The Right to Data Portability as a Personal Right
Round 1
Reviewer 1 Report
Comments and Suggestions for AuthorsIn the author's reconstruction, the right to data portability, which is not regulated in Argentine legal system, can be grounded as a right of personality (very personal right), valuing in particular its connection with the principle of human dignity.
The author cites the European regulation 2016/679 (GDPR), and in particular Article 20, which regulates data portability, as the main precedent in the field. Although the solution proposed for Argentine law seems inspired by, or in any case in line with, that followed by the European legislator, there are no precise references to the debates, choices, and problems faced before and after the GDPR by EU law and member States legal systems (nor reference to US law, which in many ways has followed a different approach).
Due to the more detailed regulation that European law has known and to the contributions of legal debate that have stratified over the years, it would have been useful for the reader to know the foundations of EU law for protection of personal data and in particular for the right to data portability, which is the subject of this essay. The protection of human dignity is of course central in EU law as well as in the constitutional experiences of many Member States, but the regulation and debate on the subject of data has become 'specialised'.
The reference to “personality rights”, to the compensation for damages resulting from the infringement of personality rights (line 170 ff..), and to the link with the protection of human dignity remain in my opinion at a very general level (and very well known to a civil law jurist), while a comparative comparison with European law would have allowed for a more concrete approach with reference to data portability and to the interests that this right raises and with which it could conflict (also from a balancing perspective).
One may think, for example, that the portability and interoperability of data decreases the transaction costs of switching from one service provider to another, and consequently the lock-in phenomena (where the customer remains 'trapped' despite the presence of better opportunities on the market), and therefore it is worth noting that even though it is constructed as a personal right it has significant economic implications and stands at the intersection of many areas of law (competition, antitrust, consumer protection, etc.)
The bibliographical apparatus is very scarce; there is no reference to European doctrine.
Doctrinal references: only four publications are indicated (and one conference paper that does not appear to have been published), only one on the protection of personal data, the other three all on more general topics and are not recent (1991, 1992, 2008).
Line 32 and 33: That seems in contradiction with line 52 and ff. (GDPR, art. 20, 3)
Author Response
Regarding your first suggestion we added what follows:
The EU Regulation 2016/679 is part of the European Union (EU) data protection reform. It resides within the data protection law enforcement directive and Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by all EU institutions such as offices and agencies.
The general data protection regulation (GDPR) protects individuals when their data is being processed by the private sector and, for the most part, by the public sector. It strengthens existing rights provides opportunities for the creation of new rights and therefore gives individuals more control over their personal data. Thus, the GDPR allows individuals to better control their personal data. It further modernizes and unifies existing rules and regulations, allowing businesses to reduce red tape and to benefit from greater consumer trust. The GDPR establishes a system of completely independent supervisory authorities in charge of monitoring and enforcing compliance with the EU Regulation
In the EU, this “new” right to data portability aims to strengthening Individuals’ rights in several ways: 1) it makes it easier for an individual to access their own data; 2) it includes the provision of more information on how their personal data is used and processed and 3) it ensures that the way personal information is shared is available in a clear and understandable format; 4) it makes it easier to transmit personal data between service providers; 5) it makes it legally possible for the right for an individual’s data to be forgotten; 6) and finally, it includes the right to know when personal data has been breached, as companies and organizations have to notify the relevant data protection supervisory authority and, in cases of serious data breaches, also the individuals affected.
Some of the most important innovations of the EU DDPR include: 1) the requirement that public authorities and businesses appoint a person responsible for data protection; 2) the establishment of a one-stop shop as businesses only have to deal with one single supervisory authority (in the EU Member State in which they have their main establishment); 3) it requires that companies based outside the EU must apply the same rules when offering services or goods to individuals in the EU, which includes when those companies are monitoring the behaviors of individuals within the EU; 4) it requires that organizations have to carry out impact assessments when data processing may pose high risk for the rights and freedoms of individuals. These are just some of these very significant regulations.
The Commission submitted a report on the evaluation and review of the regulation in June 2020. The next evaluation is due in 2024.
In the United States, the right to privacy and the right to data portability has a different approach. Of course, US laws addresses data security and the importance of private records. However, the US regulations allow generally for businesses to establish their own set of rules privacy rules with their customers.
The California Consumer Privacy Act is the closest US equivalent of GDPR. It includes new privacy rights for California consumers, such as: the right to know about the personal information a business collects about them and how it is used and shared; the right to delete personal information collected from them (with some exceptions); the right to opt-out of the sale or sharing of their personal information; the right to non-discrimination for exercising their rights; the right to correct inaccurate personal information that a business has about them; and the right to limit the use and disclosure of sensitive personal information collected about them.
