation of Art. 20 GDPR.

In our analysis of suitable implementation strategies for the right to data portability, we illustrate that
a framework can especially be established with approaches of “regulated self-regulation”, in which
regulatory authorities, NGOs, and businesses develop implementation strategies and standards for
data portability. For an effective definition and arrangement of data portability and realisation of legal
compliance, companies and industries which will presumably be particularly affected should be invol-
ved in formal consultation processes of the regulatory authorities from an early stage. For the practical
implementation of data portability, industry-specific as well as universal approaches to solutions can be
considered depending on the respective field of application and context of processing. For cross-secto-
ral approaches, Personal Information Management Systems (PIMS) could be used. In case there is only
a low demand for data transfers acc. to Art. 20 GDPR, an individual, direct transfer of data sets could be
applied.

Regarding the issue of the technical definition and arrangement of data portability and the requirements
for a suitable compatible and interoperable data format, we will explain that the minimum requirement
is to write the data into a basic CSV format and to add a simple description of how the data is arranged
in the file. For more complex solutions, XML or JSON would be suitable. Those two standards fulfil the re-
quirements of machine readability and interoperability. They contain the data as well as descriptive me-
tadata and have sufficient depth due to their structure so that they are able to represent even complex
data structures. In addition, the contained information can be read by the concerned persons themsel-
ves using standard software, which also supports the exercise of information rights by the users. In any
case, it will be necessary to encrypt the transferred data. The technical implementation of data portabi-
lity will also have to ensure that different solutions are generally interoperable due to open interfaces.

Page — 60
 Index

Index
Page
A. Subject Matter of the Provisions in Art. 20 GDPR 62

I. The Right to Data Portability 62

1. Objective of the Regulation 62
2. Contents of the Regulation 62
3. Expectations and Reactions 64

II. Recommendations by the Article 29 Working Party 66

1. Summary of the Recommendations 66
2. Comparison of the Versions from December 2016 and April 2017 68
3. Effects of the Changes 72
4. Statements Regarding the Recommendations 71

III. Issues Needing Clarification 72

B. Implementation of the Provisions in Art. 20 GDPR 74

I. Statements 74
1. Research 74
2. Data Protection and Consumer Protection Organisations 79
3. Other Governmental and Non-Governmental Institutions 80
4. Industry Associations and Companies 82

II. Existing Solution Approaches 86

C. Assessment and Recommendations for Action 89

I. Assessment 89
1. Objectives of the Regulation 89
2. Determination of the Scope of Application 91
3. Implementation Strategies 96
4. Technical Realisation 99

II. Recommendations for Action 102

1. Objectives of the Regulation 102
2. Determination of the Scope of Application 102
3. Implementation Strategies 104
4. Technical Realisation 104

D. Annexes 107

I. External Statements 110

II. Technical Report – SCRC e.V. Leipzig 226
III. Legal Analysis Regarding the Scope of Application – Prof. Dr. Anne Riechert 246

Page — 61
 A. Subject Matter of the Provisions in Art. 20 GDPR

A. Subject Matter of the Provisions

in Art. 20 GDPR

I. The Right to Data Portability

1. Objective of the Regulation

In late May 2018, the citizens of the EU will be given a new legal instrument – the right to transfer their
personal data between different service providers (Art. 20 GDPR). While the existing data protection law
only contained a disclosure obligation for the responsible bodies in this regard, the new regulations
shall make it possible for a person “to receive the personal data concerning him or her, which he or she
has provided to a controller, in a structured, commonly used and machine-readable format” or to have
the data directly transferred to another data controller. The idea behind this regulation is to allow the
users to freely choose between competing internet services so that they are not “locked in” by their
previously selected service (so-called “lock-in effect”). The aim of the regulation is that such personal
data which is made available to a controller within the scope of a contract or otherwise with the consent
of the user, can be transferred to another controller upon the user’s request and without any fees or
obstacles. This is mainly meant to remove any asymmetries which prevent the customers from switching
to another service provider. The aim is to loosen customer retention by means of proprietary processing
formats – for example inside the “Apple ecosystem” – 2 and to allow the users more freedom of choice
in their decision between different service providers in terms of “data sovereignty”. The right to data
portability is meant to allow for a transfer of personal data as it is for example already the case for mail
forwarding, porting of mobile phone numbers, bank account changes or transfer of the no-claims bonus
when switching car insurances. This means that in the future, situations would be possible in which for
example a lessee of a car could request the information about his driving behaviour to be transferred to
another lessor in order to benefit from better conditions. 3

2. Contents of the Regulation

The right to data portability shall give users the possibility to transfer their personal data, which they
have provided to one institution, to another organisation without being prevented to do so by the first
data recipient. In detail, there are the following essential requirements for the right to data portability
according to Art. 20 GDPR:

> The data has to be personal data in terms of Art. 4, para. 1 GDPR and the right is limited to individual
persons.

> Data processing is based on the user’s consent or a contract with the user (Art. 20, para. 1a GDPR).

2 Sperlich, T., Das Recht auf Datenübertragbarkeit, DuD 6/2017, p. 377.

3 Schätzle, Ein Recht auf Fahrzeugdaten, PinG 02.16, p. 73.

Page — 62
 I. The Right to Data Portability

> The user has “provided” the concerned data to the controller, i.e. such data over which the person
has control and which they access themselves: The regulation does not apply to data which has been
generated by the data recipient by means of data processing.

> The processing is carried out by means of automated processes (Art. 20, para. 1b GDPR).

With respect to technical feasibility, the regulation emphasises that the transfer of data has to take
place in a “structured, commonly used and machine-readable format” (Art. 20, para. 1 GDPR), and that
“data controllers should be encouraged to develop interoperable formats that enable data portability”
(Recital 68). In addition, the person concerned can demand that the transfer takes place directly from
one controller to another “where technically feasible” (Art. 20, para. 2 GDPR).

The right to data portability shall also not affect the right to erasure according to Art. 17 GDPR (Art. 20,
para. 3, sentence 1 GDPR; Recital 68). Therefore, the right to data portability is no direct right to erasure
and hence does not result in a separate duty to delete data. This means that there is basically a right to
keep a “copy” 4 of the personal data provided. Furthermore, the request for a data transfer by the user
does not constitute an implied termination of an existing contract. 5

Art. 20, paragraph 3, sentence 2 GDPR also clarifies that the right to data portability does not apply
to any processing “necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller”. This means, if the personal data is processed for
the fulfilment of public services (such as archiving, statistic or research purposes), this right cannot be
exercised with respect to the responsible controller. 6 In addition, the right to data portability does not
apply to personal data of third parties (Art. 20, para. 4 GDPR) because in this case, the informational
self-determination of other persons is concerned.

According to Art. 13, para. 2b and Art. 14, para. 2c GDPR, respectively, the controller is obliged to inform
about the right to data portability. According to Art. 13, para. 2b GDPR, the information must be given at
the time of the data collection.

If the person concerned exercises their right to data portability, this does not affect any applicable sto-
rage periods. Their right of access to personal data (Art. 15 GDPR) shall remain unaffected, as well. This
right refers to any personal data even if the person concerned did not provide them in terms of Art. 20
GDPR. This way the right to data portability and the right of access according to Art. 15 GDPR can com-
plement one another.

If the person concerned asserts their right to withdraw their consent according to Art. 7, para. 3 GDPR
or their right to object according to Art. 21 GDPR, they can exercise their right to data portability as long
as the controller processes the data and provided they are not at the same time subject to a request
for erasure. According to the recommendations of the Article 29 Working Party, the persons concerned
should therefore be expressly advised of their right to data portability before they terminate an account.

4 Schätzle, Ein Recht auf Fahrzeugdaten, PinG 02.16, p. 74.

5 cf. Hennemann, Datenportabilität, PinG 01.17, p. 7.
6 Recital 68 GDPR.

Page — 63
 A. Subject Matter of the Provisions in Art. 20 GDPR

3. Expectations and Reactions 7

Positive Expectations
There have been different reactions to the introduction of the right to data portability. Supporters of the
new regulation consider Art. 20 GDPR a catalyst for a competition for data protection-friendly techno-
logies. 8 For example, the new right was evaluated as positive in the green paper “Digitale Plattformen”
(“Digital Platforms”) by the Federal Ministry of Economics and Technology (BMWi) because “the compe-
tition in innovation as well as the competition on conditions are promoted” when a change of platforms
is facilitated 9 (however, this would be subject to a practicable implementation 10 ). The Federation of
German Consumer Organisations also expressly appreciated the introduction of this regulation in their
statement regarding the BMWi green paper because it would – subject to an efficient realisation – create
an effective means to support data sovereignty in the digital world as well as the competition between
the platforms. 11 The first version of the guidelines by the Article 29 Working Party from 13 December
2016 emphasised that the regulation aimed for the promotion of new business models with more data
control. 12 The newly published report by the board of experts for consumer affairs (Sachverständigenrat
für Verbraucherfragen) also confirms the high relevance of the right to data portability for the exercise
of digital sovereignty. The report even called for considering the right to data portability a right of ter-
mination. 13

Not only in Europe, but also in the USA, the topic of data portability is considered very important. For
example, many stakeholders at the public consultation of the White House Office of Science and Tech-
nology Policy (OSTP) listed data portability as an important instrument for promoting competition and
improving the users’ control. 14

The positive expectations regarding the effects of data portability have also been emphasised by the de-
velopers of Personal Information Management Services (PIMS): According to them, data portability and
the reuse of already existing data sets allow for the expansion and increased efficiency of personalised
online services, while at the same time, the possibilities of data control for the users are improved. 15

7 Individual statements as well as statements regarding the guidelines of the Article 29 Working Party are illustrated in more
detail in Section B.
8 Albrecht, CR 2016, 88, 93.
9 Grünbuch Digitale Plattformen. Digitale Ordnungspolitik für Wachstum, Innovation, Wettbewerb und Teilhabe, p. 61. URL:
http://www.de.digital/DIGITAL/Redaktion/DE/Publikation/gruenbuch.pdf?__blob=publicationFile&v=10.
10 Weissbuch Digitale Plattformen. Digitale Ordnungspolitik für Wachstum, Innovation, Wettbewerb und Teilhabe,
p. 76 f. URL: https://www.bmwi.de/Redaktion/DE/Publikationen/Digitale-Welt/weissbuch-digitale-plattformen.pdf?__
blob=publicationFile&v=22
11 Grünbuch Digitale Plattformen, Stellungnahme des Verbraucherzentrale Bundesverbands, dated 26 September 2016, p. 18.
12 Article 29 Data Protection Working Party, Guidelines on the right to data portability, 13 December 2016, p. 5.
13 Sachverständigenrat für Verbraucherfragen, Digitale Souveränität, June 2017, p. 26.
14 White House Office of Science and Technology Policy. Request for Information Regarding Data Portability. 10/01/2017. URL:
https://obamawhitehouse.archives.gov/sites/whitehouse.gov/files/documents/OSTP-Data%20Portability-RFI-Responses_
for_humans.pdf.; Macgillivray, A., Summary of Comments Received Regarding Data Portability, 10/01/2017. URL: https://
obamawhitehouse.archives.gov/blog/2017/01/10/summary-comments-received-regarding-data-portability.
15 cf. Statement by ONECUB, see annex.

Page — 64
 I. The Right to Data Portability

Critical Reactions
There are also a lot of sceptical opinions regarding the new regulation. As the right is based on com-
petition law efforts to prevent “lock-in effects” 16, some are questioning whether it can be smoothly
integrated in the system of rights of affected persons as an instrument of data protection law. 17 In the
opinion of the Federal Council of Germany, the right to data portability “has the objective of allowing
the persons concerned to reuse their data in order to support competition rather than to protect their
privacy” 18. An analysis by the German Economics Institute in Cologne (Institut der Deutschen Wirtschaft
Köln) for example illustrates that while data portability might be supporting the data sovereignty of the
individual, it could in certain cases prove detrimental to the competition of start-ups and smaller busi-
nesses. 19 Some observers think that the hopes of the legislator that an increased self-determination of
the persons concerned over their data will result in an easier switch to other service providers and thus
break down market monopolies and “network effects” are not sufficiently justified. 20 In addition, it is
criticised that the original aim of the regulation, i.e. avoiding “lock-in effects” in social networks, is only
realised in Art. 20 GDPR to a limited extent, because this would mainly affect the rights of third parties
(for example “friends” on Facebook). 21

In addition, it is criticised that the scope of application of Art. 20 GDPR would also include industries
where the previously mentioned “lock-in effects” are not even an issue. Although the regulation would
be too “far-reaching” for these business models, it could nevertheless cause problems due to its imple-
mentation being required without exception. 22 Some parties also expressed concerns that the imple-
mentation of the regulation could involve high costs and risks (in particular for SME) while at the same
time being of little value for the users.

Another point of criticism is that the requirements regarding technical feasibility of data portability were
too vague. This refers on one hand to the legal uncertainty concerning the wording “where technically
feasible”, because it would be difficult to distinguish between a lack of practicability and unjustified
obstacles in individual cases. 23 On the other hand, the question is what could be considered a “com-
monly used format” and how interoperability between different formats which are “commonly used” but
not interoperable 24 should be guaranteed. 25

16 Herbst, in Kühling/Buchner, DS-GVO, Art. 20, marginal 4; Hennemann, Datenportabilität, PinG 01.17, p. 6.
17 Sperlich, T., Das Recht auf Datenübertragbarkeit, DuD 6/2017, p. 377; Moos, Datenportabilität – Eine Gefahr für daten-
getriebene Unternehmen?, eu-datareg as of 2/3/2016, available under: http://eudatareg.com/datenschutz-im-unternehmen/
datenportabilitaet-eine-gefahr-fuer-daten-getriebene-unternehmen/; Schätzle, Ein Recht auf Fahrzeugdaten, PinG 02.16, p. 74.
BITKOM, Statement concerning the right to data portability acc. to Art. 20 General Data Protection Regulation, 14/03/2017. p. 4.
18 Erläuternder Bericht zum Vorentwurf für das Bundesgesetz über die Totalrevision des Datenschutzgesetzes und die
Änderung weiterer Erlasse zum Datenschutz, 21 December 2016; www.ejpd.admin.ch/dam/data/bj/staat/gesetzgebung/
datenschutzstaerkung/vn-ber-d.pdf
19 https://policyreview.info/articles/analysis/data-portability-among-online-platforms; https://www.iwkoeln.de/studien/iw-
kurzberichte/beitrag/barbara-engels-nicht-immer-gut-datenportabilitaet-zwischen-online-plattformen-300089.
20 Kühling/Martini, EuZW 2016, 451; Hennemann, Datenportabilität, PinG 01.17, p. 8.
21 Hennemann, Datenportabilität, PinG 01.17, p. 8; Jülicher, Röttgen, v. Schönfeld, Das Recht auf Datenübertragbarkeit, ZD
8/2016, p. 359, 361.
22 Moos, Datenportabilität – Eine Gefahr für daten-getriebene Unternehmen?, eu-datareg as of 2/3/2016, available under:
http://eudatareg.com/datenschutz-im-unternehmen/datenportabilitaet-eine-gefahr-fuer-daten-getriebene-unternehmen/;
Jülicher, Röttgen, v. Schönfeld, Das Recht auf Datenübertragbarkeit, ZD 8/2016, p. 361.
23 Moos, Datenportabilität – Eine Gefahr für daten-getriebene Unternehmen?, eu-datareg as of 2/3/2016, available under:
http://eudatareg.com/datenschutz-im-unternehmen/datenportabilitaet-eine-gefahr-fuer-daten-getriebene-unternehmen/
24 Hennemann, Datenportabilität, PinG 01.17, p. 7.
25 Schätzle, Ein Recht auf Fahrzeugdaten, PinG 02.16, p. 74.

Page — 65
 A. Subject Matter of the Provisions in Art. 20 GDPR

II. Recommendations by the Article 29

Working Party

1. Summary of the Recommendations

On 13 December 2016, the Article 29 Working Party adopted recommendations concerning the right to
data portability and then passed a revised version on 5 April 2017.

In the opinion of the Article 29 Working Party, the right to data portability essentially includes the pos-
sibility for persons concerned to easily keep, control and reuse “their” data for their own purposes,
even when they switch between different service providers. According to the recommendations of the
Article 29 Working Party, this shall not only include the personal data of the persons concerned which
are automatically processed based on their consent or a contract and have been actively provided by
the data subjects (such as email address, user name chosen by themselves, age). The scope shall rather
also include data which is collected based on the user activities of a service or a device (e.g. protocols
of user activity or use of websites). However, the Article 29 Working Party underlined that the right to
data portability does not apply to user profiles because these are usually not provided by the persons
concerned but generated by the data controller. With respect to personal data of third parties, which are
affected by the data transfer, it is made clear that the recipient of the data is only allowed to process
them if there is a valid legal basis for this.

According to the recommendations of the Article 29 Working Party, data subjects should generally be
able to exercise the right to data portability without any obstacles and irrespective of the system, with
the possibility to copy data, save it to their own private devices or transfer it from one IT environment
to the environment of another data controller. As a consequence, data controllers shall establish appro-
priate processes which enable the persons concerned to request a data transfer and at the same time
ensure their authentication. The subsequent data transfer should either be carried out with a direct
transfer of the entire data set or by means of an automatic tool which allows for filtering out the relevant
data. In areas in which there are no commonly used formats, open formats should be used and be made
available with as much metadata as possible at the highest level of granularity. It is pointed out that a
format should be chosen which maintains all of the metadata that is relevant for an effective reuse of the
data. In this context, the data controller should consider whether the chosen format could prevent the
person concerned from reusing their data (for example a simple PDF from the inbox of an email account).

Apart from that, the Article 29 Working Party does not focus on one specific data format but rather on
an interoperable format; they do not require the systems of the data controllers to be compatible. They
consider the demand of the General Data Protection Regulation, to make data available in a structured,
commonly used and machine-readable format, the minimum requirement for the realisation of interope-
rability and urged industry and commercial associations to cooperate in order to develop interoperable
standards and formats.

Page — 66
 II. Recommendations by the Article 29 Working Party

With regard to time limits, the Article 29 Working Party recommends that the persons concerned shall
be able to exercise their right to data portability as longs as the data controller is processing the data.
Depending on the individual case, the data controller shall be given up to three months time from the
receipt of a request to provide information about the measures taken. Although Art. 12, paragraph 3
General Data Protection Regulation provides for a period of one month, this period could however be
extended for complex circumstances if the data controller notifies the person concerned about the delay
and its reasons within one month.

In addition, the Article 29 Working Party pointed out that the services of the data controller do not auto-
matically end with the data transfer but that the persons concerned could continue to use the respective
service. This would not entail the deletion of the data, nor did the exercise of the right affect the storage
period. Moreover, the controller is not allowed to delay or deny the exercise of other rights (such as
rights of access or withdrawal) if the persons concerned request a transfer of data.

Within the scope of the information requirements according to Art. 13, para. 2b and Art. 14, para. 2c
GDPR, the data controller shall expressly inform about the different types of data to which a right to
data portability or a right of access (Art. 15 and Recital 63) applies. The Article 29 Working Party on
Data Protection recommends that information about the right to data portability shall always factored
in by the data controller before the persons concerned close any existing account. To avoid any doubt,
the committee also explained in its recommendations that the data controller would not continue to be
responsible for complying with the principles of the General Data Protection Regulation with respect to
the transferred data after they have carried out the request for data portability. However, they had first
to make sure that only such data is transferred which the person concerned actually wanted to transfer.
Subsequently, the recipient of the data had to fulfil the duties according to Art. 5 GDPR as the new data
controller (fair and transparent data processing, purpose limitation, data minimisation, accuracy, inte-
grity and confidentiality, storage limitation and accountability). The previous controller shall also make
sure that only such data is made available which is relevant for the new data processing activities by
the data recipient and that the persons concerned are comprehensively informed about this procedure.
Finally, the data recipient has to inform about the purposes of the new data processing activities before
a data transfer is requested. In this context, the Article 29 Working Party used the wording “clearly and
directly” as well as “state”. 26 The question is, whether in the future these terms will be consistently
interpreted in all member states of the European Union or translated with the same basic meaning.

26 “Therefore, the ”new” receiving data controller must clearly and directly state the purpose of the new processing before any
request for transmission of the portable data in accordance with the transparency requirements set out in Article 14.”

Page — 67
 A. Subject Matter of the Provisions in Art. 20 GDPR

2. Comparison of the Versions from December 2016

and April 2017
Although the above summary of the revised version from 5 April 2017 still mentions the stimulation of
competition between the data controllers, this general issue has been removed from the recommenda-
tions of the Article 29 Working Party. Now, it is emphasised that the main objective of data portability is
to improve the control rights of the persons concerned over their personal data. Thus, the focus is clearly
shifted to data protection aspects. 27

The Article 29 Working Party justified their decision that data controllers were not responsible for the
further processing as well as the compliance with the regulation by the recipient after a data transfer
specifying that the previous controllers did not choose the recipient themselves (p. 5 and p. 6/new).

With respect to the exercise of the rights of the persons affected, they added that a contract for com-
missioned data processing (Art. 28 GDPR) had to include the obligation of the processor to support the
controller in carrying out data transfers with suitable technical and organisational measures. Therefore,
both of them had to jointly adopt processes for carrying out data portability requests. In case of their
joint responsibility, the individual tasks should be clearly assigned with respect to the processing of the
data portability request (p. 6/new).
Moreover, they pointed out that any bodies who are to receive data following a data portability request
of a person concerned would not be obligated to accept this request. Hence, there would be no obliga-
tion to process data (p. 7/new).

Regarding the application of the principles of data portability, the revised version emphasises that these
principles are not applied if it is clear that the person concerned does not wish to exercise this right but
another specific right to data transmission. As an example, it mentions EU directive 2015/2366 of the
European Parliament and the Council regarding payment services in the internal market (PSD2) (p. 7/8
new).

The new version was also supplemented by advice on the handling of employee data. The Article 29
Working Party pointed out that often, application cases had to be assessed individually. As examples
for a right to data portability, they for instance listed payment transactions or internal personnel recru-
itment (p. 8/9 new).

The recommendations of the Article 29 Working Party) also made it clear that data portability does not
apply to the B2B area (p. 8/new).

Furthermore, the obligations of the data recipient and thus the new data controller according to Art. 5
GDPR were emphasised by expressly listing them (p. 10/new: “fair and transparent processing, purpose
limitation, data minimisation, accuracy, integrity and confidentiality, storage limitation and accountabi-
lity”).

27 For example, statements such as the following were deleted: “Indeed, the primary aim of data portability is to facilitate
switching from one service provider to another, thus enhancing competition between services (by making it easier for
individuals to switch between different providers). It also enables the creation of new services in the context of the digital single
market strategy” or “This right aims to foster innovation in data uses and to promote new business models linked to more data
sharing under the data subject’s control.”

Page — 68
 II. Recommendations by the Article 29 Working Party

In addition, the Article 29 Working Party specified which data shall be included by data portability. In
detail, they listed protocols of user activities, chronicles of website usage or search requests (p. 10/
new). As an explanation, they added that the ability to enquire about their user activities would give the
person concerned knowledge about the protection of their privacy and would therefore enable them to
choose which data they want to provide for a similar service.

Any disadvantages for third parties involved in the transfer process had to be avoided. As an example,
the Article 29 Working Party pointed out that no user profiles of third parties shall be accumulated wi-
thout their knowledge or consent, nor shall information about them be queried or specific profiles be
created. The Article 29 Working Party carefully expressed the opinion that such data processing might
be unlawful and unfair (“is likely to be...”). This means that there is still a need for interpretation in this
regard (p. 12/new).

With respect to the information to be provided about the right to data portability, the revised version
by the Article 29 Working Party now differentiates more clearly between the provisions of Art. 13, para.
2b GDPR (if data was collected from the person concerned) and Art. 14, para. 2c GDPR (if data was not
collected from the person concerned). For the latter, it is clarified that the information has to be provided
at the latest within one month after receipt of the data. In contrast to the original version from December
2016, the Article 29 Working Party now recommends as “leading practice” (previously “best practice”)
that the persons concerned should be provided with data and not that the recipients of the data shall
provide information as the new controllers. 28 In general, it is emphasised that the provision of informa-
tion supports the procedure of fair data processing (p. 13/new).

In the revised version, a paragraph regarding the authentication of the user was added which again
emphasises that the corresponding processes were often already available and that for instance the
respective log-in data and password could be sufficient for the identification of the person concerned.
At the same time, it is pointed out that the data controller’s possibility to request additional information
in order to determine the identity of the person concerned should not result in a collection of personal
data.

