The concept of data portability has been of increasing interest in APAC countries. This is partly influenced by data portability provisions in the GDPR. However, scoping and implementing data portability rights in practice is proving challenging. Here is a snapshot of differing and developing approaches.
In Thailand, the right to data portability has been incorporated into the new Personal Data Protection Act, which will come into effect in May 2020. In India, the right to data portability has been incorporated into the draft Personal Data Protection Bill.
Similarly, in Singapore, the Personal Data Protection Commission (PDPC) that administers and enforces the Personal Data Protection Act 2012 (PDPA) published a consultation paper in May 2019 outlining the proposed introduction of a data portability obligation (Data Portability Obligation), which will require organisations to transmit, at the request of the individual, his/her data that is in the organisation’s possession or under its control, to another organisation in a commonly used machine-readable format.
The results of the consultation are in. Key concerns raised during the consultation include:
- the scope of the Data Portability Obligation e.g. the scope of data proposed to be covered by the Data Portability Obligation is too extensive, and further clarity is required as to whether the porting organisation or receiving organisation of ported data should determine whether a receiving organisation has presence in Singapore;
- handling of requests pursuant to the Data Portability Obligation e.g. further clarity is required with respect to the liabilities for breaches of ported data as well as the accuracy of data ported to another organisation, and the charging of fees for porting data; and
- Codes of Practice to be issued by the PDPC with respect to the Data Portability Obligation, e.g. concerns that an organisation may be bound by more than one Code of Practice, the standards of which may not be aligned, resulting in differing standards of protection when data is ported across sectors, and concerns that minimum standards may not be in place if Codes of Practice are only issued after the Data Portability Obligation comes into force.
The PDPC has published its response to the feedback received and has in mind to adopt and roll out the Data Portability Obligation in the following manner:
- the obligation to comply with the Data Portability Obligation would be applicable to organisations subject to the PDPA who have a presence in Singapore (i.e. organisations that are formed or recognised under the law of Singapore, or have a place of business in Singapore) and would not be applicable to data intermediaries (similar to data processors in GDPR terms);
- the scope of data to be covered by the Data Portability Obligation would be limited to data provided by an individual to an organisation and data generated by an individual’s activities in using the organisation’s product or service – such individuals must have a direct and existing relationship with the porting organisation;
- the receiving organisation will be treated as having collected personal data that they receive from a data porting request;
- the PDPC will issue suitable regulatory instruments in phases, such as Codes of Practice on the requirements, security standards and transmission protocols for porting a fixed, standard set of data categories which will be identified jointly by the PDPC, industry stakeholders and relevant sectoral regulators; and
- the PDPC will issue Advisory Guidelines on: (i) how individuals may request a copy of their personal data in a commonly used machine-readable format, (ii) the exceptions to the Data Portability Obligation, and (iii) the charging of fees for data porting.
Australia has already introduced a limited, sector-specific, data portability right, known as the Consumer Data Right (CDR) — but it has been a long time coming and its implementation has proven challenging.
CDR stems from a 2016-2017 public inquiry into data availability and use, which recommended introducing rights for consumers to have greater access to and control of their data, arguing that this would spark additional competition between and innovation by service providers. In 2018, the Australian Government announced that it would introduce CDR on a phased basis, commencing with the banking sector, followed by the energy and telecommunications sectors. As envisaged, CDR would allow consumers to direct entities in relevant sectors (e.g. banks or electricity companies) to disclose certain data about them to accredited third parties, such as comparison sites.
Despite widespread support for CDR in principle, the legislation and its rollout to the banking sector – originally planned for 1 July 2019 – have faced numerous obstacles. Industry raised a range of concerns, including worries around privacy and security and the interaction of the scheme with other legal requirements. There was also debate over what data should be in scope, who should be entitled to receive it, who should fund CDR and who would bear liability for issues with disclosed data. The Government sought to allay some of these concerns and eventually succeeded in passing legislation to create CDR in August 2019. But many matters were left to be dealt with through rules and standards to be issued by the scheme’s primary regulator, the Australian Competition and Consumer Commission (ACCC), and a data standards body. Significant time and energy then had to be spent consulting with industry about the procedural, technical and operational changes needed to implement CDR, and building, testing and refining the CDR system.
This has culminated in multiple postponements to banking sector CDR: consumer account data will now only become available from 1 July 2020, and consumers will have to wait until 1 November 2020 to access loan data. Unsurprisingly, plans for CDR in other sectors have also been impacted: the ACCC’s only significant work on energy CDR has been a 2019 consultation and position paper, and it is yet to take significant steps for telecommunications CDR. Throughout 2020, the Australian government will be consulting with industry again on future directions for CDR.
While no APAC countries (save for Australia) have yet formally implemented a data portability obligation, it is clear that lawmakers and regulators will continue to develop their thinking on data portability requirements. Organisations may wish to start thinking about the potential challenges and solutions in implementing a data portability obligation. For example, in terms of technology and compliance costs, are your organisation’s current systems able to deal with the proposed data portability requirements, and if not, will upgrades to systems be required?