
Art. 20, GDPR: A case for Extensive Interpretation

Kashish Makkar

An extensive approach manages to address the concerns of holders of IPR, and is in line with the broader scheme of GDPR.


“May the 25th be with you”

The EU’s General Data Protection Regulation (GDPR), which came into full force on May 25th, gave data subjects a plethora of rights. Among the rights recognized, the Right to Data Portability has created a lot of ripples across IP circles (see here and here). The right is secured by Article 20 of the GDPR, which is worded in a way that leaves room for an interpretation making the right either restrictive or extensive in its application. There has been a lot of hue and cry in IP circles advocating a restrictive approach to interpreting Article 20.

Its actual application, though, will be decided when a court of law interprets the provision. In this blog post, I will make a case for adopting an extensive approach to interpreting Article 20. I will argue that, contrary to popular opinion, an extensive approach must be taken, as such an approach not only takes care of the concerns of IPR holders but also furthers the broader scheme of the GDPR.

Right to Data Portability

Article 20 of the GDPR gives individuals (data subjects) the right to require an organization (the controller) to give them the data that they have provided to it. The data has to be provided in a simple, commonly used, machine-readable format.

The data so provided can be given to a different organization, which gives the individual the option of choosing other services. This portability gives users the power to choose their service provider without being restricted by the leverage that an existing service provider holds by virtue of having access to their data.

Apart from giving individuals the option to switch, the right also ensures healthy competition in the market. Organisations starting afresh have the potential to compete with giants like Facebook on account of having access to user data on a par with theirs. However, this access to data, and the quality and quantum of that data, depend critically on the interpretation of Article 20.

Extensive vis-à-vis Restrictive Approach for Interpretation

Interestingly, Article 20 is worded in a way that leaves scope for interpretations that could lead to its application in a range of ways. Article 20(1) reads:

“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller,”

It is the term ‘provided’ in Article 20 that leaves wide scope for interpretation. It sparks a debate as to whether the data that organisations collect from your GPS location, your activities, etc. is data ‘provided’ by you, or whether the term covers only the data that you actively volunteer by filling in forms and the like.

A restrictive approach to interpreting Article 20 would entail reading ‘provided’ to include just ‘received’ data, i.e., data volunteered by the individual user, thereby excluding any data which the organization collects by observing user activities.

An extensive approach to interpreting Article 20, by contrast, would include both received and observed data. Therefore, any data extracted by the organization, using specialized algorithms, based on your activities on its interface is included within the ambit of data ‘provided to a controller’. Hence, under the extensive interpretation regime, the controller would have to provide that data as well, in a simple, commonly used, machine-readable format.

Extensive Approach to Interpretation and the concerns with IPRs

Even though the WP29 (Article 29 Working Party) has recently endorsed the extensive approach to interpreting Article 20, a number of IP experts have rallied against such an interpretation (see here and here). This is because including ‘observed’ data under the data portability regime exposes the IPRs of the organization that collects the data through such observation. Simply put, the observed data is collected via software and trade secrets which are crucial IPR resources of an organization. The data so collected from observation, if provided to a user who could further provide it to the organisation’s competitor, could easily reveal the algorithms through reverse engineering. As a result, it leaves the IPRs of the organizations vulnerable.

This has led to considerable opposition among the owners of IPR, who therefore argue for a restrictive approach to interpretation.

Extensive Approach: The Ideal Interpretation

Understandably, as explained above, the extensive approach leaves the owners of IPR vulnerable. However, I would argue that it is still the ideal approach. I will begin by addressing the concerns that have been highlighted and then argue that an extensive interpretation is in line with the broader scheme of the GDPR.

The concerns highlighted above are bona fide; however, we must take two things into consideration. First, Article 20(4) is a balancing provision in itself. Art. 20(4) states that, “The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.” The term ‘rights of others’ would cover the IPR of the organization that is requested to release data. Therefore, there is a balancing clause within the scheme of the provision for data portability.

Second, we need to differentiate between the different kinds of data and the software algorithms used. As per the WP29, the extensive approach extends only to ‘received’ and ‘observed’ data; the ‘inferred’ data remains with the organization. Simply put, the algorithms used by the organization to infer your behavior, habits, etc. from your received data and observed data are not subject to Data Portability. Therefore, sophisticated algorithms, which may be ‘trade secrets’ anyway, stay out of bounds for Article 20.

Hence, any concerns with regard to the vulnerability of IPR are addressed by the above two considerations. However, even in the absence of these concerns, it is still objectively better for a court of law to adopt an extensive interpretation, as such an interpretation is in line with the scheme of the GDPR.

An extensive interpretation makes organizations adapt to an effective data management regime. This is because organizations would have to index received, observed and inferred data to ensure compliance with Article 20. This has wide-reaching implications, and furthers the goals of the GDPR. For instance, an efficient data management system would help organizations cater to the demands of data subjects who exercise their right to be forgotten. Similarly, it also promotes interoperability of systems which, though not an obligation under the GDPR, is one of the goals of the EU Data Protection Regime (Recital 68, GDPR).

Therefore, given that an extensive approach takes care of the considerations of IPR owners, and clearly is in line with the broader scheme of GDPR, it must be taken up as the ideal interpretation.

Kashish Makkar is the founding editor of Law School Policy Review.

Image Source: Sputnik International