In its revised version, the committee recommends two alternatives for data portability. While in the
original version, the section “Data Portability Tools” referred to different implementation possibilities,
for example the direct download, as well as to the application programming interface (API), the revised
version now expressly indicates two different ways of data transmission which are also free of charge:
The direct transfer of the entire data set or an automatic tool which allows for an extraction of relevant
data. The decision between these alternatives shall be made based on the individual case. The Article 29
Working Party explained that the second alternative could be more suitable for extensive and complex
data sets (p. 16/new).

The provision of the original version that as much metadata as possible shall be made available at the
highest level of granularity was clarified in the revised version indicating that commonly used and open
formats shall be used, unless another format was customary in a certain industry or a certain context.
As examples, the formats XML, JSON, CSV were listed (p. 18/new).

With respect to the security of the data transfer, it was added that any risks should be minimised by

28 05/04/2017: “…as leading practice for “receiving” data controllers, the WP29 recommends that data subjects are provided
with complete information about the nature of personal data which are relevant for the performance of their services“.
13/12/2016: “…as a best practice for “receiving” data controllers, the WP29 recommends that they provide data subjects with
complete information about the nature of personal data which are relevant for the performance of their services.”

Page — 69
 A. Subject Matter of the Provisions in Art. 20 GDPR

using additional authentication information, such as a secret answer to a specific question or a one-off
password (p. 19/new).

3. Effects of the Changes

The changes in the revised version from early 2017 are mostly of a clarifying and explanatory nature, but
do not fundamentally change the basic meaning of the original text. For example, some reasons were
added which support or substantiate the original statements. This applies for instance to statements
regarding accountability, amendments to Art. 5 GDPR by listing the specific duties this includes, and
additions to the authentication measures or with respect to information duties.

In detail, the following changes are important:

The Article 29 Working Party put a stronger focus on the protection of the right of data subjects to
determine the use of their private data as the purpose of the right to data portability. Any statements
concerning the stimulation of competition were removed.

In addition, the revised version contains a recommendation for two possible alternatives for the imple-
mentation of data portability.

One clarification concerns the differentiation of the right to data portability from other legal provisions
in the individual member states. In this regard, clear criteria should be developed in the future in order
to determine to what extent the requirements of the right to data portability have to be fulfilled or will
not be applied, for instance within the scope of the PSD2 directive, which the Article 29 Working Party
mentions as an example.

This applies to employee data, as well, which are mentioned for the first time in the revised version. In
this case, too, there are still no clear criteria in which constellations the right to data portability can be
exercised.

The new version also clearly specifies that processors are obligated to support the controller in the
realisation of data portability by means of suitable technical and organisational measures and that this
obligation must be stipulated in a contract.

With regard to the information duties of the data recipient as the new controller, it is questionable
whether the modification of the wording from “best practice” to “leading practice” actually entails any
qualitative changes. The same applies to the grammatical rewording of an active obligation into an im-
personal passive construction. 29 Based on the wording in itself, the latter is however relevant because
now, the recipient of the data as the new controller is no longer required to provide the information
immediately.

29 See above: 13/12/2016: “…as a best practice for “receiving” data controllers, the WP29 recommends that they provide data
subjects with complete information about the nature of personal data which are relevant for the performance of their services.”
05/04/2017: “…as leading practice for “receiving” data controllers, the WP29 recommends that data subjects are provided with
complete information about the nature of personal data which are relevant for the performance of their services“ (p. 13 of the
recommendations).

Page — 70
 II. Recommendations by the Article 29 Working Party

However, it has to be taken into account in this context that elsewhere in the text, the data recipient is
obligated to inform clearly and immediately about the purpose of the new data processing (p. 7/new). 30

4. Statements Regarding the Recommendations 31

Most of the reactions came after the first version of the guidelines by the Article 29 Working Party from
13 December 2016 was published, also because the stakeholders had been invited during the public
consultation to explain their point of view with regard to the interpretation and implementation of the
new regulation. After this invitation, more than 90 statements were submitted (not all of them being
publicly available).

Many stakeholders expressed concerns due to the large number of strict requirements for the data
processor, while at the same time, no clear instructions were given how these requirements should be
handled. One of the central points of criticism of the statements referred to the interpretation of the
term “provide” because the GDPR does not give a legal definition for it. The critics claimed that it was
therefore unclear whether it only included data which is relevant for the functionality of the service (and
thus for a possible transmission) or if it also included traffic data such as search history, location data,
etc. 32 Several stakeholders requested a detailed clarification of what exactly was meant with personal
data “provided” by a person in contrast to “inferred”/”derived” data in the context of the regulation.

They also said it should be clarified that the right to data portability did not apply to sensitive company
data if this would disclose trade secrets of the company and might be made available to competitors.
There was also some uncertainty with respect to data which was collected within the scope of a busi-
ness relationship – such as surfing behaviour of employees at their place of work, business mail traffic,
video surveillance material, etc. 33 In addition, they asked for a clear specification that the regulation
would only apply to such data which actually contributes to the so-called informational self-determina-
tion of the user. 34

30 See above: “Therefore, the ”new” receiving data controller must clearly and directly state the purpose of the new processing
before any request for transmission of the portable data in accordance with the transparency requirements set out in Article 14.”
(p. 7 of the recommendations).
31 The individual statements will be discussed in detail in Section B.
32 cf. BITKOM. Position Paper. Bitkom views on Article 29 Working Party draft Guidelines on the right to data portability (WP
242), 31/01/2017, p. 2; https://www.nautadutilh.com/en/information-centre/news/2017/1/gdpr-series-part-4-the-right-to-data-
portability-including-article-29-working-party-guidelines/; Center for Information Policy Leadership, Comments by the Center for
Information Policy Leadership on the Article 29 Data Protection Working Party´s “Guidelines on the right to data portability”, p.
7.
33 cf. Center for Information Policy Leadership, Comments by the Center for Information Policy Leadership on the Article 29 Data
Protection Working Party´s “Guidelines on the right to data portability”, p. 7.
34 cf. Center for Information Policy Leadership, Comments by the Center for Information Policy Leadership on the Article 29 Data
Protection Working Party´s “Guidelines on the right to data portability”, p. 1-2.

Page — 71
 A. Subject Matter of the Provisions in Art. 20 GDPR

With respect to the technical implementation, the most important area for further discussion were the
issues of standardisation and compatibility of formats as well as the issue of ensuring the interoperabi-
lity of data sets. 35

Here, a clear differentiation between compatibility and interoperability would be welcome. 36 In this con-
text, the stakeholders also asked for a better clarification of the concept “structured, commonly used
and machine-readable format”.

In conclusion, it can be noted that the provisions of Art. 20 GDPR have raised many questions, mainly
with regard to their scope of application. It seems that the coordination between different stakeholders
from the economy, data protection authorities and the EU commission will have to be improved and en-
hanced. The most important aspects will be problem-solving approaches from the economy as well as a
cross-sectoral discourse between stakeholders from different industries.

III. Issues Needing Clarification

The new data protection instrument of portability has been developed to give the users better control
over their personal data. However, it has not been specified yet how this theoretically plausible portabi-
lity can be implemented in practice. With respect to practical implementation, the following issues will
have to be resolved:

a) Objectives of the Regulation

• Is the new regulation practically suitable to actually improve the protection of data privacy (“informa-
tional self-determination”) for consumers?

• Will the regulation really be able to break down network and “lock-in” effects?

• Will it result in a locational advantage for data protection in Europe or will this in the worst case only
remain regulatory wishful thinking?

• Which advantages and disadvantages will the new regulation have for users and data processing
companies?

• What does the regulation entail for industries and companies, where “lock-in effects” are not an issue?

35 cf. https://medium.com/mydata/comments-on-data-portability-guidelines-2102d447f73b; https://

www.nautadutilh.com/en/information-centre/ news/2017/1/gdpr-series-part-4-the-right-to-data-portability-
including-article-29-working-party-guidelines/; BITKOM. Position Paper. Bitkom views on Article 29 Working
Party draft Guidelines on the right to data portability (WP 242), 31/01/2017, p. 3. https://www.google.de/
url? sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwifko_95uLUAhUCmrQKHSsQAmcQFgg
rMAA&url=https%3A%2F%2Fetno.eu%2Fdatas%2Fpositions-papers%2F2017%2F170131%2520ETNO_Data%2520Portability_
Memo%2F170131%2520ETNO_D ata%2520Portability_Memo.pdf&usg=AFQjCNHC5Cwe6fHkpMMcIYJw5Duq0y7IXw&cad=rja.

36 cf. Center for Information Policy Leadership, Comments by the Center for Information Policy Leadership on the Article 29 Data
Protection Working Party´s “Guidelines on the right to data portability”, p. 12.
cf. Center for Information Policy Leadership, Comments by the Center for Information Policy Leadership on the Article 29 Data
Protection Working Party´s “Guidelines on the right to data portability”, p. 12.

Page — 72
 III. Issue Needing Clarification

• Do we need clearer specifications from the legislator or other accompanying measures in order to
ensure the effectiveness of the regulation and its added value for the informational self-determination
of the consumer?

b) Determination of the Scope of Application

• How narrowly or broadly should the aspect of the “provision of data” in terms of Art. 20, paragraph
1 GDPR be interpreted? Can and should the types of data affected by the right to data portability be
categorised?

• In which cases would it be justified to deny a transmission of data (trade secrets)?

• How should cases where data transmission is practically impossible be distinguished from cases of
illegitimate hindrance with respect to the provision “where technically feasible”?

• Should an obligation to enable interoperability and compatibility be required? Where could this requi-
rement be incorporated?

• Is it helpful to limit the aspect of provision to the respective service and thus to data which is required
for the usage of a similar service?

• Should the aspect of provision be limited further and only include data which is necessary for a planned
switch to another service provider?

c) Implementation Strategies
• Which strategies for the structural implementation of the right to data portability would be appropri-
ate for individual enterprises and groups of companies? Which forms of cooperation would be helpful
(associations in terms of Art. 40, para. 2 GDPR, alliances/groupings, consortia)?

• To what extent would a platform-independent/cross-sectoral solution be possible? Would sector-spe-

cific approaches be more appropriate?

• Which special requirements could emerge for the data protection management of companies (e.g.
involvement of the data protection officer)?

d) Technical Realisation
• What does “commonly used format” mean precisely? Which specific requirements must be laid down
for a compatible format?

• How could a cross-sectoral integration of different services be reflected in the data format (e.g. auto-
motive industry/insurance industry: transfer of vehicle/driver data and insurance data)?

• Which technical tools could be used in order to allow for data portability?

• How should the verification of the identity of customers requesting a transfer be ensured?

Page — 73
 B. Implementation of the Provisions in Art. 20 GDPR

B. Implementation of the Provisions in

Art. 20 GDPR

I. Statements

1. Research
In answer to the Call for Papers by Stiftung Datenschutz, Armin Gerl and Dirk Pohl from the University of
Passau analysed the legal requirements and technical implementation solutions regarding the right to
data portability: 37

Legal Considerations
The authors differentiate between the right to copy the data (Art. 20, para. 1) and the right to transfer
the data to another controller (Art. 20, para. 2). In this context, the right to receive a copy is placed close
to the right of access according to Art. 15. Both entitlements are described as negotiation processes,
where Art. 20, para. 1 is called “Data Subject Negotiation” and Art. 20, para. 2 is called “Controller Ne-
gotiation”.

With respect to the legal requirements, the authors emphasised that a real right to data portability must
not be identical to the other rights of the General Data Protection Regulation such as the right of access
according to Article 15. Therefore, the authors argue in favour of a broader scope of application of the
regulation, because even non-personal data could have an economic value and thus should also be co-
vered by the right. In addition, competition law and interoperability are not the only important aspects
to be considered for the right to data portability. They argued that in fact, a consistent legislation was
required in the European Union which defines the legal characteristics of data and clarifies the right of
ownership over the data, in particular if more than one person is concerned. In this context, it had to be
considered that each data controller would have to decide which properties are categorised as personal
data and provided by the person concerned and which data would also refer to third parties.

In connection with the legal requirements, the authors also discussed whether an obligation to accept
the data would be desirable. They pointed out that the person concerned initiates the data transfer, but
the right would be overall significantly limited by the fact that there is no corresponding obligation for
the new controller to accept the data and that this was furthermore limited to cases of technical feasibi-
lity. For a balance of interests, they suggest that the controller should be obligated to announce which
formats the receiving bodies can use for the data import.

Technical Considerations
With regard to the technical feasibility of data portability, the authors believe that it is unlikely that the
transmission in itself would pose any significant technical problems. The authors define the term intero-
perability as the ability to exchange information and to use the use the exchanged information together.
However, interoperability as the minimum requirement in the General Data Protection Regulation would
not ensure compatibility or guarantee a result which allows for interoperable systems. For this, compe-
tition law aspects would have to be considered, as well.

37 See Section D.

Page — 74
 I. Statements

Therefore, the authors do not describe a concrete technical solution for a possible format in their sub-
mission, but develop different scenarios how the legal conditions should be harmonised with the techni-
cal requirements. The basis for this is their above-mentioned differentiation between Art. 20, para. 1 as
“Data Subject Negotiation” and Art. 20, para. 2 as “Controller Negotiation”. With respect to the process
“Data Subject Negotiation”, they suggest a user interface so that the person concerned can intervene
in the data transfer and support, check or correct it. However, this would require the format to still be
readable by humans.

The second case, “Controller Negotiation”, is described as negotiation between the controllers and the
authors believe that in this case, too, at least a “minimalist” user interface should be considered. As-
suming that there is a commonly used format, this format should generally be used in the negotiations
between the controllers. However, the authors stated with regard to a “commonly used” format that this
was not a technical property but would rather depend on market conditions. What is common could ra-
pidly change due to the fast-paced technical developments. In case there is no such format, the previous
controller and the new controller will have to agree on a format and correspondingly inform the person
concerned about the result of the data transfer. This information can also be given by both of them, with
the requirements for the previous controller being determined by Art. 12, para. 3 GDPR and those for the
new controller being determined by Art. 13 GDPR.

The authors describe these two negotiation processes based on several possible scenarios, which can
occur during data synchronisation or data transmission. In order to illustrate this, they sketch out a
database and describe the personal data stored there as units of attributes with individual identifiers
(such as: first name/last name/date of birth) and the corresponding concrete values (accordingly for
instance: Jane/Doe/12/08/1964). The attributes could then be further sub-categorised based on their
format (e.g. as “text” or “cipher”).

The authors pointed out that the most simple solution would be if the identifier of the attributes (“last
name”) and the format (“text”) were the same for both source and destination, because in this case, the
value of the source could be migrated without any changes. In case of differences between the iden-
tifiers of source and destination, a format for data transfer would have to offer various identifications
which can be extended by the controller at any time if the identifier is unknown. This would additionally
raise the question who is responsible for the maintenance and administration of such a centralised data
base.

Moreover, it was essential that a format for data transmission was able to separate the different concre-
te values of the personal data (e.g. subdivision of an address in “street name and number”) and/or to
combine them (e.g. combination of “street name and number” in one address), to incorporate semantic
relations between the identifiers (e.g. calculation of age based on birth date) as well as to allow for ch-
anges of the format (e.g. conversion of a text to a cipher). This would, amongst other aspects, require a
granular way of description of the attribute, including different “sub-identifiers” and “sub-formats”. In
addition, they mentioned the possibility that the respective sources and destinations would not neces-
sarily have to contain the same attributes, meaning that for this case, too, an appropriate handling had
to be ensured.

Page — 75
 B. Implementation of the Provisions in Art. 20 GDPR

Conclusions from the Legal and Technical Considerations

In general, the authors believe that the future of data portability is mainly driven by technical develop-
ments. For the technical realisation, it would be necessary to find a commonly used and expressly de-
scribed portability format with properties which enable and support the negotiation process for the
described scenarios. According to the authors, codes of conduct (pursuant to Art. 40 GDPR) are a hel-
pful instrument in order to support the right to data portability. In general, the interfaces will have to
be defined for the controllers in order to avoid proprietary solutions. Moreover, it is necessary that
there are enough metadata for the realisation of the negotiation process. With regard to informational
self-determination, it would also be positive to provide for readability by humans as a requirement for
the portability format in order to inform the persons concerned and to support the negotiation process
by manual interventions.

Nevertheless, the authors are critical with respect to the question whether the economic advantages
would be strong enough to ensure a corresponding market behaviour. They also critically questioned
whether it would always be possible (even) within one and the same industry to provide for mutual
data portability from a technical point of view. As an example, they mentioned the services Twitter and
Facebook. For instance, twitter limits its text length to 140 characters, while Facebook would allow sig-
nificantly longer messages.

In one analysis submitted after the Call for Papers by Stiftung Datenschutz, the association Technolo-
gie- und Methodenplattform für die vernetzte medizinische Forschung e.V. (TMF) dealt with data por-
tability in the field of medical research. They explain for example, to what extent an “empowerment”
of patients could be achieved with this regulation and which problems and open questions this would
entail. 38 The analysis describes that in medical research, very comprehensive and detailed data is col-
lected and that this collection goes far beyond a mere recording and description of medical conditions.
With regard to the “added value” for data sovereignty, they emphasised that the provision of their own
data for research or the transfer of data from one institution to another can generally be in the interest
of the persons concerned. Research results could have direct advantages for patients, in particular in
case of conditions for which there was no sufficient or standardised therapy – for example in the field
of oncology. However, not all application cases in research would equally benefit from data portability
being facilitated and the advantages for the persons concerned could also differ very much. Oftentimes,
the complexity of the health data sets alone would significantly limit their usefulness for data subjects.

Apart from that, the authors also address the data types in medical research and the issue of a diffe-
rentiation between the data “provided” by the patients and “interpreted” data. They explain that there
was some uncertainty about when data could no longer be considered as provided by the concerned
persons themselves. Because even the observation data, which was included in the provisions of Art. 20
GDPR, was often based on a more or less comprehensive analysis. The issue of a possible infringement
of third party rights is illustrated based on the example of genetic diagnostics which allow conclusions
regarding the health of relatives.

With regard to compatibility, they explain that on one hand, there were a number of industry- and sec-
tor-specific formats in the healthcare sector, but on the other hand, this did not mean that there is a
solution for a data exchange across these boundaries.

38 See Section D.

Page — 76
 I. Statements

So this is an issue with respect to the requirement of interoperability. Interoperability itself would requi-
re the use of coordinated standards – but this coordination process was complex because many stake-
holders had to be involved and the heterogeneity of the data had to be taken into account. In addition,
several different levels have to be incorporated: Structural interoperability (a common data model),
syntactical interoperability (a common syntax) and semantic interoperability (a common understanding
of the data contents). Interoperability for different formats could only be achieved if these could be
reasonably converted between each other. For this purpose, the involved formats would have to be de-
scribed and documented in sufficient detail. Moreover, the classification and separation of “provided”,
“observed” and other data would pose a particular technical challenge for the implementation.

Finally, they emphasised that electronic medical records could be a suitable technical basis for fulfilling
the requirements of data portability. Electronic medical records collect all of the medical information
about the persons concerned in a structured form and can be controlled by the person concerned with
regard to contents and access. However, there is still no clear concept of who would be a suitable opera-
tor of such medical records based on an appropriate business model, and according to which structure
and based on which standards the data could be exchanged between treatment facilities and these
electronic medical records. In addition, it would have to be taken into account that clinical and research
facilities in medicine process extremely sensitive medical data and thus special measures would have
to be taken in order to guarantee fulfilment of the data protection and data security requirements – for
example setting up a safe web portal for the encrypted download of data following a secure authenti-
cation.

The issue of so-called “lock-in effects” in social networks is discussed in the paper “The Importance of
Data Portability and Interoperability in the Social Web” which was submitted to Stiftung Datenschutz
by Sebastian Göndör from TU Berlin Service-centric Networking. 39 He explained that today, social net-
works are a communication medium with enormous importance and reach. However, social networks
are mostly designed as isolated solutions (“island solutions”) and benefit from network effects through
which they continuously gain new users. This means that smaller competitors are pushed out of the
market or into niche solutions, which massively hinders competition and innovation within the social
web. Operators of social networks and communication platforms bind users to their services. Free com-
munication with other services is not possible. Due to this, users lose control over their data and their
usage. Therefore, data portability and interoperability would be appropriate measures in order to allow
for an open and free social web in which users retain control over their data and are able to communicate
freely. In order to achieve this, suitable protocols and data formats would have to be created.

In his paper, the lawyer Michael Strubel dealt with the scope of application of the right to data porta-
bility. 40 In his discussion of the guidelines by the Article 29 Working Party, the development history,
the very substance of the regulation as well as the analysis of its wording, he in particular analyses the
concept of the “provision of data”. In his analysis, he points out that regarding the interpretation of this
term, there was a discrepancy between the broad interpretation by the Article 29 Working Party and the
necessity to limit the scope of application of the right. He emphasises that a too broad interpretation of
the aspect of “observed data” which is “provided” could result in the criterion of “provision” getting out
of hand and thus becoming meaningless. As a possible solution, he suggests a compromise in which
Art. 20 GDPR is not applied to all “observed data” per se but the criterion of provision is interpreted in
a “service-specific” way and applied to such derived personal data which is necessary for the provision
of the respective service.

39 See Section D.
40 Strubel, Michael, Anwendungsbereich des Rechts auf Datenübertragbarkeit, in: ZD 8/2017, p. 355-361.

Page — 77
 B. Implementation of the Provisions in Art. 20 GDPR

The head of the department of tele-media at the regional Bavarian data protection authority (Landesamt
für Datenschutzaufsicht), Kristin Benedikt, particularly emphasised challenges in the field of authenti-
cation with regard to the practical implementation of data portability. 41 Because the bodies disclosing
the data would in any case be obligated to verify the identity of the person requesting the data transfer
in cases of doubt according to Art. 12, para. 6 GDPR, it would be advisable for them to carry out a stan-
dard identity check in every case, for example by providing/transmitting the data only after successful
entry of a log-in and personal password. In addition, it had to be made sure that the data to be trans-
ferred was not only transmitted to the correct recipient but that this was also taking place in a secure
manner. Therefore, transport layer security by means of encryption would be a minimum requirement.

Barbara Engels from the Institute of German Economy (Institut der deutschen Wirtschaft), Cologne, sub-
mitted an analysis 42 describing that while data portability could be beneficial for the data sovereignty
of the individual, it could in some cases prove detrimental to competition. In her opinion, many of the
legislator’s demands do not take the special characteristics of platform markets into account. On one
hand, data portability would result in better control over their data for the users, lower market entry bar-
riers and increase the chances of new businesses to establish themselves. On the other hand, the imple-
mentation costs for data portability might be detrimental to start-ups and smaller businesses because
established companies were better able to increase market power with their resources, which could
result in disadvantages for the users. Barbara Engels believes that because of this, the right to data
portability will have to be interpreted in a finely nuanced way so that the competition and innovation ac-
tivity of companies is not hindered. Data portability should be enforced in markets with complementary
products. In other markets, this would – from the point of competition policy – only be necessary where
there is a high risk of market power abuse, as it is the case on the search engine market.

In the “European Journal of Law and Technology”, Aysem Diker Vanberg and Mehmet Bilal Ünver critical-
ly discuss the practicability of the right to data portability under the European General Data Protection
Regulation. 43 They explain that the main difference between the General Data Protection Regulation and
European competition regulations was that the General Data Protection Regulation only applies to indi-
vidual persons so that the provisions regarding competition could be supplemented by EU competition
regulations, in particular by Art. 102 TFEU. This would require that this right is analysed in detail within
the scope of competition law provisions and precedents. They also pointed out that the right to data
portability would require the development of new services which import data from a service in a certain
format and then import it in another service. However, especially small and medium enterprises did of-
ten not have the necessary resources in order to fulfil these requirements of the General Data Protection
Regulation, while the costs were not significant for large companies. Moreover, they underlined that it
was still unclear whether the users would actually make use of their right to data portability. In order to
make sure that the right can be effectively exercised by the persons concerned, they would have to be
given more information about the importance and consequences of the right. Therefore, the national
data protection authorities in particular should explain the possibilities of data portability as well as
possible ways of filing complaints through their websites in simple and easily understandable language.

