May 122017

WP29 Adopts Final GDPR Guidelines on Data Portability

William RM Long and Thomas Fearon
, , , ,

The EU’s Article 29 Working Party (“WP29”) adopted, on 5 April 2017, final guidelines on the new right of data portability under the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) which applies from 25 May 2018.

The European Commission has expressed concerns about WP29’s broad interpretation of article 20 of the GDPR on data portability.

Article 20 gives data subjects the right to have personal data which they have “provided to” a data controller and which is in a machine readable and commonly used format, transferred to another data controller where the processing is based on (i) consent, or (ii) the performance of a contract with the individual.

WP29 considers that the right of data portability not only covers data “provided knowingly and actively” by the data subject, but also covers data generated by his/her activity. This is a critical point for the wearables industry, and includes “observed data provided by the data subject by virtue of the use of the service or the device.” Examples include: search history, traffic data, location data, and “raw data such as the heartbeat tracked by a wearable device.” The WP29 guidelines exclude from the scope of article 20 inferred data such as the health profile drawn up by a controller on the basis of the collected heartbeat.

The European Commission has written to WP29 to complain that the latter’s approach goes beyond what was decided by European legislators. Although WP29’s interpretation benefits data subjects by giving them the right to request more information from, for example, social network platforms, businesses will have the challenging task of compiling all of the requested information, and particularly in a structured format.

This interpretation may also create confusion and uncertainty, which introduces significant risk for the market with GDPR penalties. Violations of article 20 may result in fines of up to 4% of total worldwide annual turnover or €20 million, whichever is greater. Businesses and individuals must be afforded legal certainty, regarding the scope of rights under the GDPR and in complying with those rights what is required and what is not.

William RM Long

London

wlong@sidley.com

Thomas Fearon

tfearon@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.