What does data portability actually entail?
Today I read a pretty interesting paper on the GDPR's right to data portability, or Article 20, which states that:
- the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
- the processing is carried out by automated means."
Go have a look at this paper - it's an interesting read!
De Hert, P., Papakonstantinou, V., Malgieri, G., Beslay, L., & Sanchez, I. (2018). The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Computer Law & Security Review, 34(2), 193-203.
It does a great job looking at the historical evolution of this right in drafts of the GDPR, how they were changed in the final legislation (and what that means), and how the rights to access and erasure interact with the right to data portability. Interestingly, this paper made me aware of a concession in paragraph 4 of Article 20 which states that
“The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.”
That is, if one person demanding data portability harms another person, then the right of that second person to e.g. erasure appears to trump the right of the first person to portability. This means that if a specific student could demonstrate harm resulting from us making groupwork data available to other students in a group (perhaps in a personal data store), then they could demand that it be deleted.
However, as the paper points out:
“In practice this means that judges will need to determine – on a case-by-case approach – when the right to data portability will adversely affect rights and freedom of others in a specific circumstance.”
Interesting indeed. I am very curious to see what happens when a claim like this does eventually end up in a court! Something for the learning analytics community to mull over though… how are we going to navigate this very tricky boundary?