41 Benedikt, Kristin, Datenportabilität – das neue Recht des Betroffenen; RDV 2017,189 [190].
42 https://policyreview.info/articles/analysis/data-portability-among-online-platforms; https://www.iwkoeln.de/studien/iw-
kurzberichte/beitrag/barbara-engels-nicht-immer-gut-datenportabilitaet-zwischen-online-plattformen-300089.
43 Vanberg, Aysem Diker/ Ünver, Mehmet Bilal, The right to data portability in the GDPR and EU competition law: odd couple or
dynamic duo?, in: European Journal of Law and Technology, Vol 8, No 1, 2017. URL: http://ejlt.org/article/view/546/726.

Page — 78
 I. Statements

2. Data Protection and Consumer Protection Organisations

The report “Digitale Souveränität” (“Digital Sovereignty”) by the Sachverständigenrat für Verbraucher-
fragen (board of experts for consumer affairs, SVRV) indicates that data portability is highly relevant for
the exercise of digital sovereignty. 44 As the so-called “lock-in effects” would entail a risk of market pow-
er abuse, the SVRV recommends developing easily manageable, simple standards with respect to inte-
roperability, which ensure compatibility between digital services and thus allow for opening the market
to new and innovative service providers. At the same time, they claimed that the right to data portability
– the same way as digital payment traffic – should be considered a “termination of the underlying consu-
mer contract” under obligation law, so that the consumers can “request their data to be returned in a
commonly used, machine-readable and interoperable format or their deletion free of charge”. 45

The statement from the Verbraucherzentrale Bundesverband (Federation of German Consumer Orga-
nisations, VZBV) from autumn 2016 regarding the Green Paper by the Federal Ministry of Economics
and Technology expresses a favourable opinion on the introduction of the right to data portability, as
it reduced consumer costs for changing platforms, avoided “lock-in effects” and therefore promoted
competition. 46 The VZBV focuses in particular on an effective implementation of the right and the com-
pliance with high standards of data protection. The Federation explained that it was still an issue how
powerful companies could be persuaded to make data portability available to users. They also expres-
sed concerns whether a mere co-regulation could be successful, because powerful platforms would not
be interested in facilitating the migration of their users to competitors. 47

The statement of the European Data Protection Supervisor (EDPS), “Opinion on Personal Information
Management Systems2 from September 2016, in particular emphasises the importance of “Personal
Information Management Services” (PIMS) for the implementation of the right to data portability. 48 The
idea behind the PIMS solutions is to give the users a comprehensible and easy possibility to manage
their data and change their transmission preferences for several service providers at the same time with
a standardised and centralised data control in a one-stop solution (“One-Stop Shop”). 49 PIMS would
therefore be especially suitable for transmitting personal data in a targeted, complete and efficient man-
ner and thus allow for more user control. 50 However, many of these solutions are still in a development,
test or implementation stage.

44 Sachverständigenrat für Verbraucherfragen, Digitale Souveränität, June 2017, p. 26.

45 ibid., p. 27.
46 Grünbuch Digitale Plattformen, statement by Verbraucherzentrale Bundesverband, dated 26 September 2016, p. 10, 18.
47 ibid., p. 10.
48 European Data Protection Supervisor, Opinion 9/2016 “EDPS Opinion on Personal Information Management Systems”, p. 9.
49 See also: Stiftung Datenschutz, „Neue Wege bei der Einwilligung im Datenschutz – technische, rechtliche und ökonomische
Herausforderungen“, p. 7 ff. URL: https://stiftungdatenschutz.org/themen/projekt-einwilligung-und-transparenz/
50 European Data Protection Supervisor, Opinion 9/2016 “EDPS Opinion on Personal Information Management Systems”, p.
12-13.

Page — 79
 B. Implementation of the Provisions in Art. 20 GDPR

3. Other Governmental and Non-Governmental Institutions

In December 2016, the Research Services of the German Bundestag finished their work regarding the
question to what extent a market concentration or monopoly position could apply to digital platforms. 51
They analysed the so-called OTT services 52 , which they defined as services which are not based on a
provision of content but which enable individual or group communication using the IP protocol (internet
protocol). They also limited their study to messenger services such as Skype, WhatsApp, and email
services.
In general, the question is to what extent these services have to be regulated in order to create equal
conditions of competition. Explanations are given with respect to Art. 6 and Art. 18 of the Telecommu-
nications Act, 53 but also with respect to the right to data portability pursuant to Art. 20 General Data
Protection Regulation. In this context, they refer to the point of view of the Federal Network Agency,
according to which the prevailing opinion is that there is no national need for additional regulations
regarding Art. 20 GDPR. This is complemented by citing a statement from the Federation of German
Consumer Organisations saying that the federal government should rather work towards effective data
portability within the scope of application of the General Data Protection Regulation. Although they
indicate the general possibility of a “lock-in effect” that could affect competition, the Research Services
pointed out that the Federal Network Agency considered a corresponding regulation to be unnecessary.
This was justified with the possibility for users to locally save the contents of email communications as
well as address books by themselves. However, this should also apply if there is no such possibility, as
for example with WhatsApp. Most users would use OTT services parallel in so-called multi-homing and
were able to flexibly switch from one service to another without any charges. According to the Research
Services’ explanations, this also corresponds to the opinion of the Bundesverband Informationswirt-
schaft, Telekommunikation und Neue Medien e.V. (German Association for Information Technology, Tele-
communications and New Media, Bitkom) which also opposes a national regulation on data portability
in anticipation of the General Data Protection Regulation. In their opinion, the legislator should not pre-
scribe any formats for data portability, but the requirements should rather be developed by the industry
through international cooperation.

In the USA, too, the topic of data portability is considered very important. Within the scope of a public
consultation on data portability at the White House Office of Science and Technology Policy (OSTP), 22
papers were submitted. 54 Many stakeholders stated that data portability was an important instrument
to promote competition and improve data control for users. 55 Most of the commentators believed that
the healthcare sector could particularly benefit from data portability. At the same time, many of them
emphasised that the development of data portability and the privacy of the users should not contradict
each other in any way.

51 The background to this was the so-called “network effect” which could occur due to rising numbers of users and the
possibility of access to large data volumes.
52 As up to now, there is no consistent definition for the various digital platforms (over-the-top (OTT) services), the Research
Services use the grouping set up by the Body of European Regulators for Electronic Communications (BEREC) as a basis.
53 With regard to the general applicability of the Telecommunications Act, the question is raised whether this would even be
reasonable, for example because of the differences in the data protection regulations. In addition, regarding the controversial
question whether such a service could be qualified as a telecommunication service in the legal sense, the Research Services
refer to the pending decision of the Federal Administrative Court or the European Court of Justice.
54 White House Office of Science and Technology Policy. Request for Information Regarding Data Portability. 10/01/2017. URL:
https://obamawhitehouse.archives.gov/sites/whitehouse.gov/files/documents/OSTP-Data%20Portability-RFI-
Responses_for_humans.pdf
55 Macgillivray, A., Summary of Comments Received Regarding Data Portability, 10/01/2017. URL: https://obamawhitehouse.
archives.gov/blog/2017/01/10/summary-comments-received-regarding-data-portability.

Page — 80
 I. Statements

Most of the concerns expressed were related to the implementation costs and to how the portability
service should be ensured, as well as to the fact that up to now, there are no format standards. They also
advised against too strict regulations by government bodies. As recommendations, they suggested the
development of standards in cooperation with the industry, associations and consumer organisations,
supporting the government in the implementation of pilot projects and promoting best practice approa-
ches as well as raising the awareness of the users for the topic of “data portability”.

In its comments on the WP29 guidelines, the international think tank Center for Information Policy Lea-
dership (CIPL) underlined that it had to be kept in mind that there were areas, for instance in a B2B cont-
ext or in employment relationships, where the possibility of data portability would not create any added
value for the informational self-determination of the user. 56 They particularly emphasised that the right
to data portability should not apply to the area of employment relationships (“human resources data”).
Moreover, data controllers would have to clearly differentiate and categorise the different types of per-
sonal data in order to ensure an effective data transfer. They pointed out that “observed data” would
not automatically fall under the category “provided data”, unless the connection to this data constituted
a clear added value for the informational self-determination of the user. 57 In addition, they called for
a clarification what exactly was meant by “structured, commonly-used and machine-readable format”
and to what extent the “interoperability” of the data should include the “compatibility” of different
commonly used formats. Finally, the CIPL argues in favour of supporting cloud-based solutions such as
the “pull model”, as this could allow for better user control over the transfer of data to different service
providers. 58

The Internet Economy Foundation (IE.F) answered a list of questions for an expert discussion of the
Digital Agenda Committee at the German Bundestag and dealt with the questions regarding interopera-
bility and neutrality. 59 They emphasised that the interoperability of platforms constituted an important
requirement for the value creation potential and power of innovation of the digital economy because it
actively prevented the creation of monopolies (“market concentration”) and lowered market barriers.
Closed systems, which create customer retention by means of “lock-in effects” and use this to expand
and strengthen their market power, would generally have negative effects for the internet economy by
closing off the market. In contrast, the definition, development and use of format standards would faci-
litate interoperability and prevent monopoly positions of individual service providers. Consumers, too,
could benefit from open interoperable systems, as these would allow them more freedom of decision,
autonomy and convenience. The IE.F stated that in order to increase the users’ willingness to actively
use portability services, a lot of educational work will have to be done by consumer protection organisa-
tions in order to comprehensibly explain the value of their data to them. 60 In addition, they pointed out
that the planned regulations would only refer to personal data, while in many cases competition would
also be hindered by a lack of portability of other data types. As a switch from one provider to another
would be more worthwhile the more data could be transferred, more incentives for the development of
interoperability – also for non-personal data – would have to be created within the scope of the Europe-
an Commission’s initiative “Free flow of data”. 61

56 Center for Information Policy Leadership, Comments by the Center for Information Policy Leadership on the Article 29 Data
Protection Working Party´s “Guidelines on the right to data portability”, p. 1-2, 5.
57 ibid., p. 8.
58 Center for Information Policy Leadership, Comments by the Center for Information Policy Leadership on the Article 29 Data
Protection Working Party´s “Guidelines on the right to data portability”, p. 4.
59 German Bundestag, Ausschuss Digitale Agenda, Committee Bulletin 18(24)120, 13/12/2016.
60 German Bundestag, Ausschuss Digitale Agenda, Committee Bulletin 18(24)120, 13/12/2016., p. 11.
61 ibid., p. 14, 17.

Page — 81
 B. Implementation of the Provisions in Art. 20 GDPR

Open Knowledge Finland (OKFI) is a non-profit non-government organisation which lobbies for a free
flow of information as well as an open and transparent digital society. In their statement on the first
draft of the WP29 guidelines, OKFI critically questioned the term “personal data” and asked to what
extent the understanding, which data is considered personal, could change with the continuing techni-
cal development and which consequences this could have for the right to data portability. At the same
time, the question was raised whether the provisions of Art. 20 would entail a requirement of identifia-
bility for persons who use certain platforms under a pseudonym and want to exercise their right of data
portability. 62 With reference to the “rainbow data approach” 63, they also underlined that the solution
approaches for data portability would not require any sector-specific “island solutions” – such as “Blue
Button” 64 – but would produce basic standards for the download and transfer of personal data as a
result. Finally, they emphasised that the discussion regarding data portability should focus on the pos-
sibilities of improved data control for users rather than on the issue of data ownership.

4. Industry Associations and Companies

In their statement submitted following the call for papers by Stiftung Datenschutz, Deutsche Telekom
AG (DTAG) 65 argued that the Article 29 Working Party’s guideline exceeded the legal framework of Art.
20 GDPR. In the opinion of Deutsche Telekom, the right to data portability does only apply to such data
which is useful for the person concerned.

According to this statement, the Article 29 Working Party tries to substantially extend the framework
and objective of the provisions of Art. 20 GDPR. The Article 29 Working Party did not have the right nor
the mandate to arbitrarily broaden the scope of application of the General Data Protection Regulation.
DTAG based their argumentation on the history of the legislative process, according to which the EU
legislators had deliberately decided to limit the personal data affected by Art. 20 GDPR by changing the
wording. In this context, it had to be data which the person concerned “provided” to a controller rather
than “processed personal data” in general.

Therefore, any interpretation of Art. 20 GDPR should closely follow its wording to avoid any conflict with
the EU legislator’s intention. Hence, the wording did not refer to usage data and neither to data required
for the conclusion of a contract. Therefore, the data controller was not obligated to make data available
which is automatically generated during the usage of the service (e.g. log files, traffic or location data).
According to DTAG, the term “provided” can thus only refer to such data which is controlled and can be
accessed by the person concerned during the execution of the contract (e.g. photos, emails).

The expansion of the scope of application of Art. 20 GDPR by the Article 29 Working Party would only
lead to unsolvable problems for data controllers. In particular for the data from electronic communi-
cation with obligations of erasure, the right to data portability would result in a large number of legal
uncertainties.

62 https://medium.com/mydata/comments-on-data-portability-guidelines-2102d447f73b.
63 See also, as below, chap. B. II.
64 For “Blue Button”, see below, chap. B. II.
65 See Section D.

Page — 82
 I. Statements

With respect to traffic and location data, also taking into account the ePrivacy directive, the consequen-
ces for the person concerned and the new controller were entirely unclear. In addition, the transfer of
traffic data would affect third party rights and would therefore constitute an infringement of Art. 20,
para. 4 GDPR. Moreover, the recipient of the transferred data would also face legal uncertainties if they
were for example obliged to check whether the transmitted data are covered by consent or a contractual
obligation and whether processing the data would thus be legal. This would particularly affect telecom-
munication data (such as traffic and location data), as their processing based on a legitimate interest
would not be allowed. Furthermore they considered the practice of transmitting complete data sets in
order to check whether all of the data were actually necessary, as described by the Article 29 Working
Party, to be very problematic from the perspective of data protection.

Apart from this, they also argued from a technical point of view. For instance, most service providers
would not maintain separate databases for raw data which could be easily separated from the algorith-
ms for customer analysis. As a result, a data transfer to another service provider could include detailed
background information about the technical structure and the algorithms used. This would also disclose
basic information about the company and affect intellectual property and trade secrets. The Article 29
Working Party did indeed have the right to support the development of general standards and intero-
perable systems in order to allow for simple ways for the realisation of data portability. However, this
development of technical standards would take time and efforts by a large number of involved parties,
including data protection authorities and institutions of the public sector.

• In a statement from Google 66 submitted to Stiftung Datenschutz, the company emphasised that data
portability would allow for more user control and could also prove beneficial for innovation if it was im-
plemented the right way. In this context, implementation should be based on four principles: User-fri-
endly configuration, data security, reciprocal usability as well as limitation to user data rather than
internal company data. In addition, they underlined that investments in the development of a porta-
bility infrastructure would pay off in the long run and that open source solutions could substantially
contribute to this development. Practical implementation should however not focus on determining
a universal format but rather on a search for future-oriented possibilities to create a connection bet-
ween already existing, sector-specific and new formats. In this regard, Google recommends not to
determine fixed standards but to support the development of open and interoperable customary stan-
dards on the part of the companies. Furthermore, the users should be strongly encouraged to securi-
ty- and data protection-friendly data maintenance and should be educated about the possibilities of
portability. Finally, the statement mentions the current development of a proprietary prototype, which
would allow an import and export of data between two publicly accessible product interfaces and thus
a direct transfer between different platforms. The company said it planned to present detailed infor-
mation about this in 2018.

• The French start-up ONECUB, specialising in data portability based on PIMS since 2011, sub-
mitted a paper to Stiftung Datenschutz 67 dealing with the special significance of Personal In-
formation Management Systems (PIMS) for the implementation of the right to data por-
tability. At first, they identify three ways for the realisation of data portability: Direct B2C
transmission, direct B2B transfer, and data transmission using an interconnected tool.

66 See Section D.
67 See Section D.

Page — 83
 B. Implementation of the Provisions in Art. 20 GDPR

According to them, the first two solutions had the disadvantage that they were either unmanageable
for users due to their complexity (for B2C) or would require (for B2B) several approvals by the user
for the transfer of different data sets to a service provider (e.g. transmission of nutritional data from
various services to an e-health provider), and entail high implementation expenses and efforts for the
provider. An alternative would be to transfer the data using a tool with which the reuse of the data is
managed by the user. The use of a so-called PIMS would allow improved access and personalised col-
lection and reuse of the data for the user. In addition, it would also help service providers to cut costs
for the implementation of data portability. However, the use of PIMS poses the problem of a concent-
ration of a large amount of sensitive data at one central location and the security risks this entails. Th-
erefore, the paper proposes the solution to store the data in a decentralised way on the users’ devices
and to connect the individual user depots by means of the blockchain method. With this approach,
PIMS would be used to manage all of the technical aspects, but not to store any personal data:

PIMS
Open and
public
People People reference
private activity data base
repository Blockchain

• In a report submitted to Stiftung Datenschutz by the Gesamtverband der Deutschen Versicherungs-

wirtschaft e.V. (German Insurance Association, GDV), they explain that “provided” data should pri-
marily be defined as such data which is actively provided to the data controller by the customer, for
example within the scope of an application or the processing of an insurance claim. In case any trade
secrets, copyrights or rights of other persons are breached, however, a data transfer would be ruled
out. Furthermore, the fulfilment of the right to data portability should ideally be integrated in existing
data protection management systems. They pointed out that because in the insurance industry, highly
sensitive data are processed, it is important that data portability itself did not become a risk to data
protection. This could be avoided by means of an unambiguous authentication of the data recipient
and by ensuring an equivalent level of data protection and data security. In this process, however, the
transferring company should not be responsible for checking whether an external company needs cer-
tain data and which data they need. With respect to technical standardisation, the statement under-
lined that the development of general and binding standards would be very difficult given the manifold
use of data in different industries and sectors. Instead, general parameters should be given – such as
interoperability, platform-spanning usability, open standards and interfaces.

• In their statement submitted to Stiftung Datenschutz following their Call for Papers, the Deutsche Dialog-
marketing Verband (German Association of Dialog Marketing, DDV) addresses the difference between the
right of access and the right to data portability as well as the practical implementation of the regulation. 68

68 See Section D.

Page — 84
 I. Statements

They explain that the implementation of the right to data portability should not require considerable
efforts in the area of dialogue marketing (which mainly involves data regarding invoicing and delivery
addresses, order histories and information about payment processing), because it was very similar
to the right of access. The data which has to be transmitted electronically would only constitute a
small part of the data which a concerned person can receive in case they exercise their right of access.
The special characteristic of the right to data portability was that this sub-category of data has to be
transmitted in a structured, commonly used and machine-readable format. Thus, in order to meet the
requirements for data portability, only a few practical adjustments were necessary in dialogue marke-
ting – identifying the data to be transmitted, on one hand, and determining the technical method and
the format, on the other hand (in the opinion of the DDV, simple formats such as ASCII as well as PDF
formats would be suitable here).

• In their statement submitted to Stiftung Datenschutz following their Call for Papers, the Bundesver-
band Deutscher Inkasso-Unternehmen e.V. (Federal Association of German Debt Collectors, BDIU) 69
explained that the right to data portability was neither practicable nor necessary in the area of collec-
tion services. Debt collectors would communicate with the customer on behalf of another company
and would on principle only receive personal data from their client. As most of this data was generated
by the client, the new right to data portability would only be relevant for the collection sector if the
data was directly “provided” by the person concerned within the course of the collection procedu-
re. This could for example apply in case of address changes which are communicated via telephone.
While a customer could already get an overview of the existing personal data based on their right of
access pursuant to Art. 15 GDPR, the transfer of data according to Art. 20 GDPR would only concern
the fragmentary information “provided” during direct customer contact. From the point of view of the
industry representative, data portability would in these cases not result in any “added value” for the
informational self-determination of the customer, but at the same time require considerable efforts on
the part of the individual service provider (in particular for SME). Therefore, the collection sector does
not consider itself a primary addressee of Art. 20 GDPR and hopes for a clarification with regard to the
scope of application of the regulation.

• As a representative of the energy sector – where the issue of data portability mostly concerns energy
suppliers – the managing director of regiocom GmbH, Klemens Gutmann, submitted a position paper 70
to Stiftung Datenschutz presenting the sector-specific challenges of implementing data portability. In
particular the planned introductory of Smart Metering would result in extended forms of customer
data collection whose transmission could on principle constitute an improvement of informational
self-determination. However, there were still many unanswered questions as there were only a few
examples pointing the way and Germany was still only beginning to implement a comprehensive smart
meter rollout. First of all, questions regarding the contents, the amount and the format of the data to
be transmitted would have to be addressed. In this context, the determination of an industry-specific
format would have the advantage that it would be possible to refer to tried and tested practical ex-
amples and to transmit customer-specific data with relatively low redundancy. In addition, a practica-
ble format for end customers would have to be determined. Apart from that, the issue of interfacing
for interconnections between typical energy data and other household-relevant application areas, as it
could be the case in smart homes, would have to be addressed. Considering the future situation with
smart meter devices, it would also become increasingly complex to differentiate between “provided”
and “processed” data.

69 See Section D.
70 See Section D.

Page — 85
 B. Implementation of the Provisions in Art. 20 GDPR

• In another report submitted to Stiftung Datenschutz, the IT industry association Bitkom 71 underlined
that the term “provided” had not been legally defined in the GDPR and therefore gave rise to a number
of uncertainties. Therefore, the regulation should be interpreted based on its wording saying that the
regulation only applies to such data which has been “provided” to a controller by a person. Hence, it
should be sufficient only to account for those data which are controlled by the persons concerned and
which they dispose of themselves. This would exclude usage data and/or data which is automatically
generated during the usage of a service. With respect to technical implementation, they object to the
development of cross-sectoral “one-size-fits-all” solutions because they consider it disproportionate,
and call for the elaboration of industry-specific standards and formats.

• Within the scope the public consultation of the White House Office of Science and Technology Policy
(OSTP) on the implementation of data portability, the industry association Software & Information
Industry Association (SIIA) was one of the participants submitting a statement. 72 In their discussion
regarding the implementation of data portability, SIIA argued that, depending on the service and data
processing context, there had to be a stricter differentiation between different types of personal data
and that colliding legal interests such as licence agreements, intellectual property and personal rights
of third parties had to be accounted for. In addition, they pointed out the issues with the practical
implementation of portability, for instance in the development of compatible product formats (in some
cases even by competing companies), establishment of strategic partnerships as well as with regard
to limited resources and capacities in small and medium-sized enterprises. According to the SIIA, poli-
tical demands for data portability should therefore especially account for proportionality between the
costs and efforts of implementation and the actual added value for the informational self-determina-
tion of the consumers. Data portability should first of all be facilitated in areas in which added value
and benefits are evident (e.g. in the field of e-health). The SIIA believes that with respect to the imple-
mentation of data portability, the US government will mainly play the role of a mediator, supporter and
moderator in the development process. The elaboration of solution approaches and development of
technical standards should however be driven by the market participants.

II. Existing Solution Approaches

Up to now, there are only a few existing examples for the practical implementation of the right to data
portability. These include almost no approaches which have been especially developed with regard to
the fulfilment of the requirements in the General Data Protection Regulation. Indeed, many companies
make an effort to prepare for the new legal situation regarding data portability. 73 However, many are still
concerned about the new instrument 74. Considering this, it is worth taking a closer look at the already
existing approaches. Below, some approaches on data portability are briefly summarised.

71 See Section D.
72 White House Office of Science and Technology Policy. Request for Information Regarding
Data Portability. 10/01/2017, Respondent 14, p 23-28. See also: http://www.siia.net/LinkClick.
aspx?fileticket=L8dzKaK9Mx8%3d&tabid=577&portalid=0&mid=17113.
73 cf. euobserver, New EU right to data portability to cause headaches, 24/05/2017. URL: https://euobserver.com/
digital/137977.
74 According to a survey by the software provider SAS, 58 of the companies surveyed saw problems with the implementation of
data portability (www.pressetext.com/news/20171004025).

Page — 86
 II. Existing Solution Approaches

• Particularly with regard to the original intention of the legislator to free users from “lock-in effects” in
large social networks with the help of Art. 20 GDPR, the initiative Give Me My Data (http://givememy-
data.com) is noteworthy. Starting from 2009, this free service from the USA has helped to retrieve
user data from Facebook in a reusable format, to archive them and to reuse them accordingly. In late
2010, Facebook developed a prorietary service and demanded an update of apps which have access
to the network’s service, after which the company was able to determine at its sole discretion which
third-party apps are granted access to the user data. These access restrictions finally resulted in the
developer of “Give Me My Data” shutting the service down in 2016. 75 In a video, he still advises users
on how to gain access to data stored by Facebook on their own 76. However, as the process is very
complex, it is doubtful whether the average user will make use of the suggested elaborate solution.

