Two years of GDPR: where does Europe stand on data portability?


Today, the European Commission published a report assessing the effectiveness of the General Data Protection Regulation (GDPR).

With its entry into force, European citizens gained new rights, notably with data portability. But two years later, there is still little sign of people exercising this right, and of companies offering an easy and convenient service for data portability.

The European Commission's review itself acknowledges that the right to data portability has the potential to "put individuals at the centre of the data economy", yet it is not fully used.  

Making personal data portability more effective

A new CERRE study provides recommendations on how to make personal data portability more effective. This will truly empower consumers to use the services they want and share their data with whomever they wish and stimulate innovation in Europe.

The authors of the study, professors Jan Krämer, Pierre Senellart and Alexandre de Streel, warn that the current legal framework requires clarifications to better empower European citizens in a data-driven society.

They identify barriers to data portability, including the lack of possibilities to import data as well as the lack of common standards and tools to access data as easy as the click of a button. The ability to provide users with a centralised dashboard for monitoring and controlling the flow of their data is also critically missing.

"Today, consumers do not widely use data portability for reasons that can and should be overcome. Making data portability more effective is better for competition, for innovation and to empower users. There should be no second-guessing on whether to make data portability more effective, the time to act is now."

Legal gaps

The current EU framework encourages data portability, but there are legal gaps that the EU should fill. The authors insist on the need for detailed guidance on how data portability can be facilitated and on which data is subject to data portability without violating privacy rights. They advocate that data provided by users when using a service, such as search history (i.e. “observed data”) should clearly be included under the scope of data portability.

Missing tools

The authors consider it essential that the obligation to offer standardised Application Programming Interfaces (APIs) be much more widespread to enable consumers to continuously port their data.

"We believe that standardised APIs that enable continuous data portability is a prerequisite for encouraging more organisations to import personal data, and for encouraging more consumers to initiate such transfers."

Projects, such as the Data Transfer Project have highlighted that continuous data portability is technically feasible.

The authors argue that Personal Management Information Systems (PIMSs) facilitate the complex consent management and offer users a centralised dashboard for monitoring and controlling the flow of their data will have a crucial role to play for the wider adoption of data portability.

"It must be as easy as clicking a button for consumers to continuously share data they created with one provider to another provider. This may also require educating and informing users on their rights through information campaigns alongside clear policy measures."


Nevertheless, they stress that PIMSs are not likely to find a sustainable business model, and thus, policy makers should support the emergence of open-source projects by setting common standards for data transfers, consent management, and identity management.