The right to data portability and user control: ambitions and limitations

This article covers the right to data portability and analyzes its incidence in relation to the policy objectives set out by the EU regulator. Art. 20 of Regulation (EU) 679/2016 (“GDPR”) establishes a general-purpose control mechanism of horizontal application to facilitate the sharing and re-use of personal data among data subjects and promote the free flow of personal data within the European Union. As a key enabler of user control, the right to data portability aims to transform passive subjects into active data re-users. This objective presents an opportunity to develop a user-centric digital environment, by mandating easy retrieval of personal datasets and automatic transfers between digital providers. Nonetheless, the overview of the provision’s elements proves that the right applies in a reduced range of situations, suffers several limitations and raises pivotal concerns for data security, undermining the creation of a safe and trust-worthy data-driven environment. Consequently, this article questions the significance of the right’s reach and the intensity of the alleged user control, whose beneficial impacts largely depend on the extent to which individuals will exercise the right in practice.