• Google has already in 2011 created the online service “Google Takeout” 77 for registered users, allo-
wing them to export personal data from more than 30 online services offered by Google such as Maps,
Gmail or Contacts in different formats. For this purpose, they create an archive with the selected data
such as photos from Google+, videos from YouTube, mails and position data from Latitude and make
it available for download. Takeout uses standard formats, which gives users additional options for
handling the exported data. They can use this data for backups or other purposes or directly transfer
it to services of other providers, for example Dropbox or Microsoft OneDrive. With MyAccount (www.
myaccount.google.com), they also offer a central hub where users can make privacy settings and get
an overview of their stored data and access rights. According to Google, this service currently registers
more than one million export transactions per month.

• In Europe, as well, there are already noteworthy approaches for the implementation of data portability.
For instance, the French start-up ONECUB 78 offers a data transfer service based on PIMS, the “ONE-
CUB Connect Button”. 79 This portability tool manages the exchange of personal data by allowing indi-
vidual persons to collect their data and to securely transmit them between external websites or online
services through an API interface. This way, ONECUB users can exchange their data with third-party
providers while maintaining complete control over their privacy settings. The service has already been
integrated by some companies, for example the sales platform “MyTroc”, the airline passenger com-
pensation service “Air Indemnité” and the fitness coach “Umanlife”. In addition, ONECUB has been
involved in the American VRM (Vendor Relationship Management) community as well as the French
MesInfo community for more than seven years and discusses basic aspects of the Data Protection
Regulation and data portability with French start-ups, large companies, consultancies and the French
regulatory authority CNIL on a regular basis.

75 http://givememydata.com/. See also: White House Office of Science and Technology Policy. Request for Information
Regarding Data Portability. 10/01/2017, Respondent 9, p. 12.
76 www.youtube.com/watch?v=WteK95AppF4&feature=youtu.be
77 See Section D, statement from Google, https://takeout.google.com/settings/takeout
78 https://www.onecub.com/
79 See Section D.

Page — 87
 C. Assessment and Recommendations for Action

• In late 2016, the French think-tank Fondation Internet Nouvelle Génération (FING) and eight leading
companies (Crédit Coopératif, Enedis, Engie, GRDF, Maif, Mgen, Orange, Société Générale) initiated
the open-source project “Rainbow Button” (working title) in order to establish a common framework
for the implementation of the right to data portability. 80 In the meantime, the project was also joined
by the French data protection authority CNIL. The objective of the project is to reduce the complexity of
the implementation of data portability by developing common specifications, guidelines and designs,
allowing for manageability by the users, preventing misuse as well as creating a framework for the
development of innovative services. For this purpose, the project participants developed a prototype
in order to demonstrate the advantages of the portability service and to test various application scena-
rios. In compliance with the GDPR requirements for data portability, the project in particular develops
two application scenarios: On one hand, the “download” of the data from a user account, and on the
other hand, the transfer of data between different data controllers.

• In the US, several approaches on data portability have already been developed. For instance, the My
Data initiative of the White House, which started in 2010, is committed to improving the access of
the users to their personal data. 81 This initiative constitutes a collaborative foray to develop possible
solutions supporting data portability in cooperation with public and private organisations. In coope-
ration with the private sector, various approaches have been worked out, such as “Green Button” for
power supply data 82 or “My Student Data” for data from students. This also includes the “My Data
Healthcare” initiative “Blue Button” for improved access, control and transfer of medical data. 83 The
“Blue Button” is a symbol on a website, for example an online patient portal, through which patients
can download their healthcare information. Depending on the implementation, users can download a
large amount of infor mation in various formats, including text and PDF. In addition, “Blue Button” pro-
vides physicians with a simple way to transfer patient data. The management of the Blue Button Trust
Bundle was entrusted to the non-profit organisation NATE Trust-Community. 84 Just like “Blue Button”,
other functional portability approaches can in particular be found in the US health sector.

One example is DirectTrust.org Inc., an organisation which was founded as a “trust community” by
the US Office of the National Coordinator for Health Information Technology (ONC). As an independent
non-profit association of 124 healthcare IT and healthcare service providers, they support the secu-
re, interoperable exchange of healthcare information through direct messaging protocols. DirectTrust
created a “Trust Framework” which extends the use of Direct Exchange to more than 94,000 healthca-
re organisations and more than 1.4 million direct addresses and accounts. 85 Recently, DirectTrust has
also elaborated some suggestions regarding technical standardisation in the healthcare sector. 86 The
NATE trust community mentioned above also campaigns for the improvement of data portability in the
healthcare sector in a cross-sectoral collaboration with consumer protection organisations, healthcare
experts, technology companies and former politicians. In conclusion, it can be noted that data portabili-
ty of healthcare information within the US healthcare sector is already in an advanced stage of develop-
ment which is not least due to new forms of cooperation between the government, economic operators
and non-profit organisations.

80 http://mesinfos.fing.org/wp-content/uploads/2017/03/RButton_Perimetre_english.pdf
81 https://obamawhitehouse.archives.gov/blog/2016/03/15/my-data-empowering-all-americans-personal-data-access
82 http://www.greenbuttondata.org/
83 http://www.myphr.com/Resources/blue_button.aspx
84 http://nate-trust.org/?s=Blue+button
85 https://www.directtrust.org/about-directtrust/
86 DirectTrust, Comment to ONC on Draft 2017 Interoperability Standards Advisory, p. 4-6. URL: https://www.directtrust.org/wp-
content/uploads/2016/11/DirectTrusts-Comments-to-ONC-on-Draft-2017-Interoperability-Standards-Advisory.pdf

Page — 88
 I. Assessment

C. Assessment and Recommendations for Action

I. Assessment

1. Objectives of the Regulation

Opportunities and Risks of Data Portability
The discussion of the right to data portability with statements from relevant stakeholders and the ana-
lysis of existing solution approaches primarily raises the question to what extent the new regulation will
result in an increase in the protection of data privacy (“informational self-determination”) for the consu-
mer. In this context, it has to be taken into account that the transmission of data according to the pro-
visions of Art. 20 GDPR only concerns a copy of the data set and does not constitute a right to erasure.

On one hand, users would indeed benefit from the flexible possibility to make their data easily available
to different service providers. The right to data portability would in particular be helpful in the so-called
Internet of Things, if people were able to use the data from their usage of networked devices not only
in the relation to the supplier of a certain product but also for other purposes, and to link data from
different service providers together.

On the other hand, the duplication of personal data resulting from the data transfer could also lead to
an increase of data protection risks. This would at any rate apply to possible cases in which entitled
parties did not assert their right pursuant to Art. 17 GDPR (erasure) with respect to the addressee of
the transfer request. Thus, the data transfer would not be carried out as an actual “data migration” but
rather as a “data duplication”. This would in fact mean that the use of personal data is not minimised but
rather expanded – including all of the generally existing uncertainties 87 with regard to the data usage
by controllers.

The objective of the regulation to support informational self-determination might in particular be rever-
sed if consumers are incited to make excessive use of their rights pursuant to Art. 20 GDPR by means
of financial incentives such as discounted contract conditions. The “right to data portability” could then
de facto prove to be a hidden “obligation” to duplicate data sets. Business models could be establis-
hed which deliberately exploit the portability rights of the consumers in order to accumulate personal
data and create cross-sectoral customer profiles. This concern is obviously also taken up by the Swiss
Federal Council in their statement that the right to data portability “rather has the objective of allowing
the persons concerned to reuse their data in order to leave more space for competition than to protect
their privacy”. 88

Data protection and data security risks are particularly high when very sensitive data is concerned –
for example in case of insurance and healthcare data. In these cases, a definite authentication of data
recipients as well as equivalent data protection and data security levels must be ensured as otherwise,
fraudulent requests for data transfers could easily be possible.

87 Regarding the issue of the “informed consent”, see the study by Stiftung Datenschutz “New ways of providing consent in
data protection - technical, legal and economic challenges”, URL: https://stiftungdatenschutz.org/themen/projekt-einwilligung-
und-transparenz/.
88 Erläuternder Bericht zum Vorentwurf für das Bundesgesetz über die Totalrevision des Datenschutzgesetzes und die
Änderung weiterer Erlasse zum Datenschutz, 21 December 2016, p. 22. www.ejpd.admin.ch/dam/data/bj/staat/gesetzgebung/
datenschutzstaerkung/vn-ber-d.pdf.

Page — 89
 C. Assessment and Recommendations for Action

For instance, a risk of misuse could arise if a company (e.g. a large chain of car repair shops) virtually ins-
tigates their customers to exercise their right to portability in order to impair the competitive position of
their competitor by means of excessive data inquiries (e.g. from a smaller car repair shop). With regard
to such constellations, it should however be pointed out that cases of excessive or fraudulent requests
should be covered by Art. 12, para. 5 GDPR (possibility to refuse if requests are manifestly unfounded
or excessive).

Many stakeholders also expressed concerns that the right to data portability could prove to be a compe-
titive disadvantage. For example, some fund-raising organisations (NGOs) are concerned that in case of
the application of Art. 20 GDPR, they would have to transmit the entire history of donators to competing
NGOs and that this data would disclose the working methods of the respective NGO so that company
secrets could be revealed. Moreover, the implementation costs for data portability might be detrimental
to start-ups and smaller businesses, because established companies were better able to increase mar-
ket power with their resources, which could result in disadvantages for the users.

In addition, there seem to be justified doubts that the regulation will be able to break up large market
monopolies and “network effects”. Indeed, data portability and interoperability could on principle be
appropriate measures in order to allow for an open and free social web in which the users retain con-
trol over their data and are able to communicate freely. 89 However, it remains to be seen whether the
implementation of a portability service alone could in practice lead to a removal of “lock-in effects”. In
particular the example of the “Google Takeout” service, which has been existing for six years and sub-
stantially corresponds to the right to data portability, does not provide any indication that the market
dominating status of Google has in any way been “broken down” by the offer of “data migration”. The
doubts regarding the effectiveness of the regulation are especially great in regard to social networks,
because the transfer of the data which would be the most relevant for users – generated user analyses,
user profiles, but also data relating to third parties (e.g. Facebook “friends”) – is excluded from the
provisions of Art. 20 GDPR. Nevertheless, it has to be noted that the effect of the regulation on those
providers who generate “network effects” from the connection between online services and the use of
certain hardware products, for example in the Apple ecosystem, remains to be seen.

Promotion of Data Sovereignty

In order to ensure the promotion of informational self-determination through the right to data portabi-
lity, it is important to ensure the effectiveness of the regulation. The point is that data subjects will only
make use of their right to data portability if its added value is evident to them and thus the associated
efforts seem proportionate to the benefits. For one thing, this means that the effectiveness of concrete
solution approaches has to be tested in practice. This includes for example behavioural economic sur-
veys examining to what extent the right to data portability is actually exercised by the users.

On the other hand, it has to be specified for the implementation of the regulation that the right to
data portability only applies to such data whose portability effectively contributes to the promotion
of informational self-determination. If the interpretation of the regulation is too broad, data protection
risks could even increase and it could result in a disproportionately high amount of work regarding the
categorisation and extraction of data sets for the data controllers. Therefore, the interpretation of Art.
20 GDPR has to focus on the original intention of the legislator which is to allow for more data control.

89 cf. Göndör, Sebastian, see section D.

Page — 90
 I. Assessment

Thus, the scope of application of the regulation should focus on data sets which are necessary for swit-
ching from one provider to another. The users should also have a basic understanding of the data sets
they receive so that they are able to check and control them and to use them to their advantage. At least,
this applies in cases where the users receive the data themselves (Art. 20, para. 1 GDPR), rather than in
case of a requested direct transfer according to paragraph 2. In addition, the proportionality between
the efforts and expenses for the implementation of the regulation and the practical effectiveness of
individual measures for data sovereignty should be kept in mind.

The practical definition and arrangement of the regulation must be adapted to its original intention,
which was brought back to the fore again by the second version of the Article 29 Working Party’s recom-
mendations: The improvement of data privacy (“informational self-determination”) for the consumers.
In the context of data portability, this means that users have to be given more control over the transmis-
sion of personal data.

Conclusion
In conclusion, it can be noted that, as a matter of principle, the right to data portability can give users
better means of control over their personal data. However, the risks which this new regulation could
entail should not be underestimated. For one thing, the duplication of data sets could lead to an increa-
se of data risks. In particular, if consumers are incited to make excessive use of their rights pursuant
to Art. 20 GDPR by means of financial incentives such as discounted contract conditions and if the por-
tability rights of the users are deliberately exploited in order to accumulate personal data and create
cross-sectoral customer profiles. On the other hand, the regulation could prove ineffective or even have
an anticompetitive effect if minimal benefits for consumers from the transfer of data sets are opposed by
extremely high costs and efforts for their preparation and transmission by controllers, which could then
only be managed by large market operators. In addition, the analysis of previous approaches seems to
raise justified doubts whether the practical implementation of a portability service would necessarily
result in the removal of market monopolies and “lock-in effects”. It has to be kept in mind that high im-
plementation costs for data portability might be detrimental to start-ups and smaller businesses.

2. Determination of the Scope of Application 90

Provided Data
The term “data provided” in Art. 20 is not legally defined in the General Data Protection Regulation. The
Article 29 Data Protection Working Party uses a broad interpretation of this term in their statements
(Guidelines on the right to data portability) and includes contract as well as usage data in its scope of
application. 91 Hence, this interpretation also includes so-called “observed data”, i.e. data which is ge-
nerated based on the usage of a service. 92

90 The following chapter is based on the statement submitted by Anne Riechert, see chap. D. III.
91 Article 29 Working Party, WP 242 “Guidelines on the right to data portability” from 13/12/2016 and Article 29 Working Party,
WP 242 “Guidelines on the right to data portability” from 05/04/2017
92 Article 29 Working Party, WP 242, p. 5; Benedikt, RDV 2017, p. 190; Jülicher/Röttgen/v. Schönfeld, ZD 2016, p. 359, who are
opposed to active actions as a precondition.

Page — 91
 C. Assessment and Recommendations for Action

This extended interpretation, which includes traffic as well as location data, is rejected with reference to
the wording of the regulation. 93

In terms of such a stricter interpretation of the term “provided”, only such data would be included which
has actively and deliberately been provided by the person concerned and is required for the fulfilment
of a contract, but no usage data. 94 In this context, it is also pointed out that this narrow interpretation
was supported by the history of the legislative process as well as by the objectives of the provisions of
Art. 20 GDPR. 95 Experts unanimously agree that the scope of application does not include data which
is only processed and generated by the controllers themselves based on the data provided (“inferred
data”, such as score values). 96

With respect to third-party data, their protection rights have to be respected according to Art. 20, para
4 GDPR. In this regard, the Article 29 Working Party explained that personal data of third parties can
be transferred to a new controller for private and personal use, provided that they remain under the
exclusive control of the transferring person. 97 Indeed, the General Data Protection Regulation would not
apply if the data was processed “by individual persons exclusively for personal or family purposes and
without any intention of making a profit”. In such cases, it had however to be considered that personal
data is transferred to a commercial service provider. Therefore, it is questionable how these new cont-
rollers would implement these requirements in practice. This is particularly relevant with regard to the
possibility to process data based on legitimate interests according to Art. 6, para. 1f GDPR or based on
a change in purpose according to Art. 6, para. 4 GDPR. Because there are no consistent interpretation
criteria for these processing elements across Europe, the extent of a possible data processing would
currently not be foreseeable for any concerned third parties. First of all, it has to be taken into account
that these third parties could previously have consciously decided against a certain service provider so
that in this situation, civil law claims could be asserted, for example claims to cease and desist. This
means that it would be extremely important to ensure sufficient transparency in the entire process. The
respective concerned persons should not lose track of the data controllers and the rights of erasure they
are entitled to.

93 See Bitkom, statement on data portability (Stellungnahme zum Recht auf Datenübertragbarkeit nach Art. 20
Datenschutzgrundverordnung) from 14/03/2017, S. 7 as well as statement by Deutsche Telekom AG (Statement on the
“Guidelines on the right to data portability” of the Article 29 Data Protection Working Party), p. 2. See also Bitkom, statement
on data portability, p. 11, with the indication that telecommunication and location data were not included in the scope of
application. However dissenting with Article 29 Working Party, WP 242, p. 10, who are in favour of including it.
94 See Strubel, ZD 8/2017, p. 357/358, who explains that “letting things happen” was not sufficient and this would refer
to direct collection. See also statement by Deutsche Telekom AG, p. 2, who limit the characteristic to “useful” data which is
controlled by the user. In addition, they suggest to interpret the aspect of provision in a service-specific way and thus only
to apply the right to such data which is necessary for the usage of a similar service (see also Strubel, ZD 8/2017, p. 360, who
differentiates based on whether the data is required in order to provide a similar service).
95 Strubel, ZD 8/2017, p. 357 ff., also in the legal statement submitted by Anne Riechert, in detail under section 1.1, see chap. D.
III.
96 Article 29 Working Party, WP 242, p. 10.
97 Article 29 Working Party, WP 242, p. 11 ff. On one hand, the Article 29 Working Party explained that a new controller should
not be allowed to use the transferred data of third parties for his own purposes (e.g. for promoting marketing products and
services) On the other hand, however, they believed that such data processing was only very likely to be illegal and unfair, in
particular when the concerned other persons had not been informed about this and could not exercise their right as persons
concerned. Therefore, a possible further processing by a new controller would have to be subsumed under permissible
processing which is based on “legitimate interests” and is at the same level with all elements of data processing according
to the wording of the General Data Protection Regulation. However, until now, there are no consistent rules for interpretation
across Europe in this regard.

Page — 92
 I. Assessment

According to the wording, the scope of application of Art. 20 GDPR also applies to employee data. As
applicability in individual cases is however debatable, corresponding interpretation criteria will have to
be developed for this aspect, as well. 98

Interoperable Format
Art. 20 GDPR does not contain any definition for an interoperable format. According to the intention of
data portability, however, it is important to use a format which allows for a reasonable reuse of data by
the person concerned or the new controller. Such a format shall be developed in the future. 99 This me-
ans that certain formats such as PDF documents as a machine-readable format could be ruled out, even
if this format is sufficient as an electronic format within the scope of the right of access.

In addition, it is debatable whether the transmission of metadata is beneficial and necessary for data
portability 100 or if it actually conflicts with the interests of data protection. 101 The Article 29 Working
Party believes that the personal data should be accompanied by as many metadata as possible. 102 Ho-
wever, they do not specify what exactly characterises metadata in contrast to personal data. Sufficient
metadata is requested from a technical point of view, as well. 103 In terms of this view, metadata can on
one hand be personal, but can on the other hand also concretise an attribute and for example determi-
ne restrictions (e.g. of text length). The draft of the ePrivacy Directive 104 actually even contains a legal
definition for communication metadata which refers to such data, from which conclusions regarding
the private life of the persons involved in an electronic communication can be drawn. 105 This metadata
can for instance be traffic and location data, which are however classified as “personal data provided
by the person concerned” by the Article 29 Working Party, which is in turn opposed on the part of the
companies.

Therefore it is advisable to check whether there is a consistent technical and legal understanding of the
term “metadata”. This is particularly relevant in order to decide which metadata are required for the suc-
cessful implementation of data portability as well as for the development of a format from a technical
point of view, and which are permissible from a legal point of view.

98 Hennemann, PinG 01.17, p. 5; Bitkom, statement on data portability, p. 8. The Article 29 Working Party refers to individual
examinations of each case and does not rule out the applicability in general (Article 29 Working Party, WP 242, p. 8/9).
99 Article 29 Working Party, WP 242, p. 18. See also Schätzle, PinG 02.16, p. 74/75; Gerl/Pohl, The Right to data portability
between legal possibilities and technical boundaries, whereas these authors in their report describe the general conditions
for a corresponding data transfer format based on different scenarios and do not consider portability in itself an obstacle. See
also Hennemann, PinG 01.17, p. 8, who points out that, in fact, Art. 20 General Data Protection Regulation does not call for
interoperability. This requirement is only mentioned in Recital 68 of the General Data Protection Regulation.
100 Article 29 Working Party, WP 242, p. 18, who suggest metadata at the highest level of granularity; Gerl/Pohl, The Right to
data portability between legal possibilities and technical boundaries, see Section D.
101 See statement by Deutsche Telekom AG, in which they pointed out that the transmission of a complete data set with a
subsequent check whether all of the data is actually required was highly questionable with respect to data protection.
102 Article 29 Working Party, WP 242, p. 18.
103 Gerl/Pohl, The Right to data portability between legal possibilities and technical boundaries, see Section D.
104 Suggestions for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for privacy
and the protection of personal data in electronic communication and for the repeal of directive 2002/58/EC (Directive on Privacy
and Electronic Communications) from 10 January 2017 (ePrivacy Directive). According to Art. 95 of the General Data Protection
Regulation, no additional obligations are imposed on individual or legal persons with respect to processing in connection
with the provision of publicly available electronic communication services in public communication networks within the Union,
provided that they are subject to special obligations which have the same objectives and are determined in directive 2002/58/
EC. The ePrivacy Directive is the follow-up regulation and defines and complements the General Data Protection Regulation by
determining specific rules.
105 See definition of the term metadata in electronic communication on p. 13 as well as in Art. 4, para. 3 c of the Directive on
Privacy and Electronic Communications (ePrivacy Directive). This includes for example telephone numbers called, websites
visited, geographical location, time of day, date and duration of a phone call made by a person, from which precise conclusions
might be drawn regarding the private life of the persons involved in the electronic communication, e.g. with regard to their
social relationships, habits and daily life, their interests and tastes.

Page — 93
 C. Assessment and Recommendations for Action

With respect to the technical feasibility of direct portability of data between the controllers, it is also
important to note that this characteristic could be interpreted in a subjective as well as in an objective
way. 106 This means that in this regard, criteria will have to be developed determining to what extent the
individual capability of the companies could play a role.
Competition Law Aspects
The perspective of competition law is relevant for Art. 20 GDPR, because on one hand, the competition
law character is always referred to 107 and on the other hand, it has to be assessed to what extent the
regulation can constitute a market conduct rule. For example it might constitute a breach of §3a UWG 108
(German Act against Unfair Competition) (breach of law) and §4 no. 4 UWG 109 (deliberate hindrance of
competitors) in case interoperability is not implemented and if no trouble-free transfer possibility for
data is provided. 110 In the past, it has been confirmed that a breach of information duties under data
protection law can constitute an infringement of competition for which a cease and desist order could
be issued. 111

In case of an accusation of a deliberate, anticompetitive hindrance, the Federal Court of Justice for in-
stance assesses the overall circumstances of each individual case, taking into account the interests of
the competitors, consumers and other market operators as well as the general public. 112 This would
require that both parties supply similar goods or commercial services, however, they would not have to
be in the same industrial sector. 113 In contrast to this, Art. 20 GDPR grants the right to data portability
“across the board” and does not contain any restrictions or weighing of interests, for instance with re-
gard to industrial sectors or similar services.

The law on unfair competition and the data protection law are considered equally important. Therefore,
it is questionable whether different assessments and sanctioning options will be possible in the future.
This is associated with the disagreement concerning the spirit and purpose of Art. 20 GDPR, which on
one hand has the purpose of supporting the right of informational self-determination, but on the other
hand, is construed restrictively regarding the aspect that (only) a data transfer from one service provider
to another shall be facilitated and “lock-in effects” shall be avoided. 114

106 Hennemann, PinG 01.17, p. 8.

107 See also Hennemann, PinG 01.17, p. 6, who points out the competition approach as well as the legislative process during
which it was suggested not to regulate this right within the scope of the directive.
108 The breach of law is regulated by §3a UWG. According to this article, anyone is acting unfairly who acts contrary to a legal
provision which has the intention to regulate market conduct in the interest of the market operators and if this breach could
substantially prejudice the interests of consumers, other market operators and competitors.
109 §4 UWG regulates the protection of competitors. According to this article, anyone is acting unfairly who purposefully
hinders their competitors.
110 In German jurisprudence, it is controversial to what extent data protection regulations simultaneously constitute market
conduct rules in terms of the UWG. For instance denied by Higher Regional Court (OLG) Munich, decision from 12 January 2012,
ref. 29 U 3926/11: The data protection right was a product of personality rights and protects this individual legal position in
general while it does not concretely refer to protection in the role of a market operator. Irrespective of the fact that breaches of
the provisions of the Federal Data Protection Act (BDSG) could certainly have consequences in a business environment, these
provisions do not constitute market conduct rules (with reference to the exception of §28, para. 4, s. 2 BDSG). See also OLG
Cologne, decision from 19 November 2010, ref. 6 U 73/10; Superior Court of Justice Berlin, decision from 29 April 2011, ref. 5 W
88/11; OLG Stuttgart, decision from 22 July 2007, ref. 2 U 132/06.
111 OLG Hamburg, decision from 27 June 2013, ref. 3 U 26/12 with the argument that §13 German Telemedia Act (TMG)
(information duties) was a rule regulating market conduct in terms of §4 no. 11 UWG (now §3a UWG), and not merely as an
infringement of a rule regulating only supra-individual matters of free competition.
112 BGH, decision from 22/01/2014 – I ZR 164/12.
113 BGH, decision from 24/06/2004 – I ZR 26/02.
114 See also Hennemann, PinG 01.17, p. 6 with reference to Recital 68 of the General Data Protection Regulation.