European legal doctrine points out that “The right to data portability is no doubt a key concern for online users as well as for companies that wish to have a level playing field … as GDPR might not deliver the intended results due to its ambiguity and due to the inherent limitations contained therein such as the rights and freedoms of other data subjects. In order to have effective data portability within the EU that covers all stakeholders, including users and businesses, the implementation of the GDPR must be in harmony with competition law and other relevant legislation such as consumer protection laws. This will require cooperation between the relevant competition authorities, the European Data Protection Supervisor, national data protection agencies and sector-specific regulatory authorities where necessary”(1).
To address your second suggestion we included:
Under the European GDPR, a person is entitled to file a data breach claim and data breach compensation regarding personal data that has been leaked, disclosed, lost, mis-used, hacked, or corrupted. Even if there was no economic loss but the breach was deliberate or negligent.
We also included:
However, it is worth noting that the portability and interoperability of data decreases the transaction costs of switching from one service provider to another, and consequently lifts the lock-in phenomena, where the customer remains 'trapped' despite the presence of better opportunities on the market. It is worth noting that even though this right is constructed as a personal right, it has significant economic implications and stands at the intersection of many areas of law such as competition, antitrust, and consumer protection law.
- Diker Vanberg, A. & , Ünver, MB. (2017). "The right to data portability in the GDPR and EU competition law: odd couple or dynamic duo?", European Journal of Law and Technology, Vol 8, No 1.
We correcte the missing publishing reference:
- Tulio, A. (2023). La respuesta del derecho a la crisis económicas [The response of law to economic crises]. In Secondo Convegno Internazionale di Studi di Diritto Euro-Americano [Second International Conference on Euro-American Law Studies], Universidad de Modena, 2013 in Tratado de la Buena fe y Solidaridad Jurídica, Córdoba, Marcos, Director, Buenos Aires, Rubinzal Culzoni.
Reviewer 2 Report
Comments and Suggestions for Authors· Data portability (Art. 20 GDPR) and copyright are a well-kown conflict; it´s also that a lot of aspects still unclear here. Therefore the dicussion on the topic is very welcome.
· However some aspects of Art. 20 GDPR are not presented in structured manner, which makes it difficult to understand the first part. Therefore the requirements of Art. 20 GDPR should be named in advance and systematically prepared.
o Limited scope of Art. 20 GDPR.
o Which are included of the data portability claim (Art. 20 (1) GDPR).
o Limitation of data portability claims, esp. intellectual property of third parties.
· This could be followed by the author statements in Section 1.
· Please also avoid European contributions to Art. 20 GDPR, e.g. Siems/Repka, (Neue) Datenzugangsrechte im Spannungsverhältnis zu Geschäftsgeheimnissen, Urheberrecht und Datenschutz, DSRITB 2022, 373 (you can use a translation program)
· The GDPR implements the right of personality; therefore, Art. 20 GDPR is also to be seen as a manifestation ofthe right of personality. Insofar please check your statement in 41/42.
· I can´t comment the law of Argentina, but the statements are interesting.
Comments on the Quality of English LanguageThe language is fine.
Author Response
Regarding your suggestions we included:
David Fåhraeus, Jane Reichel and Santa Slokenberga in their article “The European Health Data Space: Challenges and Opportunities” explain the European regulation implications for patients, medical practitioners, private firms and public administrations. They consider that the EU generally seeks to balance personal rights and the integrity of the single market as it regulates the generation, storage, transfer and use of personal data. It has now trained its sights on health data and its stated objective is to give citizens greater control over their personal data and facilitate secure sharing. The authors conclude that while the legal framework could well help transform healthcare and catalyze health-related innovation and research in Europe, there remain major questions that need to be considered and addressed (3)
Bueres disagrees with this criterion because he considers that if the object of these Rights becomes palpable by injuring, it exposes the economic content they lack. It would be equivalent to considering it as a Subjective Patrimonial Right and not a Very Personal Subjective Right. Bueres distinguishes this Right, whose object is an internal good of the person, from that "whose efficient cause is the illegality arising from the damage caused to said property. This last prerogative, of purely obligatory roots, is nothing other than the power that assists the victim in compensation for the damage. In short, such a credit right is different and subsequent - chronologically speaking – to the way the very personal extra-patrimonial Subjective Right may be affected.
