
Tristan Nitot, Chief Product Officer at MEF Member Cozy Cloud, discusses how ambiguous language in the impending GDPR regulation may impede the use of APIs in allowing the portability of consumer data – and how organisations, including MEF, are helping to ensure the guidelines specifically reference them as a matter of urgency.

Portability of personal data is a major topic for the digital future. In order to make sure it’s effective, it needs to happen by relying on APIs!

In today’s digital world, data has a huge influence on us: the recommendations we receive (advertising, purchases, reading, videos to see), the decisions that concern us (insurance, etc.), taken by us or by others, rely on our data. As such, the subject of data governance is essential: Who has access to data? Who controls the data?

Currently, users have very little control over personal data processed by data controllers, but this will change with the arrival of a European regulation called GDPR. Indeed, among other things, GDPR makes portability of personal data mandatory as of May 2018, that is to say very soon!

The devil is in the details

Making personal data portable is a very positive step, but the texts are complicated. For instance, the text of the GDPR specifies that the transfer from one controller to another must be “direct” and “without hindrance”. Unfortunately, this notion is quite relative! In the eighteenth century, the use of the carriage was undoubtedly a direct transfer without hindrance. At the beginning of the nineteenth century, the electric telegraph was probably the best option. In the 1990s, the fax would have been chosen. But in the twenty-first century, the state of the art is the API.

With rare exceptions (a very large volume of data, as with MRI, for example), a service provider that does not offer an API to retrieve our data, even though this is the most effective and cheapest way to transfer data directly, would objectively be seen as trying to create friction.

The issue is that this is not specified per se in the GDPR…

Which solution, then?

The Art. 29 WP (Article 29 Data Protection Working Party, which includes representatives of the data protection authority of each EU Member) is taking comments about the GDPR. In this regard, Cozy Cloud brought together organizations and leaders in order to co-sign a comment.

The goal of this comment is to make clear that the G29 guidelines on data portability should explicitly mention the use of APIs. Otherwise, it would be necessary to wait for case law to be set, which would generate delays and uncertainty that would benefit established players at the expense of users and of smaller, more innovative businesses and services.

Cozy would like to thank all those who have co-signed the comment. Some of them agreed to make their name public. Here they are:




This post originally appeared on the Cozy Cloud blog and is re-used with kind permission

Tristan Nitot

Chief Product Officer, Cozy Cloud