Page — 94
 I. Assessment

However, the latter do not necessarily occur and an obligation to implement interoperability could also
have anticompetitive effects, in particular for new and innovative services, and could constitute a consi-
derable interference with entrepreneurial freedom. 115

Conclusion
The right to data portability has to be safeguarded. However, it is questionable whether additional de-
cisions and assessments on individual cases would be useful in order to achieve a result doing justice
to the respective interests. Regarding the issue whether the scope of application includes contract data
as well as usage data, the scope of protection of the regulation could also be relevant, because usage
data are in their entirety included under the electronic copy of the right of access pursuant to Art. 15,
para. 3 GDPR, which means that the right to informational self-determination would be guaranteed. In
any case, the question in this context is whether a direct transfer would rather have advantages for the
new controller who incites persons to disclose their usage data by developing new business models. 116
Therefore, it should always be assessed for each individual case, under which circumstances a direct
transfer of all usage data to another service provider would actually support the improvement of control
rights for the person concerned. In this regard, a result doing justice to the respective interests could for
example be achieved with the objectivity of the term “required” concerning the contractually relevant
data according to Art. 20, para. 1a in connection with Art. 6, para. 1b GDPR. This way, service aspects
could be considered and the creation of a customer profile (e.g. as a purchase history or records of a
fitness app) could for instance be evaluated as “required for contract fulfilment” and thus also as a rea-
sonable interest of the customer. In this context, ensuring transparency constitutes another essential
requirement as the person concerned has to know all of the information relating to the processing by
the old and the new data controller.

With regard to the differentiation from competition law, it will have to be decided to what extent both
fields of law can influence each other and if it could therefore be advisable to develop criteria which
allow for a consistent perspective on competition law and data protection law as well as for a differenti-
ated result. In the assessment and the elaboration of rules of conduct according to Art. 40 GDPR, it could
be taken into account whether the interests of the general public as well as the right to informational
self-determination as interest of the persons concerned include a right to “across-the-board” data por-
tability. Indeed, the balancing of interests is not included in the wording of Art. 20 GDPR. Nevertheless,
the interpretation of the regulation could be subject to an ongoing, practice-oriented examination regar-
ding to what extent decisions could be made in individual cases for instance based on data, industries,
services or similar aspects, without interfering with the right to informational self-determination of the
persons concerned. In addition, the competition law aspect of the comparability of services likewise
corresponds to the original intention of the law and the protection purpose of Art. 20 GDPR, as this was
focused on social networks and was intended to facilitate a switch from one provider to another. 117

It should also be kept in mind that the sanctioning options of the data protection authorities could now
result in severe consequences due to an increase of the level of fines.

115 Paper of the Research Services of the German Bundestag on the topic of “Regulierung von Messengerdiensten,
Datenportabilität und Interoperabilität” (“Regulation of messenger services, data portability and interoperability”), p. 18, also
with reference to the opinion of the Federal Cartel Office. See also Hennemann, PinG 01.17, p. 6, who underlines the competition
approach.
116 See above, C. I. 1, as well as Gutmann, Beispiele aus der Energiewirtschaft, who is generally critical in his assessment of the
demand for more informational self-determination for the persons concerned.
117 See Hennemann, PinG 01.17., p. 6 with reference to the competition approach as well as to the statement by Jan Albrecht
(Rapporteur of the European Parliament on the General Data Protection Regulation) who considers Article 20 a catalyst for a
competition for data protection-friendly technologies.

Page — 95
 C. Assessment and Recommendations for Action

3. Implementation Strategies
Structural Implementation

The definition and arrangement of the data portability regulation reflects a fundamental dilemma re-
garding network regulation: On one hand, the regulation has the objective to determine the framework
for legal data processing in as concrete terms as possible, while on the other hand, such a regulation
would “ex ante” have to remain vague enough for newly developing technologies and possible innovati-
ve approaches to solutions. 118 For example, the data portability regulation calls for keeping the data in a
“structured, commonly used and machine-readable format” (Art. 20, para. 1 GDPR) but does not specify
what this format should look like in detail, which requirements it has to fulfil and how interoperability
between different “commonly used formats” shall be achieved. Thus, the individual addressees of the
regulation face the challenge to fulfil the requirements of the regulation without being given a precise
guideline, general standards or even tried and tested practical examples. This makes a fundamental pro-
blem blatantly obvious: The lack of suitable implementation strategies for data protection regulations.

In particular, the implementation of data portability in the US healthcare sector and the “Rainbow But-
ton” project of the Fondation Internet Nouvelle Génération (FING) 119 show that new forms of public-pri-
vate partnerships can be considered a suitable concept for the practical realisation of requirements
for data portability and the development of standards. The management of the cooperation between
technology companies, experts, consumer protection organisations, NGOs, public bodies and political
decision-makers by independent non-profit institutions (“trust communities”) following the example
of the US healthcare sector 120 has the necessary potential to respond to the government’s protective
duties on one hand and to support the flexible development of innovations on the other hand in the
implementation of the right to data portability.

For this purpose, corresponding approaches for “regulated self-regulation” have to be developed, es-
tablishing a framework under state supervision within which government and non-government institu-
tions as well as companies develop implementation strategies and standards for data portability. For
an effective definition and arrangement of data portability and realisation of legal compliance, it is ab-
solutely necessary to involve companies and industries which will presumably be particularly affected
in formal consultation processes of the regulatory authorities from an early stage in order to ensure an
implementation of Art. 20 in accordance with the law.

Approaches for Practical Implementation

The focus in the practical implementation of the right to data portability lies above all on the develop-
ment of procedures for the data transfer. As it has already been explained in the second version of the
Article 29 Working Party’s recommendations (page 16/new), there are basically two possible solutions
to enable data portability: A direct transfer to the user (para. 1) or rather to the third-party provider
(para. 2), or a transfer via an interconnected centralised application.

118 See also: Horn, Aus Sicht der Stiftung Datenschutz – wie die Regulierung im Datenrecht Schritt halten kann, in PinG 05/17.
119 See above, B. II.
120 Cf. above, B. II.

Page — 96
 I. Assessment

In particular in cases in which, due to specific business models, the right to data portability only applies
to a small number of data sets which are easy to collect and to transmit, a direct transfer of data can be
realised in a relatively simple and efficient way which is also easily manageable for the user. In addition,
it is currently still unclear how many users will actually exercise their right to data portability. For the
respective industries and companies, the actual demand for data transfers will be relevant because this
could influence their decision to undertake great efforts and to carry out fundamental adjustments to
their systems. In case of a low demand for data transfers, they could however react based on each indi-
vidual case and by means of manual compilation and direct transfers of data sets. Currently, it cannot be
predicted to what extent the interest in data portability will be increased by new business models and
how many users will as a result actually exercise their rights.

In cases in which portability concerns several heterogeneous personal data sets, which are transmitted
to different third-party providers for different processing purposes, a tool-based approach might be
preferable. In this case, a distinction would have to be made between group-specific, sector-specific and
universal procedures.

For market-dominating groups such as Apple, Facebook or Google, a group-specific technical imple-
mentation based on the model of the above-mentioned “Takeout” service (chapter B. II) would be pos-
sible. By bringing together individual online services and with the possibility of extracting personal
data, users are in a simple way given the opportunity to manage the use and transfer of their data in a
centralised manner. In the example of “Takeout”, it is particularly relevant that this portability service is
integrated in a global data protection dashboard (here “MyAccount”) where the portability functionality
can be easily found next to the other privacy settings. However, the question remains whether and how
interoperability, compatibility and real integration possibilities for data sets extracted from the services
of individual “big players” can be guaranteed in practice. In any case, the will of individual market-do-
minating groups to cooperate will be an important requirement for the effective implementation of the
right to data portability which is also practicable for users. In this regard, it has to be taken into account
that in case market-dominating groups agree on one or more certain standards, a “standard monopoly”
could result which could prove detrimental to the development and the competition of alternative por-
tability models.

Industry-specific solutions following the example of “Blue Button” services 121 in the US healthcare sec-
tor seem promising. The main advantage of industry-specific initiatives is that data types and formats
as well as special data protection aspects can be adjusted to industry-specific requirements. In additi-
on, the development of and agreement on specific tools and formats within individual industry sectors
can be realised in a more efficient and targeted way than it would be for more complex cross-sectoral
agreement processes. Furthermore, there are already existing overriding portability regulations under
European law in certain sectors, as for example in the credit industry with regard to account informa-
tion, the switch to another credit institute and the records of securities transactions. Industry-specific
adjustments are also facilitated by the possibility of referring to already existing internal portability
practices within the sector (such as the transfer of master and supply data of customers in the power
supply sector 122).

121 See above, B. II.

122 See Section D., Klemens Gutmann.

Page — 97
 C. Assessment and Recommendations for Action

In many cases (in particular with respect to the switch to another provider), in which the transfer of
customer data is useful for consumers as well as companies, there are already existing arrangements
– for example mail forwarding orders, telephone number porting, account switching services or the
transfer of no claims bonuses .Moreover, it is becoming evident that the efforts and expenses for the
implementation of the regulation can be relatively low in certain economic sectors if it only applies to a
limited amount of data 123 or if only a small number of portability requests is to be expected.

Universal solution approaches are mainly recommendable for application to cross-sectoral and comple-
mentary services. For services which use cross-sectoral data sets (e.g. location data, insurance data,
healthcare data, purchase profiles, etc.) or for markets with complementary products (e.g. in the Smart
Home area), the added value can be increased 124 and a framework for new and innovative business mo-
dels can be created. In particular, universal, tool-based and user-oriented solutions based on Personal
Information Management Systems (PIMS) can prove to be promising implementation strategies for the
right to data portability. 125 With a standardised and centralised data control in one stop (“One-Stop
Shop”), users are given a comprehensible and easy possibility to manage their data and to share it with
several service providers at the same time. 126 PIMS would therefore be especially suitable for transmit-
ting personal data in a targeted and efficient manner and thus allow for more user control. 127 Additional-
ly, the development of PIMS solutions such as the “Rainbow Button” project or the “ONECUB-Connect
Button” described above (chapter B. II), could also provide a suitable platform for the cooperation bet-
ween different service providers and industries.

Conclusion
In conclusion, it can be said that for the implementation of the right to data portability, approaches of
“regulated self-regulation” should be used, establishing a framework under state supervision within
which regulatory authorities, NGOs as well as companies develop implementation strategies and stan-
dards for data portability. For an effective definition and arrangement of data portability and realisation
of legal compliance, it is above all desirable to involve companies and industries which will presumably
be particularly affected in formal consultation processes of the regulatory authorities from an early
stage.

For the practical implementation of data portability, industry-specific as well as universal approaches
can be taken into account. The application of industry-specific methods is advisable for the use of sec-
tor-specific data sets (e.g. healthcare and power consumption data) as well as in cases in which there
are already tried and tested internal portability solutions within the industry. Universal solution appro-
aches based on PIMS are mainly recommendable for application in cross-sectoral and complementary
services such as in the networked home or for networked driving. In cases in which the right to data
portability only applies to a small number of data sets which are easy to collect and to transmit and/or
in case a low demand for data transfers is to be expected, a direct transfer of data based on individual
cases could however be preferable.

123 cf. statement by Deutschen Datenmarketing Verbands (DDV), see Section D.

124 cf. statement by Gesamtverband der Deutschen Versicherungswirtschaft e.V. (GDV), See Section D.
125 See also statement by the European Data Protection Supervisor (EDPS) “EDPS: European Data Protection Supervisor,
Opinion 9/2016 “EDPS Opinion on Personal Information Management Systems”, p. 9.
126 See also: Stiftung Datenschutz, „Neue Wege bei der Einwilligung im Datenschutz – technische, rechtliche und ökonomische
Herausforderungen“, p. 7 ff. URL: https://stiftungdatenschutz.org/themen/projekt-einwilligung-und-transparenz/
127 European Data Protection Supervisor, Opinion 9/2016 “EDPS Opinion on Personal Information Management Systems”, p.
12-13.

Page — 98
 I. Assessment

4. Technical Realisation 128

Current Situation
Due to the right to data portability, service providers are faced with the challenge to adjust and comple-
ment existing IT systems in such ways that precisely defined data sets with personal data can be trans-
mitted to the individual persons concerned or to another service provider indicated by these persons.
In the future, this data has to be made available in a structured, commonly used and machine-readable
format.

The question, in which format the data shall be transmitted, concerns technical, legal and economic
as well as acceptance-oriented aspects. The legislator does not define or specify precise requirements
regarding the technical realisation. The General Data Protection Regulation only calls for the creation of
organisational and technical measures and processes in order to efficiently achieve the objectives of the
provisions. At the same time, the act remains neutral with respect to technology. It does not prescribe
a certain format or a standard. The wording of the regulation only provides for the use of a “structured,
commonly used and machine-readable” format. In addition, it calls for the development of interoperable
formats (Recital 68) which allow for the further processing of the data in other systems.

Architecture of the Data Format

The original version of the Guideline by the Article 29 Working Party, according to which as much meta-
data as possible shall be made available at the highest level of granularity, was in a revised version cla-
rified to include the specification that commonly used and open formats shall be used, unless another
or no format was customary in a certain industry or a certain context. As examples, the formats XML,
JSON, CSV were listed.

More important than the selection of the precise format is however the architecture or rather the general
characteristics of a “commonly used” format. Here, different levels have to be incorporated: Structural
interoperability (a common data model), syntactical interoperability (a common syntax) and semantic
interoperability (a common understanding of the data contents). Interoperability for different formats
could only be achieved if these could be reasonably converted between each other. For this purpose,
the involved formats would have to be described and documented in sufficient detail. As a result, the
data shall be arranged within a file following a comprehensible pattern or rather a certain blueprint. The
architecture has to indicate syntax and semantics of the data within the file. While syntactical informa-
tion defines how the data is structured and composed (metadata), the actual contents are consistently
determined on the semantic level. From this structure, it can be deduced how the file itself (identify and
handle) and also how the data within the file have to be interpreted. Thus, the efficient machine-reada-
bility of the personal data contained therein is ensured. 129 This would also allow for the functional rea-
lisation of interoperability.

128 This chapter is based on the expert opinion by Gunnar Hempel/Karl Schmid, SCRC e.V. Leipzig, University of Leipzig, Chair of
Business Informatics, Prof. Dr. Rainer Alt., commissioned by Stiftung Datenschutz, see chap. D. II.
129 cf.: Hempel/Schmid, SCRC e.V. Leipzig, University of Leipzig, Chair of Business Informatics, Prof. Dr. Rainer Alt., see chap.
D. II.; Drepper/Schlünder/Buckow, Praktische Umsetzbarkeit der Datenportabilität im Bereich der medizinischen Forschung, see
Section D.

Page — 99
 C. Assessment and Recommendations for Action

A suitable solution in this context would for example be the XML-based standard for the structuring of
personal data. XML allows for different granularity levels without any problems. In addition, the informa-
tion contained in the XML schema is not only machine-readable but it can also be read by the persons
concerned themselves using standard software. Apart from the right to data portability, this property
could also support the exercise of access rights by the persons concerned. 130

The minimum requirement for data portability and/or interoperability is to write the data into a basic
CSV format and to add a simple description of how the data is arranged in the file. This description has
to indicate which data contents can be found at which position inside the file (surname, first name, date
of birth, etc.) and, if applicable, what certain codings mean.

For the transmission via information technology, appropriate security measures must be guaranteed,
such as end-to-end encryption of the data during transport using to the latest technology. In addition,
secure identification and authentication of the person concerned has to be ensured in any case (log-in
procedure, double opt-in). 131 The requirement to process the data in a way which guarantees sufficient
security is indispensable and a general principle in data protection law (e.g. Art. 5, para. 1f GDPR). This
also includes the integrity and confidentiality of the data, which has to be ensured by means of suitable
technical and organisational measures. For this purpose, it will be advisable to transmit the data in a
tamper-proof and signed format. This way, it could in case of doubt be verified that the controller has
exported correct and unaltered data. Otherwise, there would be a general risk of data manipulations
within the scope of the transmission. In order to be effectively covered against liability risks, appropriate
measures have to be taken.

Industry Standards
Over time, a large number of industry standards for the exchange of data has been developed. One of
the best known examples for the specific exchange of data is EDIFact. This standard communication
is used to realise a large part of the data exchanges in the industrial, service and commercial sectors.
Standard systems such as ERP by SAP, but also less commonly used commercial applications provide an
EDIFact interface for export and import. The implementation of new EDIFact interfaces requires relati-
vely sophisticated expert knowledge as well as some effort. Also, EDIFact is hardly readable on the part
of the user. EDIFact is for example used to exchange personal data in case of a switch from one power
supplier to another. 132

The same applies in the case of DATANORM. This format is used to transmit article information. DA-
TANORM is highly generic and thus flexible, and it offers a broad range of functionalities. However, this
standard, too, is hardly suitable for the extensive requirements of data portability.

In the field of medical informatics, the standard HL7 has become the established solution. However, this
standard, as well, is subject to the above-mentioned limitations in terms of a cross-sectoral portability.

These three examples show how application- and/or industry-specific exchange standards have de-
veloped.

130 ibid.
131 See also WP 242 Guidelines on the right to data portability. Adopted on 13 December 2016. As last revised and adopted on
5 April 2017. 2017. Article 29 Data Protection Working Party, WP 242, rev.01, http://ec.europa.eu/newsroom/document.cfm?doc_
id=44099 (access: 2017-07-31).
132 See also statement by Klemens Gutmann., see Section D.

Page — 100
 I. Assessment

The XML standard (Extensible Mark-up Language) has a more general relevance. The advantages of this
standard are:

> Widely spread industrial standard

> Used by many IT solutions, platform-spanning, flexible and easily expandable

> Basis for modern transmission technologies such as web services

> Allows for quick reactions to legal requirements

> Standardisation avoids individual solutions

> Even deeply nested layers can be read with relative ease

> XSLT is available for conversion into different formats.

XML has the advantage that this technology can deliver data as well as the corresponding metadata for
the description of the data, for plausibilities and further processing. This way, the data description is
automatically included in the delivered exchange format. Moreover, data in XML format can easily be
displayed in a readable way, e.g. by means of MS EXCEL or any editor. In connection with web services,
XML is extremely well-suited for the communication between different systems. Of course, this techno-
logy does not eliminate the need for a definition which data shall be transmitted at all – this applies to
all exchange formats.

Lately, JSON (JavaScript Object Notation) is being used more and more. It offers relatively easy readabi-
lity for humans

> Simple, minimalist syntax

> Low data volume

> More suitable for AJAX applications

> Supports a large number of programming languages

> Less suitable for documents and media data

Generally speaking, both XML and JSON are open interface technologies which fulfil the requirements
for interoperability.

Page — 101
 C. Assessment and Recommendations for Action

Conclusion
The minimum requirement for data portability and/or interoperability is to write the data in the CSV
format and to add a simple description of how the data is arranged in the file. This description has to
indicate which data contents can be found at which position inside the file (surname, first name, date
of birth, etc.) and, if applicable, what certain codings mean. For more complex solutions, XML or JSON
would be suitable. Both standards fulfil the requirements regarding machine-readability as well as in-
teroperability. They contain the data as well as descriptive metadata and have sufficient depth due to
their structure so that they are able to represent even complex data structures. Finally, the necessity to
encrypt data is essential, as well. This also includes the integrity and confidentiality of the data, which
have to be ensured by means of suitable technical and organisational measures.

II. Recommendations for Action

1. Objectives of the Regulation

• The regulation should be implemented in line with its original intention – the improvement of data
privacy (“informational self-determination”) for the consumers. This refers primarily to possibilities of
control over the transmission of personal data.

• The right to data portability has to include at least such data whose portability actually supports infor-
mational self-determination and which can correspondingly be utilised by the users. The efforts and
expenses required for the implementation of the regulation have to be proportionate, also with regard
to the consumers’ data sovereignty.

• The effectiveness of the regulation has to be tested in practice. This includes for example behaviou-
ral economic surveys examining the actual willingness of the users to make use of data portability
options. The results should be taken into account in the evaluation of the EU General Data Protection
Regulation.

• The introduction of the right to data portability should be accompanied by information campaigns re-
garding its scope and possibilities (e.g. by national data protection authorities or through information
platforms).

2. Determination of the Scope of Application

• The determination of the scope of application should focus on the consumer benefits in order to in-
crease acceptance and success of the new right.

• The definition of “data provided” should be based on the spirit and purpose of the regulation.

Page — 102
 II. Recommendations for Action

• Apart from the statement of the Article 29 Working Party, the regulatory authorities should specify
what “data provided” means exactly and give examples for the data categories included under this
term.

• The question whether the scope of application could include inventory data as well as usage data
should be answered based on each individual case and on the respective service. It has to be exa-
mined, in which cases the transfer of “provided” usage data to another service provider would actually
support the control rights of the person concerned.

• With respect to the data format and the requested interoperability, issues of competition law have to
be taken into account. It has to be examined, to what extent criteria have to be developed in order to
achieve a consistent perspective across Europe as well as a differentiated result with respect to com-
petition law and data protection law. Antitrust issues with respect to agreements on methods for data
transfer have to be avoided. The protective purpose of the regulation, i.e. to facilitate a switch from
one provider to another, has to be realised in an effective way.

• In case of data processing by an individual person exclusively for personal or family purposes, it has to
be taken into account with regard to third-party protection rights whether personal data are transmit-
ted to a commercial provider or if they are processed on their own private devices. In this regard, rules
of conduct have to be elaborated indicating to what extent further processing by commercial providers
due to legitimate interests or a change of purpose would be actually ruled out in the future.

• It is advisable to check whether there is a consistent technical and legal understanding of the term
“metadata”. This is particularly relevant in order to decide which metadata are required for the suc-
cessful implementation of data portability as well as for the development of a format from a technical
point of view and which are permissible from a legal point of view.

• All of the involved parties should always ensure transparency when the right to data portability is exer-
cised. The respective concerned persons should not lose track of the data controllers and the rights of
erasure they are entitled to. They have to know all of the information relating to the processing by the
old and the new controller.

• With regard to the request “where technically feasible”, it has to be decided whether objective criteria
can be developed or if the individual capacities of the respective data controller (subjective standard)
are taken as a basis.

• It is also important to strive for a harmonisation and consistent interpretation across all of Europe in
construing Art. 20 GDPR as well as in the elaboration of rules of conduct according to Art. 40 GDPR.

Page — 103
 C. Assessment and Recommendations for Action

3. Implementation Strategies
• It is advisable to develop approaches of “regulated self-regulation” establishing a framework under
state supervision within which regulatory authorities, NGOs as well as companies develop implemen-
tation strategies and standards for data portability.

• For an effective definition and arrangement of data portability and realisation of legal compliance,
companies and industries which will be particularly affected should be involved in formal consultation
processes of the regulatory authorities.

• In case of the transfer of sector-specific data sets within one category of controllers and in cases where
there are already existing internal portability solutions within the industry, an industry-specific proce-
dure is recommended.

• Solution approaches based on Personal Information Management Systems (PIMS) seem very promi-
sing for cross-sectoral application cases.

• In cases in which a low demand for data transfers is to be expected, individual solutions for the direct
transfer of data sets could be applied.

• In order to allow for better orientation, the responsible bodies should work towards rules of conduct
for the practical implementation of portability (Art. 40 GDPR).