Bueres also argues that the existence of the very personal Subjective Right is evident when the person can carry out acts of disposal of those assets, being the basis of the Subjective Right (donating blood, authorizing surgery and participating in risky activities. ; donating organs, reveals private information if an individual wishes and authorizes the disclosure of their images, etc.).
Also:
Finally, the same author says that every denial of Subjective Law means, ultimately, the direct path towards the denial of the individual in its ethical integrity, guaranteed with the certainty of the Law manifested in the recognition of Subjective Law, where the norm becomes concrete through the will of the agent who acts on the claim (8).
- David Fåhraeus, Jane Reichel and Santa Slokenberga. (2024) The European Health Data Space: Challenges and Opportunities. Sieps, Swedish Institute for European Policy Studies, February: 2epa.
In the introduction we added:
This article addresses the subject of the right to data portability as a personal right focusing on an exploration of the Argentine framework with insights into how data portability may develop in countries outside the EU.
Reviewer 3 Report
Comments and Suggestions for Authors
Thank you for inviting me to review this submission for your journal. I have enjoyed reading it.
This article addresses the subject of the right to data portability as a personal right and as such it addresses a topic, which is suitable for your journal. Overall the piece is well written and I look forward to seeing it develop further.
Its novel contribution is an exploration of the Argentine framework and as such I think it affords some insights into how data portability may develop in countries outside the EU.
I have recommended some revisions below, which I believe will help strengthen the piece:
1. I think the introduction could be improved by adding a paragraph setting out that you are going to consider this in relation to how it may operate in Argentina, as this would help link the separate parts of the article together more and highlight how your piece offers a different perspective on the right to data portability.
2. Also, in relation to the introduction, I recommend some slight revision in relation to the medical examples used. These are interesting, but it would be helpful in terms of making your piece really current if you mentioned briefly about the proposed Regulation on the European Health Data Space, the final text of which has now been agreed. This includes the right to portability. See Article 8d Right to data portability for natural persons in the Compromise Text.
The establishment of the European Health Data Space will involve the creation of two networks will be created for the sharing of health data, which is likely to require significant reform across the EU. These sources should help:
· European Commission, ‘Commission welcomes political agreement on European Health Data Space’ Press Release (15 March 2024) https://ec.europa.eu/commission/presscorner/detail/en/ip_24_1346
· Proposal for a Regulation on the European Health Data Space- Analysis of the final Compromise Text with a view to agreement <https://www.consilium.europa.eu/media/70909/st07553-en24.pdf>
· P Terzis and OE Santamaria Echeverria, ‘Interoperability and governance in the European Health Data Space regulation’ (2023) 23(4) Medical Law International 368-376, 373 <https://doi.org/10.1177/09685332231165692>
· see also Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the European Health Data Space COM/2022/197 final https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52022PC0197
· and https://www.europarl.europa.eu/legislative-train/theme-promoting-our-european-way-of-life/file-european-health-data-space
· and D Fåhraeus, J Reichel, and S Slokenberga, ‘The European Health Data Space: Challenges and Opportunities’ Sieps (February 2024) 8 <https://www.sieps.se/globalassets/publikationer/2024/2024_2epa.pdf>
3. I think sections 2 and 3 are your novel contributions for the purposes of this piece. I liked these parts, but suggest some slight revision. For instance in the paragraph beginning ‘The formation of the doctrine of personal…’it would be helpful just to add one or two more footnotes. Also, please proofread a little more, as there are a couple of minor typos here, such as cell pones, which I think should be phones.
4. In section 3, I recommend adding some further footnotes to support the discussion in the first and second paragraphs. I think it might be useful for you to refer to this piece:
· Róisín Á Costello, Genetic Data and the Right to Privacy: Towards a Relational Theory of Privacy?, Human Rights Law Review, Volume 22, Issue 1, March 2022, ngab031, https://doi.org/10.1093/hrlr/ngab031
· And also the work of Charles Foster https://www.bloomsbury.com/uk/human-dignity-in-bioethics-and-law-9781849461771/
Author Response
Following your suggestion we added and completed the following:
Simon Geiregat argues that “exercising that right can entail infringements of third-party copyright, depending on the circumstances, and that IP may often undermine the very regulatory concept and objectives of this ‘portability right’, particularly when cocreated content is involved” and add that “traders should not be allowed to reject portability requests by waiving their own IP rights, as this would hamper the effectiveness of the consumer’s remedy” (2)
With these regulations, a new personal right arises, within the context of the general protection of data, as part of the right to privacy. This development has certainly also to be seen as a manifestation of the right of personality. This regulation establishes that in order to further strengthen control over their own data, specifically when the processing of this personal data is carried out by automated means, individuals that have provided personal data to a ‘data collector’ must also be allowed for a natural person to receive that data in a structured format.
