May 122017

WP29 Adopts Final GDPR Guidelines on Data Portability

William RM Long and Thomas Fearon
, , , ,

The EU’s Article 29 Working Party (“WP29”) adopted, on 5 April 2017, final guidelines on the new right of data portability under the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) which applies from 25 May 2018.

The European Commission has expressed concerns about WP29’s broad interpretation of article 20 of the GDPR on data portability.

Article 20 gives data subjects the right to have personal data which they have “provided to” a data controller and which is in a machine readable and commonly used format, transferred to another data controller where the processing is based on (i) consent, or (ii) the performance of a contract with the individual.

WP29 considers that the right of data portability not only covers data “provided knowingly and actively” by the data subject, but also covers data generated by his/her activity. This is a critical point for the wearables industry, and includes “observed data provided by the data subject by virtue of the use of the service or the device.” Examples include: search history, traffic data, location data, and “raw data such as the heartbeat tracked by a wearable device.” The WP29 guidelines exclude from the scope of article 20 inferred data such as the health profile drawn up by a controller on the basis of the collected heartbeat.

The European Commission has written to WP29 to complain that the latter’s approach goes beyond what was decided by European legislators. Although WP29’s interpretation benefits data subjects by giving them the right to request more information from, for example, social network platforms, businesses will have the challenging task of compiling all of the requested information, and particularly in a structured format.

This interpretation may also create confusion and uncertainty, which introduces significant risk for the market with GDPR penalties. Violations of article 20 may result in fines of up to 4% of total worldwide annual turnover or €20 million, whichever is greater. Businesses and individuals must be afforded legal certainty, regarding the scope of rights under the GDPR and in complying with those rights what is required and what is not.

William RM Long

London

wlong@sidley.com

Thomas Fearon

tfearon@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.