4. Technical Realisation
• The minimum requirement for data portability and interoperability should be the use of the CSV for-
mat. To this, a simple description of how the data is arranged in the file has to be added.

• For more complex solutions, the formats XML or JSON should be used. These formats allow for finer
granularity levels, contain content data as well as describing metadata and have sufficient depth due
to their structure so that they are able to represent even complex data structures. The information
contained in these files is not only machine-readable but it can also be read by the persons concerned
themselves using standard software, which at the same time supports the users’ exercise of their
information rights.

• The data protection authorities should define which specific requirements are imposed with regard to
authentication in order to avoid legal uncertainties for the controllers as well as risks for the persons
concerned.

Page — 104
 II. Recommendations for Action

• It has to be made sure for individual solutions as well as for industry-specific or cross-sectoral and
universal approaches that the technical solutions are as a matter of principle made interoperable with
each other by means of open interfaces.

• With regard to the efficient reuse of the transferred data, the PDF format should not be used as a stan-
dard in the field of data portability, even if it is sufficient as an electronic format within the scope of the
right of access with respect to transparent information.

Page — 105
 D. Anlagen / Annexes

Page — 106
D. Anlagen / Annexes

Seite / Page — 107

 D. Anlagen / Annexes

Haftungsausschluss
Beiträge und Stellungnahmen in diesem Abschnitt sind eigenständige Werke der einreichenden Person/
Institution und geben alleine deren Auffassung wieder.

Disclaimer
Any papers and statements cited in this section are independent works of the submitting person(s)/
institution and only reflect their own opinions.

Seite / Page — 108

 D. Anlagen / Annexes

Seite / Page — 132

 d. Deutsche Telekom

Seite / Page — 133

Seite / Page — 145
 D. Anlagen / Annexes

Seite / Page — 146

 f. Google

● Privacy  and  Security:  Providers  on  each  side  of  the  portability  transaction  should  have 
strong  privacy  and  security  measures---such  as  encryption  in  transit---to  guard  against 
unauthorized​ ​access,​ ​diversion​ ​of​ ​data,​ ​or​ ​other​ ​types​ ​of​ ​fraud.  
 
● Reciprocity:  While  portability  offers  more  choice  and  flexibility  for  users,  it  will  be 
important  to  guard  against  incentives  that  are  misaligned  with  user  interests.  A  user's 
decision  to  move  data to another service should not result in any loss of transparency or 
control  over  that  data.  Users  will  expect  that  data  ported  into  a provider can likewise be 
exported  again,  if  they  so  choose.  Data  should  only  be  transferrable  between reciprocal 
services  to  incentivize  provider  participation  and  guard  against  the  possibility  of 
companies  with  limited consumer relationships requesting and gaining control over data 
that​ ​does​ ​not​ ​fit​ ​the​ ​purpose​ ​of​ ​their​ ​business​ ​or​ ​benefit​ ​the​ ​consumer. 
  
● Focus  On  Users’  Data,  Not  Company  Data:  Data  portability  is  not,  and  should  not  be, 
without  reasonable  limits.  Portability  efforts  should  be  limited  to  data that has utility for 
a  user,  e.g.  the  content  a  user  creates,  imports,  approves  for  collection,  or  has  control 
over.  This  reduces  the  friction  for  users who want to switch among products or services 
because  the  data  they  export  is  meaningful  to  them.  Portability  should  not  extend  to 
data  collected  to  make  a  service  operate,  including  data  generated  to  improve  system 
performance  or  train  models  that  may  be  commercially  sensitive  or  proprietary.  This 
approach  also  encourages  companies  to  continue  to  create,  knowing  that  their 
proprietary​ ​technologies​ ​are​ ​not​ ​threatened​ ​by​ ​data​ ​portability​ ​requirements.  
 
Concerned​ ​Sectors: 
 
Data portability is aligned with general industry trends to increase user engagement by making it 
easier  to  try  new,  innovative  services.  Companies  are  building  increasingly  sophisticated 
features  and  need  to  ensure  that  a  wide  variety  of  users  can  enjoy  the  experiences  they  are 
offering.  One  solution  to  increasing  the  audience  is  to  reduce  the  infrastructure  burdens  that 
products  place  on  users.  This  requires  companies  to  build  products  that  minimize  the 
bandwidth,  storage space, and technical expertise required to participate. These solutions result 
in  better  experiences  for  all  users,  but  particularly for those who reside in areas that lack robust 
digital  infrastructure  or  where  data  can  be  prohibitively  expensive.  Portability  aligns  with  this 
trend​ ​and​ ​is​ ​an​ ​obvious​ ​step​ ​toward​ ​the​ ​larger​ ​goal​ ​of​ ​expanding​ ​the​ ​digital​ ​economy. 
 
That  said,  porting  data  between  entities  raises  challenging  policy  and  engineering  questions 
that  industry  will  need  to  address  collectively.  We  can  look  to  existing  infrastructure  and 
industry​ ​trends​ ​for​ ​guidance​ ​on​ ​possible​ ​solutions.  

First,  companies  must  simultaneously  advance  their  understanding  of  the  importance  users 
place  on  controlling  their  digital  lives  as  they  build  products that assume responsibility for data 
storage.  Although  individual  companies  may  have  policies  or  principles  that  give  users  control, 
the  industry  at  large  must  respond  to  some  user  expectations  as  a  community.  Users  rely  on 

Google​ ​Inc.​ ​—​ ​2

Seite / Page — 147

 D. Anlagen / Annexes

data  to  engage  in  everyday  life.  They  need  to  be  able  to  manage  both  the  content  they  create, 
like  a  drawing  or  document,  and  content  about  them  like  their  medical  records,  banking 
information,  or  records  of  the  songs  they  listened  to.  Because  of  this  users  expect  to  have 
control  over  all  of  this  data,  including  the  right  to  relocate  it  freely.  At  the  same  time,  the 
combination  of  an  increasing  amount  of  digital  data  and  the  shift  to  mobile  devices  with lower 
storage  capacities  results  in  much  of users’ personal data being stored with third-parties. Users 
understand  that  their  control  over  their  data  requires  the  participation  of  the  technology 
companies  they  are  entrusting  with  their  digital  life,  and  portability  is  a  pillar  of  meeting  their 
expectations.  
 
Additionally,  industry  should  not  assume  that  successful  portability  requires  building  entirely 
new  products.  Lightweight  approaches  to  solving  the  engineering  challenge  might  rely  on 
existing infrastructure, creating minimal burden on companies. For many data types, it is already 
industry  standard  to  offer  platforms  that  support  importing  and  exporting user data.  Building a 
solution  that  leverages  this  existing  infrastructure  to  allow  users  to  send  data  directly between 
companies  enables  a  robust  data  portability  ecosystem  without  the  long  delays  that  might  be 
caused​ ​by​ ​starting​ ​at​ ​a​ ​nascent​ ​state.   
 
Data  portability  aligns  with  an  industry-wide  shift.  While  it  may  require  some  investment  to 
develop  platforms that are minimally burdensome on users, the increased engagement and user 
empowerment  will  benefit  the  technology  sector  at  large. We believe open source solutions will 
foster  a  robust  data  portability  ecosystem,  while  requiring  relatively  little  investment  from  the 
majority  of  the  industry.  Companies  and  sectors  that  align  their  portability  efforts  with  larger 
goals​ ​to​ ​improve​ ​ ser​ ​experiences​ ​globally​ ​ ill​ ​see​ ​long-term​ ​gains​ ​in​ ​their​ ​ability​ ​to​ ​innovate. 
 
Practical​ ​ mplementation: 
 
Industry has an important role to play in fostering the right framework to encourage more robust 
and  meaningful  data  portability  and  interoperability  for  users.  When  done  right,  data  portability 
enables  user  control,  and  promotes  user  choice  through  improved  competition  between 
providers.  
 
Developing  one  universal format should not be a prerequisite for a portability solution. For some 
types  of  data,  a  recognized  industry  standard  exists  (jpeg),  for  some  there  are  defacto 
portability  standards  (mbox  and PST for mail), and for others there isn’t a clear format of choice 
(IMs).  Additionally,  different  products  offer  unique  features  and  encouraging this uniqueness is 
paramount  to  encouraging  innovation.  New  features  and  use  cases  may  be  developed  at  any 
time  and  may  be  incompatible  with  current  formats.  Enforcing  static,  standard  formats  may 
reduce  the  opportunity  for  portability  of  these new features because they are not represented in 
the​ ​standard.​ ​ ecisions​ ​about​ ​standardization​ ​ ust​ ​account​ ​for​ ​technological​ ​innovation.  
 
For  data  types  where  there  is  a  standard,  these  standards  should  continue  to  be  used.  We 
believe  that  compatibility  can  be  achieved  by  providing  an  open  source  repository  of  ways  to 

Google​ ​Inc.​ ​—​ ​3

Seite / Page — 148

 f. Google

translate  from  proprietary  formats  into one or more common formats. If a service provider feels 

existing  interfaces  don’t  suit  their  needs,  they  are  free  to  define  a  new  one  and  also  write  the 
interface​ ​for​ ​one​ ​or​ ​ ore​ ​competitor​ ​importers​ ​for​ ​that​ ​data​ ​type. 
 
While  we  support  maximizing  the  role  of  existing  standards  and  protocols,  there still must be a 
mechanism  to  encourage  reciprocity  among  data  providers.  We  believe  companies  have  a 
strong  interest  in  being  able  to  import  data  from  a  wide  variety  of  sources.  Maintaining  parity 
allows  a  given  provider  to  choose  any  format  that  works  for  its  purposes,  and  encourages 
portability  by  enabling  export  in  any  format  a  different  service  can  import.  We  believe 
companies’  desire  to  be  able  to  import  data  from  the  most  common  formats  will  provide  a 
strong​ ​business​ ​incentive​ ​for​ ​them​ ​to​ ​also​ ​export​ ​data​ ​in​ ​the​ ​ ost​ ​common​ ​format. 
 
To​ ​that​ ​end,​ ​ e​ ​recommend​ ​policymakers​ ​consider​ ​the​ ​following​ ​points: 
 
● Portability  should  be  flexible:  Locking in rigid data portability requirements or standards 
is  an  ineffective  approach.  Inflexible  “one  size  fits  all”  requirements  may  promote 
consistency,  but  they  often  result  in  a  focus  on  compliance  over  innovation.  Portability 
solutions  must  work  for  services  of  all sizes and sectors, and should not create artificial 
barriers​ ​to​ ​new​ ​services​ ​entering​ ​the​ ​ arketplace.  
 
● Encourage  open,  consistent,  interoperable  standards:  Industry  should  encourage  more 
providers  to  voluntarily  offer  robust  data  portability  mechanisms  that  are  open  and 
interoperable  with  industry-standard  formats.  Increasing  portability  and  interoperability 
incentivizes  providers  to  improve  their  product  offerings  and  improves  user 
engagement.  
 
● Increase  consumer  awareness:  Encouraging  users  to  practice  good  data  hygiene 
empowers  them  to  make  smart  choices  about their data. More effort should be made to 
educate  users  about  data  portability  and  what  factors  they  should  consider,  such  as 
security​ ​and​ ​data​ ​protection​ ​ hen​ ​choosing​ ​services. 
 
Google’s​ ​ akeout: 
 
In  2011,  Google  launched  a  portability  product  called  “Google  Takeout.”  This  straightforward 
tool  enables  users  to  download  a  copy  of  the  data  they  store  or  create  in  a  variety  of 
industry-standard  formats.  Takeout  (available  at  ​https://takeout.google.com/settings/takeout​) 
has​ ​become​ ​a​ ​staple​ ​of​ ​our​ ​ ser​ ​control​ ​offerings​ ​and​ ​ e​ ​continue​ ​to​ ​ ake​ ​improvements. 
 
Allowing  users  to  download  data  in  multiple  formats  maximizes  flexibility,  creating  many 
options  for  how  users  can  utilize  their  downloaded  data.  Users most commonly download their 
data to create a copy as a backup, but Google also enables exports directly to certain competing 
services,  including  Dropbox  and  Microsoft  OneDrive.  We  expect  to  add  additional  services  for 
direct​ ​portability​ ​in​ ​the​ ​near​ ​future.  

Google​ ​Inc.​ ​—​ ​4

Seite / Page — 149

 D. Anlagen / Annexes

 
Takeout  currently  facilitates  the  export  of  data  for  more  than  30  products  (see  appendix  for 
details).  Since  launching,  users  have  exported  more  than  one  exabyte  of  data  and  there  are 
currently  more  than  one  million  exports  per  month.  We  continue  to  refine  the  user  experience 
and​ ​add​ ​additional​ ​functionality​ ​and​ ​products​ ​to​ ​expand​ ​the​ ​types​ ​of​ ​data​ ​ sers​ ​can​ ​download.   
 
The​ ​ uture--​ ​Service-to-Service​ ​ ortability:  
 
At  Google,  we  believe  users  should  be  able  to  seamlessly  and  securely  transfer  their  data 
directly  from  one  provider to another. To help make this possible, we are developing a prototype 
that  can  connect  any  two  public-facing  product  interfaces  for  the  purpose  of  importing  and 
exporting  data.  This  allows  for  a  direct  transfer  between  the  corresponding  platforms.  This  is 
especially  important  for  users  in  developing  markets as it does not require a user to upload and 
download  the  data  over  what  may  be  low  bandwidth  connections  and  at  potentially  significant 
personal​ ​expense.  
 
Our  proposed  approach  envisions  an  ecosystem  of  adapters  to  convert  proprietary  interfaces 
and  formats  into  a  small  number  of  canonical  formats  useful  for  porting  data.  This  makes  it 
possible  to  transfer  data  between  any  two  arbitrary  providers  using  existing  authorization 
mechanisms.  The  sustainability  of  this  ecosystem  is  supported  by  the  inherent  benefits  of 
reciprocity;  the  easiest  way  for  companies  to  attract  new users to share their existing data is to 
support​ ​and​ ​ aintain​ ​an​ ​interface​ ​that​ ​allows​ ​for​ ​data​ ​portability. 
 
This  approach  does  not  address  all  challenges.  For  example,  restrictions  on  formatting  and  a 
loss  of  access  to  specific  features  are  not  mitigated  through  our  open  source  solution. 
However,  our  approach  proves  the  concept  that  a  substantial  amount  of  industry-wide  data 
portability  can  be  achieved  without  changes  to  existing  products  or  authorization  mechanisms 
by  most  companies.  In  2018  we  plan  to  publish  more  detailed  information  about  this proposal, 
as  well  as  make  it  available  in  an  open-source format, to demonstrate our commitment  toward 
universal​ ​data​ ​portability.  
 
Conclusion​: 
 
Thank  you  for  this  opportunity  to  share  our  views  on  the  practical  methods and implications of 
data  portability.  The  implementation  of  data  portability  requirements,  described  in  Article  20 of 
the  General  Data  Protection  Regulation,  provides  an  opportunity  to  advance  user  control  over 
data  and,  if  done  correctly,  can  achieve  this  without  reducing  incentives  for  continued 
innovation.​ ​ e​ ​look​ ​forward​ ​to​ ​continuing​ ​dialogue​ ​on​ ​this​ ​and​ ​other​ ​topics. 
   

Google​ ​Inc.​ ​—​ ​5

Seite / Page — 150

 f. Google

APPENDIX: 
Takeout​,​ ​accessible​ ​through​ ​ yAccount,​ ​is​ ​a​ ​simple​ ​tool​ ​that​ ​enables​ ​ sers​ ​to​ ​download​ ​a​ ​copy 
of​ ​their​ ​data​ ​at​ ​anytime.​ ​ any​ ​ oogle​ ​products​ ​enable​ ​download​ ​from​ ​ akeout​ ​including:   
 
● 3D​ ​ arehouse 
3D​ ​ odels​ ​the​ ​ ser​ ​created 
● Android​ ​ ay 
Loyalty​ ​and​ ​gift​ ​card​ ​info 
● Blogger 
Blog​ ​data​ ​in​ ​ tom​ ​format 
● Bookmarks 
Bookmarks​ ​in​ ​structured​ ​ tml​ ​format​ ​that​ ​are​ ​importable​ ​into​ ​other​ ​browsers 
● Calendar 
Calendar​ ​data​ ​in​ ​iCal​ ​format 
● Chrome​ ​data 
Chrome​ ​ ync​ ​data​ ​including:​ ​autofill,​ ​bookmarks,​ ​browser​ ​ istory,​ ​custom 
dictionary,​ ​ etadata​ ​about​ ​extension,​ ​and​ ​search​ ​engine​ ​settings 
● Contacts 
Contacts​ ​data​ ​in​ ​either​ ​ Card,​ ​ V,​ ​or​ ​ T L​ ​format 
● Dri e​ ​ Documents,​ ​ rawings,​ ​ orms,​ ​ resentations,​ ​and​ ​ preadsheets) 
All​ ​dri e​ ​content​ ​that​ ​ ou​ ​own 
● it 
itness​ ​data 
● mail 
ail​ ​content​ ​in​ ​ BOX​ ​format 
● oogle​ ​ hotos 
Original​ ​photos,​ ​edited​ ​photos,​ ​as​ ​ ell​ ​as​ ​ etadata​ ​and​ ​comments 
● oogle​ ​ lay​ ​ ooks 
Books​ ​ ou’ e​ ​ ploaded​ ​as​ ​ ell​ ​as​ ​bookmarks​ ​and​ ​notes 
● oogle+​ ​ +1’s,​ ​ ircles,​ ​ ages,​ ​ tream) 
T L​ ​formated​ ​data​ ​on​ ​ our​ ​ arious​ ​social​ ​data 
● roups 
embership​ ​lists​ ​of​ ​all​ ​the​ ​groups​ ​ ou​ ​ anage 
● andsfree 
Transaction​ ​data​ ​ ade​ ​ ith​ ​the​ ​platform 
● angouts 
J ON​ ​formatted​ ​chat​ ​data 
● angouts​ ​on​ ​ ir 
Q&As​ ​from​ ​e ents​ ​ ou’ e​ ​ osted 
● Keep 
T L​ ​formatted​ ​data​ ​from​ ​ eep,​ ​including​ ​ ploaded​ ​photos 
● Location​ ​ istory 
J ON​ ​of​ ​ L​ ​formatted​ ​list​ ​reported​ ​location​ ​data 

Google​ ​Inc.​ ​—​ ​6

Seite / Page — 151

 D. Anlagen / Annexes

● Maps​ ​ Your​ ​ laces,​ ​ y​ ​ aps) 

laces​ ​ ou​ ​ ave​ ​rated​ ​or​ ​stored​ ​on​ ​ aps 
● Moderator 
HTML​ ​formated​ ​ uestions​ ​or​ ​ nswers​ ​ ou​ ​ ave​ ​contributed​ ​to 
● anoramio 
otos​ ​ ou​ ​ ave​ ​ ploaded 
● rofile 
rofile​ ​data​ ​ ou​ ​ ave​ ​entered 
● Searc ​ ​ istory 
HTML​ ​formatted​ ​listing​ ​of​ ​searc ​ ​ ueries 
● Tasks 
JSON​ ​formatted​ ​list​ ​of​ ​all​ ​ our​ ​task​ ​data 
● Voice 
Text​ ​ essages,​ ​ oicemails,​ ​greetings,​ ​call​ ​and​ ​billing​ ​ istory 
● Wallet 
CSV​ ​ ransaction​ ​ istory 
● YouTube 
Videos,​ ​comments,​ ​playlists,​ ​ atc ​ ​ istory,​ ​searc ​ ​ istory 
 

Google​ ​Inc.​ ​—​ ​7

Seite / Page — 152

Seite / Page — 153
 D. Anlagen / Annexes

Olvier Dion

Seite / Page — 154

 g. ONECUBE

Tags : PIMS, decentralization, blockchain

Abstract

Onecub is a French startup that created a PIMS (Personal Information Management System)
and is a Data Portability tool for individuals.

Onecub helps companies to apply GDPR Art.20 for a limited cost and allows individuals to
benefit from it through a very simple user experience.

In this paper we present our views, based on 7 years of experience in the field, of the real
purposes, barriers and implications of Data Portability.

We also propose a general architecture for Data Portability based on PIMS. We extend it by
presenting a decentralized solution based on the blockchain technology.

In the end we explain why we think that PIMS should be at the center of the Data Portability
standards debate.

Seite / Page — 155

 D. Anlagen / Annexes

Contents
I. Who is Onecub? .............................................................................................................................. 4
1. Proposed service ......................................................................................................................... 4
2. Current realizations and partnerships ......................................................................................... 4
3. ONECUB engagement in the PIMS community .......................................................................... 5
II. Why do we need Data Portability?.................................................................................................. 6
1. Purposes and benefits................................................................................................................ 6
2. Concerns and limitations ............................................................................................................ 8
3. Scope .......................................................................................................................................... 9
4. Use cases ................................................................................................................................... 10
III. A general architecture for Data Portability.................................................................................. 11
1. Architectural options for Data Portability ................................................................................. 11
2. The PIMS architecture ............................................................................................................... 12
3. Technical solution for data collection and reutilization ............................................................ 12
4. The PIMS data centralization problem ................................................................................ 12
5. PIMS specific status ................................................................................................................... 14
6. Business models ........................................................................................................................ 14
IV. Standards and formats ................................................................................................................ 15
1. User centric approach ............................................................................................................... 15
2. Reinventing the wheel or not .................................................................................................... 15
3. Debating with PIMS ................................................................................................................... 15

Seite / Page — 156

 g. ONECUBE

I. Who is Onecub?

In the era of Big Data, organizations have truly learned to seize the opportunities given by
this revolution. Every day the costs of collecting, storing, analyzing and distributing data
decrease, and the value of data goes up. However, where companies knew how to ride this
wave, individuals haven't benefited from it yet. This observation is all the more absurd when
we know that 75% of all data used by companies is "personal data" concerning the
individuals themselves.

ONECUB, a French startup created in 2011, aims at giving individuals back the control of
their data through an innovative service: a data portability tool that manages personal data
exchange between users and service providers in a homogenous manner.

1. Proposed service

ONECUB is a data portability tool that allows an individual to easily gather his personal data
and securely exchange it with external websites or online services via an API, ONECUB
Connect. Thus, ONECUB users will be able to share their data with third party services while
remaining in full control of their privacy settings, in a transparent way and to discover new
ways to benefit from that data.

Companies and organizations in general will be able to provide their users more
personalized services and a simplified end-user experience. Furthermore, ONECUB is an
ideal solution for data controllers as it can help them respond to the new right to data
portability introduced by the GDPR framework.

2. Current realizations and partnerships

Mytroc is the first online service which had integrated a ONECUB Connect Button. Currently,
discussions are advanced with many online services in order to integrate a ONECUB
Connect button.

2.1 Mytroc

Mytroc is a digital platform which allows its users to trade every kind of stuff. Concretely,
Mytroc users have to publish an ad on the website with a picture and a description of the
product that they want to exchange.

Thanks to the ONECUB Connect Button, a user can offer something to trade more easily by
clicking on the ONECUB Connect button to share his online purchases history with Mytroc. In
this way, he will only have to select the product that he wants to sell among all of his online
purchases to publish a new ad.

2.2 Air Indemnité

Air Indemnité is an online compensation service for air passengers which takes care of the
entire claim procedure in cases of delays, cancellations or overbooking. An air passenger

Seite / Page — 157

 D. Anlagen / Annexes

can claim for cancelled and overbooked flights over the past five years! To file a claim, an Air
Indemnité user has to send the electronic ticket issued by the air carrier.

A ONECUB Connect button could enable the user to share directly with Air Indemnité all of
his airline tickets that he purchased in the past and that he will purchase in the future..
Therefore, Air Indemnité will be able to notify the user when a compensation opportunity is
identified.

2.3 Umanlife

Umanlife is a personal wellness coach which aims at influencing healthy behaviors through
innovation and disruptive user experience. Umanlife suggests personalized goals as well as
relevant advice and recommendations thanks to data collected. Umanlife provides, among
others, a nutritional follow-up service. Such a service requires a large amount of data which
is difficult to collect at the present time.

A ONECUB Connect button could enable the user to share directly with Umanlife all of the
data relating to their diet thanks to the food online orders. Thus, Umanlife will be able to offer
the user a simplified user experience and at the same time, give him nutritional advice
tailored to his needs.

3. ONECUB engagement in the PIMS community

Onecub has been involved for 7 years in the American VRM (Vendor Relationship
Management) community and in the French MesInfo community.

