Cryptonoise: Exercising the GDPR’s right to data portability

Are you going?

3 people going


57North Hacklab

Lower Levels, 26 North Silver Street · Aberdeen

How to find us

Access is from Skene Terrace. When you're facing Assembly, look to the right and you'll see a fire exit just before the steps up to North Silver Street. This is the access door. If it is not open, please use the doorbell.

Location image of event venue


Thanks to Janis Wong for agreeing to travel to present at this session. As usual, we'll be starting around 19:00 BST.

The new European General Data Protection Regulation (GDPR) reinforces existing data subject rights in an attempt to rebalance power between citizens and the increasingly sizeable and international companies that are collecting and exploiting data from them. The GDPR introduces one new data subject right, and the focus of this talk, Article 20 the right to data portability (RtDP). The RtDP aims to allow data subjects to obtain and reuse their personal data for their own purposes across different services.

As no empirical research has been done to assess the RtDP, we exercise the right by making 230 real-world data portability requests across a wide range of data controllers. The RtDP is interesting to study as it operates under a framework that aims to be technologically neutral while requiring specific technologies for implementation. Our research assesses the ease of the RtDP process from the perspective of the data subject and to examine the file formats returned by data controllers.

This talk will discuss the responses to 230 real-world data portability requests, and examine the file formats returned and difficulties in making and interpreting requests. We find variation in file formats, not all of which meet the GDPR requirements, and confusion amongst data controllers about the various GDPR rights. Legal and technical recommendations and future work for various stakeholders are also be discussed.