Hogan Lovells recently submitted comments on the proposed EU Data Protection Regulation to the UK Ministry of Justice.
Among their conclusions there are some regarding the right to be forgotten and the right to data portability:
The right to data portability seems to be focused on a competition law objective, reducing switching costs between service providers, rather than a data protection objective. It therefore exceeds the scope of Article 16 TFEU on which the proposed Regulation is based.
The Commission’s proposal no doubt has social media in mind. But data portability would apply to all sectors of industry: banking, insurance, healthcare, telecommunications, etc. The Community legislature has in the past introduced number portability for telecommunications operators, and some Member States have enacted specific provisions imposing portability in other industries (e.g. the UK for the banking industry).
The Commission proposes an across-the-board portability obligation, but has not analysed the impact of that proposal, nor whether there are specific market failures warranting such an intrusive economic regulation. If the Commission had done a market analysis, it would have found that even in the field of social networking, the market is evolving quickly and that regulation is no doubt premature. Google+ makes data portability a commercial argument to attract customers away from Facebook. In other industries (e.g. banking in certain Member States), data portability may be a good idea to increase competition, but a privacy regulation is the wrong vehicle to use to address this issue.
The creation of a right to data portability also raises the complex issue of whether a data subject has a property interest in his or her personal data. Economists are divided on this controversial issue, and the Commission’s proposal goes too far down the road of recognizing a property right in personal data, where none has heretofore been recognized.
As one can easily see, all the conclusions are based on an economic or business analysis, even though the right to data portability is introduced in data protection legislation, which is essentially concerned with “the person”: only the natural person, to be more specific. And it does so taking into account two fundamental rights in the EU – the right to privacy and the right to data protection.
I would say that before excluding the possibility of such a right being part of the actual privacy and data protection sphere, one should analyze in depth the implications of giving a person the right to move his or her collection of data from one service provider to another.
I am definitely not the first in history to talk about a digital persona of the human being. Often, the data collected by some service providers become an expression of one's personality, like the reputation a seller or a buyer has on eBay. Why not enjoy the same reputation while using another similar service provider? Why not protect that personal data?
Or maybe data portability is the right that will make the difference between privacy and data protection crystal clear once and for all. After all, they are two separate rights, which means they are not interchangeable. And instruments such as data portability are more justified by the data protection philosophy than by the privacy one.