In 2017 Onecub has been selected by Facebook to be a part of Startup Garage Paris, a
program that helps startups dealing with personal data in the context of GDPR grow.

Onecub regularly discusses GDPR key aspects and Data Portability with French startups, big
companies, consulting firms and the French data protection authority.

Onecub is a member of the newly born French PrivacyTech community which aims at
promoting privacy friendly technologies.

We regularly participate in GDPR related events and have already organized our own
events.

Seite / Page — 158

 g. ONECUBE

II. Why do we need Data Portability?

1. Purposes and benefits

GDPR Art.20 enforces the new right for Data Portability. It will allow individuals to get their
personal data back from their service providers, in order to reuse it anywhere they want.
Service providers (companies, administrations, etc.) on their side are required not to oppose
any kind of obstruction to the process.

This new ability given to EU citizens does not come with an obvious purpose: as mentioned
in recital 68 of the GDPR, the right for data portability aims at strengthening data subjects’
control over their own data. That is interesting but what are practical implications?

We can guess that almost no one will claim for his data portability rights without any direct
benefit and that no business will deploy any data portability technical solution if there is no
constraint or benefit related to it. So we can ask ourselves what each kind of actor is looking
for within Data Portability.

1.1. For individuals

Market freedom and “the Switch”

In many occasions individuals want to switch operators for a specific service

(telecommunication, utilities, bank, insurance, etc.). Each operator often tries to retain its
customers by making the unsubscribing process overly complicated on the user experience
point of view (unsubscription postal mail required for instance).

The other main barrier for switching is the fact that when opening a new account with a new
service provider, the individual has to start from scratch, there is no continuity throughout its
different operators although services are very similar form one to another.

Service provider’s retention strategies and service discontinuity largely participate in the lock-
in effect that traps a customer with a service provider even when the customer is not
satisfied. On a market point of view, lock-in effect creates or maintain de facto monopolies
and oligopolies which can be detrimental to the customer (high prices, poor service quality,
etc.).

Data Portability adds fluidity to markets: it is way easier to change your telecommunication
operator when you know that your phone number will stay the same. In the same time if
people in general change their telecommunication operator easily, it increases competition
and can lead to lower prices and better service quality. The same goes for many industries.

Online services make our lives easier. We spend a smaller amount of time than before on
our administrative tasks since we can fill online forms home instead of waiting in line at the
service provider’s office.

Seite / Page — 159

 D. Anlagen / Annexes

But at the digital era, task management is still a frustrating endeavor.

We continuously fill up online forms containing the same information within various service
providers and it still requires an organization effort since there does not exist any
consolidated online view of our situation over our different service providers.

Data Portability would save us a lot of time and pain by allowing us to reuse the same data
throughout our different services. We could reuse provided data (ex: identification data) as
well as processed data (when processed data is not covered by rights of any kind:
intellectual property, etc.) from one service to another in a fluid manner. Instead of giving
data to a service provider we would just have to grant access to it. User experience as well
as data quality online would be greatly improved by this kind of processes.

We would also benefit from a consolidated view of our general situation over our multiple
service providers which would help us to stay organize and to make informed decisions (ex:
consolidated view of our financial situation).

With the boom of artificial intelligence and social networks many new online services that
require a lot of personal data are reaching a wider audience:

- Digital agents (pre-sale and after-sale services)

- Virtual assistants (health coach, finance planners, travel advisors,…)
- Sharing economy marketplaces (travel housing, goods exchange, jobbing,…)
- Etc.

Many services are technically easy to build today but they cannot take off due to an overly
complex user experience (ex: a health assistant that would have to ask users what they eat
for each meal in order to give advice). Data Portability is finally a great opportunity to foster
online innovation for these services as it will allow individuals to make use of their data
through a fast and simple user experience.

Data Portability will make a multitude of new services possible and will allow service
personalization like never before. Cross domain use cases can be build (ex: food and sport
data reuse for a health service, travel and energy data reused for a carbon footprint
calculators,…) and may unleash tremendous as well as unexpected opportunities.

1.2. For services providers

Today competition makes it essential for service providers to create a fast and simple user
experience for their users. If online forms are too long, if there are too many screens or too
many clicks, users can switch to the next service in a matter of seconds.

Data Portability will greatly decrease the need for online forms. If a certain data has already
been provided for a certain service, it can be reused for other services which will result in
reducing redundancy for the user and augment data quality at the same time.

Seite / Page — 160

 g. ONECUBE

Cheap modern prospection techniques like mailing have made online marketing a burden for
Web users. Most of the time marketing emails are just missing their target as companies
sending. They based their communication on a very limited amount of data, they just lack
context (ex: gardening tools ads sent to someone living in an apartment).

Data Portability will allow businesses to gather more personal data – within user consent - in
order to better understand context and propose relevant offers at the right time, to the right
person.

Personal data stored by a specific company can prove useful for many use cases (ex: food
purchase data can be reuse within health services, carbon footprint calculators, personal
finance management services, etc.). This is why a company that would make its data easily
accessible for reutilization would be really helpful for its users.

It would also be a way to build trust on the long term with users as the company would show
that it firmly rejects lock-in effect.

Concerns and limitations

2.1. For individuals

So far Data Portability is still expert subject matter. It does not ring a bell with the general
audience as it is still an abstract concept with almost no visible practical application.

Online, people generally want to do exactly what they were doing offline before:

- Socialize
- Buy/sell goods and services
- Find a home, a job, a mate
- Play
- Etc.

The benefits they generally look for in a service are:

- Saving time
- Saving money
- Having fun
- Etc.

People will not make use of their new right for Data Portability if use cases related to it do no
help them with their daily life concerns.

Seite / Page — 161

 D. Anlagen / Annexes

The last few years have seen the accumulation of scandals, trials and media coverage that
changed public opinion for good on the privacy topic. People are asking for more privacy and
GDPR is the perfect example of the regulator’s answer to the problem.

Data Portability is distinct from other GDPR articles as it protects users by allowing them to
be freer. Unlike other articles it does not limit data circulation, on the contrary it fosters it
under the strict control of the individual itself. Data Portability means more data on the
marketplace and it could raise major privacy concerns in the general audience.

2.2. For co p ies

Companies are not supposed to make obstruction to Data Portability. So far most of them
were either indifferent to the subject matter or clearly reluctant to participate in the process or
even to let it happen.

Most of the companies are focused on their everyday activities. They want to find new clients
and keep the ones they already have satisfied. New use cases made possible via Data
Portability are too theoretical for them so far. Short term as well as long terms benefits are
hard to estimate for them, as the online world does not revolve around this principle today,
they have a hard time imagining it.

Most companies highly value their customer relationship. If Data Portability becomes
mainstream they clearly fear the “switch” and they fear disintermediation in general.
Sometimes they can understand cross domain innovation use cases benefits but if the cost is
to open the door for the switch they do not want it and will make everything they can to
ignore Art. 20, diminish it or postpone its application.

GDPR in general and Art. 20 in particular raise a major concern among companies
concerning costs. Who will pay for it? As Art. 20 risks are considered high and benefits are
considered low, some companies do not want to invest time and money in looking for
practical solutions yet. They rather wait that solutions show up on the market concerning a
topic they do not fully master or even understand.

3. Scope
3.1. Industries

All the companies and administrations that offer a B2C service are concerned, when the data
subject provides personal data on the basis of his or her consent or when processing is
necessary for the performance of a contract.

If we limit Data Portability to the switch it gets easy to think about big companies
telecommunication, banks and insurances, utilities, etc.. If we add to Data Portability task
efficiency and cross domain innovation, it opens up to every domain of the economy from
startups to worldwide firms and administrations.

Seite / Page — 162

 g. ONECUBE

From what we have experienced, the opinion of a company does not really depend on the
industry. It is more a matter of key manager’s opinion, company culture, company size,
position regarding competition. In a monopoly or quasi-monopoly the company generally
thinks Data Portability would help competitors to arise. In an oligopoly they fear the Switch.

3.2. Concerned data

The GDPR states that portability only applies to personal data concerning an individual that
he or she has “provided to” a data controller. According to the WP29, “provided by” includes
data provided knowingly and actively by the data subject as well as the personal data
generated by his or her activity. On the other hand, inferred data and derived data are
created by the data controller does not fall within the scope of the article 20. However, the
reuse of processed data which is not covered by rights of any kind could be interesting to
foster the development of innovative services. Therefore, the data processor should not be
legally forced to release processed data but should be encourage to.

4. Use cases

Food orders Drive and online shopping Automatized wish lists (switch)

Utilities bills Energy provider Energy consumption history (switch)

Telecom bills Telecom company Telecom consumption history (switch

Food orders Personal wellness coach Personalized nutritional tips

Fashion orders Personal shopper Personalized fashion tips

Receipts Administration Proof of address

Mobile luggage storage A luggage storage service at the right place, at the right
Travels
service moment
Connecting individuals who want to have something
Travels Crowd-shipping service
delivered to others who are traveling
Trips & Energy Personal environmental
Personalized green tips
use coach

Books orders Readings social network Comments sharing

Job and
education Jobbing platforms Finding personalized job offers
history
Global
Purchase Financial advisors Personalized financial tips
history
Bills Utilities/Telecom Automatized relocation administrative tasks
Global
Purchase Personal accountant Automatized accountability
history

Etc.

Seite / Page — 163

 D. Anlagen / Annexes

III. A general architecture for Data Portability

1. Architectural options for Data Portability

We identified 3 possible architectures for Data Portability:

Service providers could give data back to their users directly via a restitution button. Users
could for instance get their data back in an Excel/CSV. They could decide to reuse it by
importing it manually onto other services.

On the service provider side this solution is easy to implement but it is minimalist, we can
barely consider this solution as Data Portability.

On the user side this solution is very manual with a poor user experience. Many people who
use online services will not know how to export and import their data.

Service providers could organize direct data transfer solutions with APIs. The user could ask
a utility service provider to transfer his consumption data from one service to another in one
click.

Considering user experience this solution is better than the previous one for a simple transfer
from a service to another. Problems would arise for use cases requiring multiple data
transfers at once (ex: transferring food data coming from multiple service providers to a
health service that will analyze it); the user would then be asked to give his consent multiple
times.

On the business side this solution would be complicated and expensive from a technical
point of view. Every service provider would have to build and maintain an incredible number
of APIs. They would also have to maintain relationships with many other service providers
which has a non-negligible cost.

Service providers could allow their users to export their data into a tool dedicated to data
portability. This kind of tool already exists under different names:

- PDS (Personal Data Store)

- VRM (Vendor Relationship Management)
- PIMS (Personal Information Management System)

From their PIMS users could reuse their data in a single click onto other services.

This solution offers a great user experience on the individual side and has a very limited cost
on the companies’ side. The European Data Protection Supervisor recently gave a public
and very positive opinion about the PIMS solution.

Seite / Page — 164

 g. ONECUBE

Seite / Page — 165

 D. Anlagen / Annexes

Seite / Page — 166

 g. ONECUBE

5. PIMS specific status

In order to build trust with PIMS which would become very central, the regulator should grant
a specific status for PIMS with rights and obligations. For instance PIMS themselves would
have to be compatible from one to another and they would also have to respect neutrality,
they would be required to limit their action to Data Portability only.

6. Business models
A possible business model for the PIMS based architecture could be this:
- A service provider that reuses data from a PIMS pays a fee to the PIMS
- A service provider that helps the PIMS to collect information gets paid by the PIMS
- An external actor that helps to build Public reference databases get paid by the PIMS

Seite / Page — 167

 D. Anlagen / Annexes

IV. Standards and formats

1. User centric approach

Complex formats would be detrimental to the user experience and slow down adoption.
Individuals should always be central when designing new formats.

New data Portability use cases would frame the format debate.

2. Not reinventing the wheel

Industry specific formats often already exist (ex: Schema.org for E-commerce) and should be
preferred. A step by step approach would allow to build a sound representation of all the data
that concern individuals.

3. Debating with PIMS

In order to simplify standards and formats debates, PIMS should be at the center of it as they
would be use cases driven and have a cross industry view. In our opinion it is PIMS role to
organize this debate, with industries and regulators.

Seite / Page — 168

Seite / Page — 169
 D. Anlagen / Annexes

The Right to data portability between legal possibilities and technical boundaries
Armin Gerl, Dirk Pohl*
Keywords: Privacy, Data Portability, Portability Format, Ontology-Matching, Data- and In-
formation Law

I. Introduction
The General Data Protection Regulation is designed to be ‘technology-neutral’. This concept
was intended to allow for a high degree of flexibility in order to address the so-called ‘law lag’
problem1: The Law is often unable to keep up with the rapid technological change. In fact,
many social media services started offering (albeit limited 2) data portability interfaces as
early as 20083, when the discussion about a new Data Protection Right within the European
Union was still at its’ infancy.
However, wide and flexible provisions like Art. 20 GDPR introducing the Right to Data Port-
ability may on the other hand create a high degree of legal ambiguity.
Without further guidelines, this may well be a risk for a useful practical implementation and
the Right to Data Portability might fail to achieve the ambitious and manifold aims of granting
benefits to the ‘Data Subject’ (Art. 4 No. 1 GDPR) by allowing a free choice of services due
to convenient and easy moving of data4 , as well as enabling him or her to be in control of
their information (‘informational self-determination’5) and to boost consumer protection 6 while
also creating advantages for the (especially non-market dominant) Controller7 (Art. 4 No. 7
GDPR) and increasing economic interests to support the portability of user data.

*Armin Gerl is Research Assistant and Ph.D. student at the Dept. of Distributed and Multimedia
Information Systems and at the Dept. of Civil Law, German and European Legal History, University
of Passau; Dirk Pohl is Research Assistant and Ph.D. student at the Dept. of Public Law,
Information- and Media Law, University of Passau.
1For a detailed account on the problem see Stephan Hobe, “Technological Development as a
Challenge for the Development of Air and Space Law”, in A New International Legal Order, ed.
Chia-Jui Cheng (Leiden: Brill, 2016), 295 ff.
2Inge Graef, “Mandating portability and interoperability in online social networks”, Telecommunications
Policy 39 (2015): 506.
3See Bill Greenwood, “My Space, Facebook, Google integrate data portability”, Information Today 6
(2008): 27; a comprehensive account of the origins of the right to data portability can be found in
Barbara Van der Auwermeulen, “How to attribute the right to data portability in Europe: A
comparative analysis of legislation”, Computer Law & Security Review 33 (2017): 58 f.
4Peter Swire/Yianni Lagos, „Why the right to data portability likely reduces consumer wellfare“,
Maryland Law Review 335 (2013): 344 f.
5See Stefan Weiss, “Privacy threat model for data portability in social network applications”,
International Journal of Information Management 29 (2009): 249; Eva Fialová, ”data portability and
informational self-determination”, Masaryk Journal of Law and Technology 8:1(2014): 46; European
Commission Staff Working Paper, SEC(2012) 72 final (2012): 43.
6
Barbara Van der Auwermeulen, “How to attribute the right to data portability in Europe: A comparative
analysis of legislation”, Computer Law & Security Review 33 (2017): 59.
7Barbara Van der Auwermeulen, “How to attribute the right to data portability in Europe: A comparative
analysis of legislation”, Computer Law & Security Review 33 (2017): 60.

!1
Seite / Page — 204
 k. Universität Passau

Furthermore, as long as a Controller is not able to foresee his legal responsibilities under
Art. 20 GDPR with a reasonable certainty, it seems doubtful whether the administrative fees
for infringements as contained in Art. 83(5) lit b) GDPR (‘up to 20.000.000 or 4 % of the
total worldwide annual turnover of the preceding financial year, whichever is higher’) can be
enforced.8
This article shall first describe the current legal claims to data portability as laid down in
Art. 20 GDPR, as well as the legal limitations (II.1). Then scenarios to enable data portability
from a technical perspective are developed in accordance with the legal requirements (II.2).
The requirements for a portability format are then to be assessed in detail from a technical as
well as legal perspective (III.), followed by an assessment of the specific requirements of the
Negotiation Process, when data are being transferred from one Controller to another (IV.).
Subsequently some additional requirements not directly related to data portability itself, but
nevertheless important during a data transfer, shall be discussed (V.). The possible effects of
the Right to Data Portability as one of the few true innovations within the GDPR9 are then to
be critically evaluated (VI.).

II. t ort i it c n rio

Prior to a detailed assessment of the possibilities and problems regarding data portability, the
two scenarios as stipulated by Art. 20(1) GDPR and Art. 20(2) GDPR are to be described and
critically discussed (II.1). Subsequently, technical scenarios are to be developed in accord-
ance (II.2).
. c i
Art 20 GDPR grants two different Rights to Data Portability to the Data Subject. The right
contained in Art. 20(1) GDPR shall be referred to as a ‘Right to obtain a copy of the data’,
while Art. 20(2) contains a different and distinguishable ‘Right to data transfer’.10
The basic conditions for the exercise of both rights are identical. As does the GDPR, the
Right to Data Portability only applies to ‘personal data’ as defined in Art. 4 No. 1 GDPR, and
specifically those processed by automated means (see Art. 2(1) GDPR). More restrictively it
only applies to those data provided by the Data Subject to the Controller. Additionally, only
such data are to be included that were processed based on the consent of the Data Subject
or where the basis for processing has been a contract (Art. 6(1) lit. b GDPR).
A substantial limitation is placed on both claims within the Right to Data Portability by
Art. 20(4) GDPR. The exercise of the right to data portability may not adversely affect the
rights and freedoms of others. The complex problems that may arise from this provision can-

8See Dirk Pohl, „Durchsetzungsdefizite der DSGVO? Der schmale Grat zwischen Flexibilität und
Unbestimmtheit“, PinG 3 (2017): 85.
9
See amongst others Tim Jülicher/ Charlotte Röttgen/Max v. Schönfeld, „Das Recht auf
Datenübertragbarkeit“, ZD 8 (2016): 358.
10Terminology found in Eva Fialová, ”data portability and informational self-determination”, Masaryk
Journal of Law and Technology 8:1 (2014): 45.

!2
Seite / Page — 205
 D. Anlagen / Annexes

not be discussed here. Especially in a social media context this could lead to great amounts
of data being excluded from the Right to Data Portability.
. . i t to o t in co o t d t
Undoubtedly Art. 20(1) GDPR establishes a right of the Data Subject to receive his data from
the Controller. On its own and strictly speaking this cannot be considered a true Right to Data
Portability. It bears more similarities to the Right to Access as granted by Art. 15 GDPR. The
Data Subject merely receives a copy of certain data (see in detail III.2) from one Controller
and is then required to negotiate the import of this data with the target Controller by him or
herself. (see II.2.1).
. . i t to d t tr n r
True portability of data is only granted under Art. 20(2) GDPR. The Data Subject can demand
that data are being transferred from one Controller directly to another. The Data Subject itself
only initiates the transfer, but is otherwise not involved. However, this right is considerably
limited by the fact that there is no corresponding obligation of the target Controller to receive
such transfer of data by another controller (II.1.2.1) and further by the limitation to cases,
where such transfer is ‘technically feasible’.
. . . oo i tion to i ort d t
On a literal interpretation Art. 20(2) GDPR does not seem to place any obligation on the tar-
get Controller to provide any feasible measure of acceptance for such data that have been
transferred. The target Controller is not even mentioned. The requirement to allow a transfer
‘without hindrance’ within Art. 20(1) GDPR is only aimed at the first Controller as well.
While the spirit and purpose (French raison d’être) of this provision may point into a different
direction in order to guarantee its’ effectiveness, Recital 68 to the GDPR clarifies the inten-
tions of the legislator. It states that the Right to Data Portability shall not create any obligation
for a Controller to adopt or maintain compatible processing systems.
. . .I c i to i ort tion o d t d ir
At first sight the missing obligation for the target Controller to import the data seems to be an
odd outcome. It warrants a discussion of the necessity to introduce such obligation in future
legislation.
A starting point for the debate may be the two (often competing) goals of the GDPR as stipu-
lated in Art. 16(2) TFEU. It mandates the European Union to lay down rules relating to the
protection of personal data, as well as rules relating to the free movement of personal data.
The GDPR has to strike a balance between these goals.
Considering the perspective of the Data Subject, it seems reasonable to state that a broader
right to Data Portability generally strengthens his or her position. As postulated by Recital 68
to the GDPR, it allows the Data Subject to ‘further strengthen the control over his or her
data’.
Contrary to many other discussions regarding the GDPR, the second aim of promoting the
free movement of data does not seem to warrant another outcome. A broad and robust right

Seite / !3
Page — 206
 k. Universität Passau

to Data Portability may also increase the free movement of personal data. With both aims of
the GDPR seem pointing in another direction, the assertion of a very limited right to Data
Portability is even more surprising.
However, even though the Right to Data Portability was included in the GDPR and thus
formally is part of the data protection laws of the Union, the legal nature of the right is broad-
er than its’ formal localisation may suggest. Art. 20 GDPR may well be – and often is – seen
as an element of competition law within the GDPR. So from a systematic point of view, the
‘data protection perspective’ must not be the sole basis of interpretation.
An obligation to accept data transferred by another controller in any format that fulfils the
general criteria of Art. 20 GDPR (see III.1) may be beneficial for the data subjects’ informa-
tional self-determination and the free movement of data, but can cause several problems
within the market.11 It has to be taken into account that Art. 20 GDPR applies to ‘a garage
start-up software company just as it does to a monopolist’.12 On the one hand, a Right to
Data Portability can strengthen the position of small companies, since it enables them to
share in the large volumes of data gathered by the well-established companies in the market
and thereby avoid market entrance barriers.13 On the other hand, especially the business
model of smaller companies or start-up companies may be endangered if the Right to Data
Protection were to be understood as establishing an obligation to import formats from anoth-
er controller. They would be forced to provide feasible means of acceptance for the poten-
tially very different but common formats of their larger competitors.
Once the market effects are taken into account, it seems arguable that Art. 20 GDPR strikes
a reasonable balance between the various interests. Thus, an obligation for the target Con-
troller to import the data does not seem desirable. However, it must be noted that such a
careful approach also minimises the regulatory effects of the Right to Data Portability.
The effective implementation of the right could be improved by legal regulations for accom-
panying measures (see also V.). Instead of requiring the import itself, it seems more reason-
able to require Controllers to publish information about formats they are willing to accept for
import, so a competitor – if willing – may transfer the data in a suitable format causing no ad-
ditional efforts for the target Controller.14

11For an analysis see Barbara Engels, “Data portability among online platforms”, Internet Policy
Review 5:2 (2016): 13.
12Barbara Engels, “Data portability among online platforms”, Internet Policy Review 5:2 (2016): 4;
Peter Swire/Yianni Lagos, „Why the right to data portability likely reduces consumer wellfare“,
Maryland Law Review 335 (2013): 339.
13
Barbara Van der Auwermeulen, “How to attribute the right to data portability in Europe: A
comparative analysis of legislation”, Computer Law & Security Review 33 (2017): 57; Lucio
Scudiero, “Bringing Your Data Everywhere: A Legal Reading Of The Right To Data Portability”,
EDPL 1 (2017): 119.
14For extensive description of other methods to ensure interoperability see Sih Yuliana
Wahyuningtyas, “Interoperability for data portability between social networking sites (SNS)”, Queen
Mary Journal of Intellectual Property 5:1 (2015): 46 ff.

