Tristan Nitot, Chief Product Officer at MEF Member Cozy Cloud, discusses how ambiguous language in the impending GDPR regulation may impede the use of APIs in allowing the portability of consumer data – and how organisations, including MEF, are helping to ensure the guidelines specifically reference them as a matter of urgency.

Portability of personal data is a major topic for the digital future. In order to make sure it’s effective, it needs to happen by relying on APIs!

In today’s digital world, data has a huge influence on us: the recommendations we receive (advertising, purchases, reading, videos to see), the decisions that concern us (insurance, etc.), taken by us or by others, rely on our data. As such, the subject of data governance is essential: Who has access to data? Who controls the data?

Currently, users have very little control over personal data processed by data controllers, but this will change with the arrival of a European regulation called GDPR. Indeed, among other things, GDPR makes portability of personal data mandatory for May 2018, that is to say very soon!

The devil is in the details

Making personal data portable is a very positive step, but the texts are complicated. Thus, the text of the GDPR specifies that the transfer of a controller to another must be “direct” and “without hindrance”. Unfortunately, this notion is quite relative! In the eighteenth century, the use of the carriage was undoubtedly a direct transfer without hindrance. At the beginning of the nineteenth century, the electric telegraph was probably the best option. In the 1990s, the fax would have been chosen. But in the twenty-first century, the state of the art is the API.

With rare exceptions (very large volume of data for MRI, for example), the service provider who would not put an API to retrieve our data, while this is the most effective and cheaper to transfer data directly, would be objectively seen as trying to create friction.

The issue is this is not specified per se in the GDPR…

Which solution, then?

The Art. 29 WP (Article 29 Data Protection Working Party, which includes representatives of data protection authority of each EU Member) is taking comments about the GDPR. In this regard, Cozy Cloud brought together organizations and leaders in order to co-sign a comment.

The goal of this comment it to make clear that the G29 guidelines on data portability should explicitly mention the use of APIs. Otherwise, it would be necessary to wait for case law to be set, which would generate delays and uncertainty which would benefit established players at the expense of users, smaller and more innovative businesses and services.

Cozy would like to thank all those who have co-signed the comment. Some of them agreed to make their name public. Here they are:

Organizations:

• Cozy Cloud
• Qwant.com
• France Digitale
• MAIF
• OVH
• Bankin’
• Framasoft
• Mobile Ecosystem Forum (MEF)
• Digi.me
• Meeco
• Inno3
• Budget Insight
• U Change
• Association Ploss Auvergne Rhône-Alpes
• SNIPS
• OpenDataSoft
• CNLL
• Alter Way
• Shopmium
• Innovacom
• Fabernovel
• Linxo
• Aevatar
• Dashlane

Personalities:

• Benoît Thieulin (Dean of the School of Management and Innovation Science Po & DG of La Netscouade)
• Célia Zolynski (Professor of Law at the University of Versailles-Saint-Quentin-en-Yvelines, member of CNNum)
• Antoine Petit (PDG of Inria, Professor of Computer Science at ENS Cachan, member of CNNum)
• Nicolas Anciaux (Responsible for the project team PETRUS (INRIA))
• Yann Bonnet (Secretary General of the CNNum)
• Hugo Roy (co-author of User Data Manifesto)

Learn more about GDPR and data portability:

• General Data Protection Regulation on Wikipedia ;
• Article 20 of the GDPR on portability ;
• Guidelines of the G29 (PDF format) ;
• Comments made by Cozy Cloud on the guidelines (PDF format).

This post originally appeared on the Cozy Cloud blog and is re-used with kind permission

Chief Product Officer, Cozy Cloud