GDPR after more than one year – How to make it happen?

25 Nov 2019 15:45h - 18:15h

Event report

[Read more session reports and updates from the 14th Internet Governance Forum]

The entry into force of the EU’s General Data Protection Regulation (GDPR) initiated numerous debates regarding the applicability and enforcement of the rights this regulation intends to protect. The practical implementation of article 20 of the GDPR, the right to data portability, is a key issue for non-profit group MyData Global, which regrets that article 20 is currently a formal rather than an actionable right. This is due to a lack of tools, applications, and processes on the side of the organisations processing personal data, but also to a lack of knowledge from citizens about how to access and transfer their data. Acknowledging the challenge and the importance of a human-centric approach to personal data, speakers argued that bridging discussions across sectors will be needed to make the article 20 more actionable in the coming years.

The practical implementation of the EU’s GDPR is still a key topic in Internet governance debates, one year after its entry into force. The right to data portability is one of eight rights enforced by the GDPR. In its article 20, the GDPR states that ‘the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided […].’

Though considering it to be one of the ‘most disruptive aspects of the GDPR’, Mr Olivier Dion (CEO of Onecub) argued that this right has so far not been actioned by users and companies for a number of reasons. From a legal perspective, there is still no liability framework to use this right. Technically, there is also a lack of interoperable standards to allow the actual implementation of data portability across platforms. Users may also fear moving their data to other platforms, while small companies may fear alienating themselves from large Internet companies when promoting portability solutions.

Nevertheless, Mr Matthias De Bievre (CEO of Visions) highlighted the great potential of data portability in the field of education and employment, while Dion pointed to the field of mobility.

In light of this potential, Ms Sille Sepp (Community Lead at MyData Global) noted that the MyData Declaration specifically demands that formal rights, such as the right to portability, become actionable rights. For Dion, the portability of personal data is the key to making the shift from data in closed silos to data which becomes a reusable resource.

In terms of governance and principles, Sepp also pointed to the work of MyData Global in developing new models for sharing data with services and companies, to avoid processes of centralisation while taking advantage of the growing availability of data. According to Sepp, individuals should be empowered and in control of their data, but this should not necessarily prevent data-handling. Transparency and accountability are also paramount, as channels must be provided to individuals to see and control what happens to their data. Dion argued that existing initiatives at the industry, national, or regional levels are not sufficient, and tend to strengthen technical and policy silos, rather than weaken them. MyData Global intends to develop a framework for bridging discussions of separated sectors forming an ‘agora’, which will be discussed in conferences in Berlin, Tokyo, Rio de Janeiro, and Nairobi in 2020.

By Clément Perarnaud