!4
Seite / Page — 207
 D. Anlagen / Annexes

. . . r n r u t t c nic i
The Controllers is required to transfer data to another Controller under Art. 20(2) GDPR as
far as such transfer is ‘technically feasible’. While this is said to be a limitation to the Right to
Data Portability in a legal sense, the effect of this ‘limitation’ has to be assed from the view of
the (possibly wide) technical possibilities. It seems unlikely that the transfer itself as required
by Art. 20(2) GDPR causes any significant problems. However, in cases of obvious incom-
patibility between formats it may be possible for a Controller to invoke this exception instead
initiating a transfer with no chance for an effective outcome.
In any case the Data Subject may still receive a copy of the data as described in
Art. 20(1) GDPR.
. c nic c n rio
In general the legal requirements as described above allow for the interpretation of two tech-
nical scenarios.
On the one hand it is stated that a Data Subject has the right to receive its personal data
from a Controller and may transfer this personal data to a target Controller thereafter (Art.
20(1) GDPR, see II.1.1). We denote this scenario as Data Subject Negotiation.
On the other hand it is stated that the Data Subject has the right to enforce a transfer
between Controllers as far as this is technically feasible (Art. 20(2) GDPR, see II.1.2). We
denote this scenario as Controller Negotiation.
Both the Data Subject Negotiation and Controller Negotiation will be described and dis-
cussed in the following.
. . t u ct oti tion
In this scenario we assume the following general procedure for data portability when the
Data Subject shall be enabled to receive and transfer personal data:
Data Subject DS1 wants to port personal data from Controller C1 to Controller C2.
DS1 requests data-portability task from C1 for all its personal data P1 in Format F1.
Controller C1 transfers P1 in F1 to DS1. C2 has Format F2. DS1 requests C2 to port
P1 and therefore transfers P1 in F1. C2 negotiates with DS1, if necessary, to convert
F1 to F2 to store P1.
This scenario has the advantage for the Data Subject that the data may be stored on any
device of him or her and therefore usage of the data by the Data Subject is possible. This
usage may include the transfer of the data to a target Controller as well as all basic opera-
tions (create, read, update, delete). With the possibility to store data on any device of the
Data Subject, the responsibility of protecting the data from malicious actions also lies with the
Data Subject. The Data Subject has to initiate the request for the data portability as well as
the transfer to the target Controller or several target Controllers.
A Controller has to fulfil two roles in this scenario. A Controller has to be able to accept data
portability requests and transfer data to the Data Subject. Additionally a Controller has to be
able to process data received from a Data Subject. Hereby further interaction with the Data

!5
Seite / Page — 208
 k. Universität Passau

Seite / Page — 209

 D. Anlagen / Annexes

Seite / Page — 210

 k. Universität Passau

The apparently only other legal document of the Union containing a definition of the term is
the Computer Programs Directive.18 The definition in general seems to be of limited use for
the problems discussed here as it targets problems of interoperability of hard- and software
in general, not format. The last part of the definition may have some merit: ‘interoperability
can be defined as the ability to exchange information and mutually to use the information
which has been exchanged’. This can also be identified as the main aim of Art. 20 GDPR, but
Art. 20 GDPR specifies additional qualities of an ‘interoperable’ format: it has to be struc-
tured, commonly used, and machine-readable.
The term ‘structured’ can be understood as referring to the arrangement of the information. In
contrast to the draft by the European Commission, the perspective to be taken seems to one
of the Controller. The formulation within the draft version ‘to be further processed by the Data
Subject’ was replaced early in the negotiation process.
The additional criteria of machine-readability can only be a useful limitation if it is interpreted
in a way, that machine-readability must not only be possible (e.g. OCR-readability), but the
format shall be specifically designed to be machine-readable, possibly even requiring elec-
tronic form19.
As opposed to the two criteria above, the term ‘commonly used’ is not a technical require-
ment. Whether a format is ‘commonly used’ is determined by market conditions. Thus it
seems possible to have more than one commonly used format at a time. Considering the fast
development of IT technology, the (temporary) existence of new markets without any com-
monly used format seems likely.20 While some argue that proprietary formats can never fulfil
this requirement21, the wording of the norm itself does not seem to be that restrictive as long
as a proprietary format is commonly used. The access to proprietary formats should be re-
garded a separate issue, which has already been approached by competition law.22
Art. 20 GDPR sets out minimal requirements to facilitate the interoperability of data
formats.23 However, this neither ensures compatibility, nor does it guarantee an outcome with
regards to the interoperability of the systems. Again, this may be a consideration taking the
competition law perspective into account. In comparison to other approaches, the one taken
by the European Union seems to lack ambition. The Art. 45 of the ECOWAS Data Protection

18Directive 2009/24/EC, Recital 10.

19v. Lewinski, “Art. 20 DSGVO”, in BeckOK-DS, ed. Heinrich A. Wolff/Stefan Brink, Rn. 74 ff.
20 v. Lewinski, “Art. 20 DSGVO”, in BeckOK-DS, ed. Heinrich A. Wolff/Stefan Brink, Rn. 78 ff.
21Art. 29-Group, Guidelines to the right to data portability (Working Paper 242) 13.12.2016, 13.
22
EuG, 17.9.2007 – T-201/04, Slg. 2007, II-3601 – Microsoft/Kommission
23Lucio Scudiero, “Bringing Your Data Everywhere: A Legal Reading Of The Right To Data Portability”,
EDPL 1 (2017): 120.

Seite / !8
Page — 211
 D. Anlagen / Annexes

Act for example is said to essentially guarantee the interoperability of technical devices by
ensuring that any standard device or system can interpret processed personal data. 24
. . c nic
Both the Data Subject and the Controller Negotiation scenario are based on legal require-
ments set by Article 20 GDPR. For the Data Subject Negotiation the Data Format in which
the personal data are transmitted to the Data Subject can be either generalized for data port-
ability or for uniform Data Subject Negotiation scenario enabling the Negotiation between
Data Subject and Controller.
For the Controller Negotiation the Format can either be domain-specific as negotiated
between the Controllers or it can be a generalized machine-readable Format.
Because both scenarios have to be considered, the properties (like shown in IV.) should be
considered for a common Portability Format if no common set of personal data attributes can
be defined. Otherwise if such a set of personal data attributes is defined, then a more specif-
ic Data Format could be defined. However, this is rather unlikely because a variety of attrib-
utes can identify a person uniquely.
Furthermore several combinations of personal attributes may lead to the identification of a
Data Subject. Globally collecting all possible personal data attributes and forming a Data
Format by them therefore seems not feasible, especially because it is debatable what be-
longs to the set of personal data attributes (see III.2.2).
. t nt o d t to ro id d
Not all data linked to the account of a Data Subject at a certain Controller are to be trans-
ferred. This legal limits set by Art.20 GDPR again have to be implemented on a technical
level.
. . r uir nt
The extent of data to be provided to the data subject is limited by two criteria. As a part of the
GDPR the right to data portability is limited to personal data concerning a data subject, which
has to be interpreted as including only those personal data defined in Art. 4 Nr. 1 GDPR (‘any
information relating to an identified or identifiable natural person’).
The second criterion leading to more significant limitation is that only such data may be re-
ceived by the data subject which he or she has provided to the Controller. Clearly the Data
Subject has to receive data entered into a registration form or pictures uploaded by the per-
son. The concerns raised about further data especially outside social media applications25
may only be mentioned here.

24
See Uchena Jerome Orji, “A Comparative Review of the ECOWAS Data Protection Act“; CRi 4
(2016): 116; However, there are few specifics on the effect of this requirement in practise.
25For the debate within the banking see for example the statement of ‘The German Banking Industry
Committee’ , accessed August 29, 2017, https://bankenverband.de/media/files/
150903_DK_Stellungnahme_DSGVO.pdf.

!9
Seite / Page — 212
 k. Universität Passau

The addition of the second criterion leads to certain legal peculiarities. A great example are
pictures of the Data Subject uploaded by a third party26 : While clearly meeting the require-
ment of ‘personal data concerning the Data Subject’, they would not fall under the right to
data portability as introduced by Art. 20 GDPR because they have not been provided to the
Controller by the Data Subject itself. Additionally, this criterion is not a requirement for claim-
ing the right to access (Art. 15 GDPR) which may lead to some unclarity27 (see V.2.2).
While this seems to be an odd outcome from a data protection perspective, it is another
symptom of the broader legal nature of the right: Even though the Right to Data Portability is
contained within the GDPR and thus formally part of the data protection laws of the Union,
the legal nature of right is broader than its’ formal localisation may suggest (see II.1.2.2).
. . c nic di tinction
From a technical perspective for each Controller it has to be encoded which attributes are
classified as personal data, have been provided by the Data Subject and which are related to
other Data Subjects.
Attributes from a privacy-preserving point of view are classified in four groups. Explicit identi-
fiers can identify a Data Subject on their own. Quasi identifiers can identify a Data Subject if
a set of them is used. Sensitive attributes contain valuable information about the Data Sub-
ject but cannot identify him or her. Non-Sensitive attributes do not contain any valuable in-
formation.28
Personal Data as defined in Art. 4 No. 1 GDPR can directly or indirectly identify a Data Sub-
ject and therefore the classifications of explicit identifiers and quasi identifiers are contained
within this legal definition. But it was shown that also sensitive attributes can be used to
identify a Data Subject29 and they should therefore be covered by the GDPR or more spe-
cifically the Right to Data Portability. Additional concerns may be raised by services making
use of combined data and the value derived from them.30 The more data become available,
the more likely such side effects occur and the combination of attributes can enable the iden-
tification of the Data Subject.

26See Inge Graef, “Mandating portability and interoperability in online social networks”,
Telecommunications Policy 39 (2015): 507.
27Lucio Scudiero, “Bringing Your Data Everywhere: A Legal Reading Of The Right To Data Portability”,
EDPL 1 (2017): 122.
28
Latanya Sweeney, „k-anonymity: A model for protecting privacy“, International Journal of Uncertainty,
Fuzziness and Knowledge-Based Systems,10:5 (2002): 557.
29Ashwin Machanavajjhala/Daniel Kifer/Johannes Gehrke/Muthuramakrishnan Venkitasubramaniam,
„Diversity: Privacy Beyond k-Anonymity“, ACM Trans.Knowl. Discov. Data, (2007): 1, accessed August
29, 2017 doi:10.1145/1217299.1217302.
30Stefan Weiss, „privacy threat model for data portability in social network applications“, International
Journal of Information Management 29 (2009). 251.

!10
Seite / Page — 213
 D. Anlagen / Annexes

Therefore only non-sensitive attributes will not be covered by the Right to Data Portability.
Such data might be sensor data which is not related to any Data Subject, e.g. process mon-
itoring in Industry 4.031.
Any Data Subject related attribute like comments in a forum, tweets in Twitter or smart health
data might be exploited to identify a Data Subject. This type of information is also most likely
to cause problems with regard to the distinction between attributes only relating to the Data
Subject and such Data also relating to other natural persons, which are excluded from the
scope of the Right to Data Portability. For example a Tweet created by a Data Subject is ba-
sically text with some additional meta-information like the creation date. The task for the Con-
troller is now to distinguish if this Tweet is classified as personal data or not based on this
text. Classifying the Tweet as personal data based on the text is a serious problem.

I . oti tion roc

During the Negotiation of both scenarios described above (II.2) it is possible that one or more
of the following processes have to be applied when a source scheme F_source, with the at-
tributes A_source1 … A_sourceN, has to be matched against the target scheme F_target,
with the attributes A_target1 … A_targetM. Hereby the number of attributes can differ (N !=
M). For each attribute we consider an identifier, e.g. ‘name’ and the format of the attribute,
e.g. ‘text’ or ‘number’. Additionally we assume that the format of the can be more specialized
by adding constraints, e.g. ‘text(300)’ defining that the text has maximal 300 characters.
• Attribute Exact Match: Assuming an attribute A_source1 of F_source1 and an
attribute A_target1 of F_target1 with the same identifier ‘surname’ and attribute
‘text’. Then the value of A_source1 can be migrated without alteration. Therefore a
Data Format enabling data portability has to have the ability to model an identifier
and attribute format for each value.
• Attribute Semantic Match: Assuming an attribute A_source1 of F_source1 with
the identifier ‘surname’ and an attribute A_target1 of F_target1 with the identifier
‘name’. The format is ‘text’ in both cases. This resembles a semantic variety
between the source and the target scheme. Therefore a Data Format enabling
data portability has to support different notations for the same value to support
semantic matching. For example a list of identifiers for a value could be allowed.
The list could be extended by the Controller every time a identifier is unknown or
a central data portability repository is introduced that can be used to lookup un-
known identifiers for Controllers which also submit their own identifiers. This
would lead to new questions like who is responsible for maintaining and adminis-
trating such a central data portability repository.
• Attribute Value Segregation: Assuming an attribute A_source1 of F_source1
with the identifier ‘address’, an attribute A_target1 with the identifier ‘street’ and an

31BMBF, „Industrie 4.0, Innovationen für die Produktion von morgen“, accessed August 29, 2017,
https://www.bmbf.de/pub/Industrie_4.0.pdf.

Seite / !11 — 214

Page
 k. Universität Passau

attribute A_target2 with the identifier ‘streetNumber’ of F_target1. The format is

‘text’ in both cases. We assume that for F_source1 the address will be separated
as ‘STREET STREET_NUMBER’ within the actual value. Therefore a Data
Format enabling data portability has to support the segregation of values. This
could be done by a fine-grained description of the format of the attribute including
additional sub-identifier and sub-formats for the source Format F_source1.
• Attribute Value Junction: Assuming an attribute A_source1 with the identifier
‘street’ and an attribute A_source2 with the identifier ‘streetNumber’ of F_source1
and an attribute A_target1 with the identifier ‘address’ of F_target1. The format is
‘text’ in both cases. We assume that for F_target1 the address will be separated
as ‘STREET STREET_NUMBER’ within the actual value. Therefore a Data
Format enabling data portability has not only to support segregation but also the
junction of values. This could be done by the same method described above for
the target Format F_target1.
• Attribute Processing: Assuming an attribute A_source1 with the identifier ‘birth-
date’ and the format ‘date’ of F_source1 and an attribute A_target1 with the identi-
fier ‘age’ and the format ‘number’ of F_target1. Based on the birth-date and the
current date it is possible to compute the age. With this setup not only the identifi-
er differs but also the format. Therefore a Data Format enabling data portability
has to support processing of one or more attributes to compute a value for a tar-
get attribute. First of all the semantic relation between identifiers has to be estab-
lished. Based on this processing rules have to be defined that can be executed on
the target Controller. This is also necessary when the format of two attributes with
the same identifier differ. For example assuming an attribute A_source1 with the
identifier ‘birth-date’ and the format ‘date’ of F_source1 and an attribute A_target1
with the identifier ‘birth-date’ and the format ‘text’ of F_target1. Within this scenario
the format ‘date’ has to be processed to ‘text’.
• Attribute Miss: Assuming an attribute A_source1 with the identifier ‘birth-date’
and the format ‘date’ of F_source1 and a set of attributes A_target1 … A_targetM
of F_target1 with no matching identifier to A_source1. In this scenario the target
Format misses an attribute in the source Format. It is also possible that the
source Format misses an attribute of the target Format. In both cases an appro-
priate handling for the missing attribute has to be applied.
• Manual Attribute Matching: For the Data Subject Negotiation scenario we as-
sume that the Data Subject can assist the Negotiation process with a user inter-
face. In such a user interface the user could assign source attributes to target at-
tributes to verify or correct attribute assignments by previous processes. To allow
the user to understand both the source and target Data Format it is necessary to
add human readable labels to each attribute.

Seite / !1 2 — 215
Page
 D. Anlagen / Annexes

Seite / Page — 216

 k. Universität Passau

another Controller could be threatened by a Man-in-the-Middle attack which can lead to the
leak of the personal data to the attacker. A risk casually mentioned in the data portability con-
text34 is the additional risk of multi-platform identity theft once the offender gained access to
one service supporting data portability functionalities. Therefore an end-to-end encrypted
transfer35 should be applied. But encrypting the connection may not be sufficient on its own
to prevent such attacks, as long as the communication partners are not authenticated36 .
Additionally only the Data Subject related to the personal data should be able to initiate data
portability and therefore has to be authorized. This requires the appliance of suitable access
control measures for the data portability process.
Further security measures have to be applied to prevent additional possible attacks, e.g. like
those described in the OWASP Top Ten37. It has to be considered that new attack schemes
might arise based on data portability functionalities since any additional interface may cause
additional risks.
. u nr d i it
Providing of a human-readable version of the personal data to be transferred upon a request
of Data Portability also seems a topic worthy of discussion. It would be highly beneficial to
strengthen the informational self-determination of the individual. The Article 29 Data Protec-
tion Working Party thus recommends that the Data Subject shall have the possibility to
choose between several types of data he may or may not want to receive. This requires a
human-readable representation. Additionally, the informational requirements of the GDPR
(see II.2.2) could be fulfilled within the necessary user interface.
. . c nic r uir nt
Based on the Data Subject Negotiation scenario (see II.2.1) it is possible that the Data Sub-
ject is participating in the Negotiation process, therefore a user interface is required. Even
within the Controller Negotiation scenario (see II.2.2) a transfer is initiated only on request by
the Data Subject which requires at least a minimalistic version of a user interface. This user
interface should be capable to support the user in assigning attributes from the source Data
Format described by the Portability Format to the target Data Format. Hereby the Data Sub-
ject may aid the negotiation process by manually matching attributes which could not be as-
signed or add additional required information. This can either be done by integrating human-
readable descriptions in the Portability Format on the attribute level or the Source Controller

34See Peter Swire/Yianni Lagos, „Why the right to data portability likely reduces consumer wellfare“,
Maryland Law Review 335 (2013), 339.
35BSI, „IT-Grundschutz, M4.101 Sicherheitsgateways und Verschlüsselung“, accessed August 29,
2017, https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/
m/m04/m04101.html.
36
BSI, “IT-Grundschutz, G 5.143 Man-in-the-Middle-Angriff”, accessed August 29, 2017, https://
www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/g/g05/
g05143.html.
37OWASP Top Ten Project, accessed August 29, 2017, https://www.owasp.org/index.php/
Category:OWASP_Top_Ten_Project.

!14
Seite / Page — 217
 D. Anlagen / Annexes

has to provide an interface managing requests from target Controllers. The later method
would cause several additional problems considering that several versions may have been to
be supported in the long term, which would just be included in the specific Portability Format
file describing the personal data of a Data Subject at a specific point in time.
Introducing human-readable descriptions in the Portability Format would furthermore allow
for a generic Portability Format Viewer enabling the Data Subject to inspect his or her per-
sonal data. This is possible if the Portability Format is designed as a standardised format.
. . i t to r c i d t in u nr d or
A legal basis to receive data in a human-readable form can be found in Art. 15 GDPR (‘Right
of access by the data subject’). Art. 15(3) GDPR also allows the controller to provide the data
as described in Art. 15 GDPR in a ‘commonly used electronic form’, unless the Data Subject
requests otherwise. Recital 63 even encourages the Controller to provide direct access to the
data where possible.
While it must be noted that the rights in Art. 15 and 20 GDPR fulfil different purposes and
there is no legal requirement within Art. 20 GDPR to present a human-readable form during
the transfer process, a technical system as shown above (V.2.1) can easily be designed to
ensure compliance with both norms.
Careful consideration must be paid to the fact that the right of access in Art. 15(1) GDPR re-
quires the Controller to allow access to all the personal data concerning the Data Subject
that are being processed, while Art. 20(1) GDPR only grants a right to data portability when
in addition the data where provided to the Controller by the Data Subject.
A unification of the two requirements as proposed by the European Parliament in an earlier
draft 38 should be reconsidered, as the right to Data Portability may be seen as a mere spe-
cification of the right to data access.39
. o in ci ic d t
There are no clear legal rules as to which services are addressed by the Data Portability re-
quirements. It is clear that the obligation was aiming at social media services, but in there is
no such limitation within the GDPR.
Additional Problems may arise when two services – while operating within the same general
branch – are in detail offering very different functions. While this could be considered a tech-
nical boundary ( II.1.2.3.), it seems more appropriate to treat the incompatibility of two busi-
ness models as a separate problem. Irrespective of the classification, this will place signific-
ant limits on the Right to Data Portability in practise.
Data portability of domain-specific personal data may be possible for well-defined Data
Formats but will not always be possible even within the same branch. For example, it seems
unlikely to transfer personal data from Facebook to a Twitter account. Although basic regis-

38
COM(2012)0011 – C7-0025/2012 – 2012/0011 (COD), p. 92 f.
39W. Gregory Voss, „One year an loads of data later, Where are we? An update on the proposed
European Union General Data Protection Regulation“, Journal of Internet Law 10:10 (2013): 21.

Seite / !1 5 — 218
Page
 k. Universität Passau

tration forms may be transferable, other content is simply not meant to be displayed within
the other system; e.g. Twitter allows a maximum length of 140 characters for a Tweet40 but
Facebook allows longer posts for a profiles’ feed41.
As a counter-example one may assume two Controllers C1 and C2 providing an e-mail ser-
vice. If a Data Subject wants to transfer his or her e-mails (as part of personal data) from C1
to C2 then this might be feasible, because the format for e-mails is standardised42 and the
services offered are alike. However, the transfer of data between competing services on the
other hand raises the most sensitive competition law issues.43

I. onc u ion
The right to data portability as contained in Art. 20 GDPR is of limited scope and only sets
broad boundaries 44. While there are some plausible reasons, especially from a market per-
spective, that data portability should not be an ‘all-or-nothing’ feature’45 to avoid (possibly un-
intentional) damages to competition, it does not seem too far-fetched to state that the future
development of data portability will mainly be driven be technological development, as well
as the willingness of the market players, which in turn is largely based on the question
whether Data Portability provides economic benefits. This may be underpinned by the fact
the establishment of data portability technologies by global players predate the earliest drafts
of the GDPR. The law as of now will be of limited influence.
For the technical realization of the right to data portability it is necessary to find a common
and formally described Portability Format with properties enabling and supporting the Nego-
tiation process for both the Data Subject Negotiation and Controller Negotiation scenario. To
strengthen the information self-determination it is desirable to introduce human-readability as
a requirement for the Portability Format to both inform the Data Subject and assist the Nego-
tiation process by allowing manual intervention. Such a Portability Format has to be re-
searched and the interfaces for the Controller enabling the right to data portability have to be
defined in the future to avoid proprietary solutions. Such a Portability Format shall include
sufficient metadata to enable the Negotiation process. It would clearly be beneficial if associ-
ations and other bodies representing Controllers would make use of the possibilities to pre-
pare code of conducts (Art. 40 GDPR) in order to ease to exercise of the Right to Data Port-

40 Twitter Developer Documentation, accessed August 29, 2017, https://dev.twitter.com/basics/

counting-characters.
41Facebook Graph API Documentation, accessed August 29, 2017, https://developers.facebook.com/
docs/graph-api/reference/post.
42W3C, RFC822: Standard for ARPA Internet Text Messages, accessed August 29, 2017, https://
www.w3.org/Protocols/rfc822/.
43 Barbara Engels, “Data portability among online platforms”, Internet Policy Review 5:2 (2016): 5.
44
Some even refer to a rather symbolic motivation, v. Lewinski, “Art. 20 DSGVO”, in BeckOK-DS, ed.
Heinrich A. Wolff/Stefan Brink, Rn. 1.1.
45 Barbara Engels, “Data portability among online platforms”, Internet Policy Review 5:2 (2016): 5.

Seite / !1 6 — 219
Page
 D. Anlagen / Annexes

ability by the Data subject. However, it is doubtful whether the economic advantages are
strong enough to warrant such market behaviour.
The legal requirements as set by Art .20 GDPR thus can only be a starting point to target the
most extensive limits to portability.46 A true and valuable Right to Data Portability should not
only be more consistent with other rights within the GDPR (e.g. Art. 15) but must also con-
sider a broader perspective. Not only the competition law perspective on market access and
interoperability have to be considered. The different requirements of Art. 15 GDPR also show
the imminent need for a consistent Data- and Informational Law within the Union, establish-
ing a legal quality of ‘Data’ and clarifying ‘ownership’ of data especially when related to mul-
tiple Data Subjects. Careful consideration also should be paid to the fact, that non-personal
data may also have economic value47. This again calls for a broader perspective on data
portability including both personal and non-personal data provided by a Data Subject.
As long as a true, unified Data- and Informational Law of the Union is still at its’ infancy, the
Data Protection law should focus on the guarantee of ‘flanking policy frameworks’ 48 regard-
ing security, authentication, access control, human readability as discussed in V., as well as
the development of criteria to distinguish services that are so similar that data transfer is a
general option from purely domain specific data that are not compatible with services from
other domains.

46 eg contractual restrictions to offer additional portability tools, see http://europa.eu/rapid/press-

release_SPEECH-12-372_en.htm, accessed August 29, 2017.
47
Recital 13 in Com 2015 (634); „Digital content is often supplied not in exchange for a price but
against counter-performance other than money i.e. by giving access to personal data or other
data”.
48 Barbara Engels, “Data portability among online platforms”, Internet Policy Review 5:2 (2016): 14.

!17
Seite / Page — 220
 k. Universität Passau

Seite / Page — 221

Stiftung Datenschutz
rechtsfähige Stiftung bürgerlichen Rechts
Karl-Rothe-Straße 10–14
04105 Leipzig
Deutschland

Telefon 0341 / 5861 555-0

mail@stiftungdatenschutz.org
www.stiftungdatenschutz.org

9 783000 583360
ISBN 978-3-00-058336-0
Seite — 264