- Geirega, Simon (2022). Copyright Meets Consumer Data Portability Rights: Inevitable Friction between IP and the Remedies in the Digital Content Directive, GRUR International, Volume 71, Issue 6, June.
Round 2
Reviewer 1 Report
Comments and Suggestions for AuthorsThe author examines the possibility of establishing the right to data portability within the Argentine legal system, where such a right is not explicitly recognized by law.
Considering the European regulation 2016/679 (GDPR), and in particular Article 20, as the main precedent in the field, the author proposes a reconstruction of the right to data portability as a right of personality (very personal right), emphasizing its connection with the principle of human dignity. The author references Argentine law (in its various legal formants) concerning personality rights, the importance of solidarity and the protection of human dignity; and on this basis lays the groundwork for recognizing the right to portability. However, the author also points out the complexity of the interests involved, the opportunity to develop “a robust regulatory framework”, indicating that any legislative intervention should address these complexities and involve various stakeholders.
Author Response
The author examines the possibility of establishing the right to data portability within the Argentine legal system, where such a right is not explicitly recognized by law.
Considering the European regulation 2016/679 (GDPR), and in particular Article 20, as the main precedent in the field, the author proposes a reconstruction of the right to data portability as a right of personality (very personal right), emphasizing its connection with the principle of human dignity. The author references Argentine law (in its various legal formants) concerning personality rights, the importance of solidarity and the protection of human dignity; and on this basis lays the groundwork for recognizing the right to portability. However, the author also points out the complexity of the interests involved, the opportunity to develop “a robust regulatory framework”, indicating that any legislative intervention should address these complexities and involve various stakeholders.
Thank you so much for your feedback. We added a few more details marked in yellow. Specifically relating to the EU GDPR. We also added a reference to clarify details within the Argentina Laws. :
- Laje, Alejandro (2014). Derecho a la Intimidad. Su protección en la Sociedad del Espectáculo. Astrea.
Reviewer 3 Report
Comments and Suggestions for AuthorsThank you for inviting me to review this revised submission for your journal. I have enjoyed reading it.
Overall, I am pleased with your revisions and I think they have improved the piece.
I recommend some further proofreading to fix some minor errors. Below are some examples to help with this.
On page 2, the second sentence of the second paragraph (lines 51 and 52) could be improved and the last sentence needs a full stop.
Also, on page 2, I think it should be ‘strengthen individuals’ rights’ rather than strengthening.
And on page 2, line 67, it should be GDPR, rather than DDPR.
For example, on page 5, where you have added more on Bueres, there seems to be an unfinished quotation on line 235 and I think this section would benefit from another footnote or two. I also recommend revising the paragraph beginning a line 240, as it is a very long sentence and I think you could split it into two and just add a few more words to make it clearer.
Author Response
Thank you for inviting me to review this revised submission for your journal. I have enjoyed reading it.
Overall, I am pleased with your revisions and I think they have improved the piece.
I recommend some further proofreading to fix some minor errors. Below are some examples to help with this.
On page 2, the second sentence of the second paragraph (lines 51 and 52) could be improved and the last sentence needs a full stop.
Also, on page 2, I think it should be ‘strengthen individuals’ rights’ rather than strengthening.
And on page 2, line 67, it should be GDPR, rather than DDPR.
For example, on page 5, where you have added more on Bueres, there seems to be an unfinished quotation on line 235 and I think this section would benefit from another footnote or two. I also recommend revising the paragraph beginning a line 240, as it is a very long sentence and I think you could split it into two and just add a few more words to make it clearer.
WE reworded and added a reference:
Thank you for inviting me to review this revised submission for your journal. I have enjoyed reading it.
Overall, I am pleased with your revisions and I think they have improved the piece.
I recommend some further proofreading to fix some minor errors. Below are some examples to help with this.
On page 2, the second sentence of the second paragraph (lines 51 and 52) could be improved and the last sentence needs a full stop. HAS BEEN FIXED. SEE YELLOW.
Also, on page 2, I think it should be ‘strengthen individuals’ rights’ rather than strengthening.
HAS BEEN FIXED. SEE YELLOW.
And on page 2, line 67, it should be GDPR, rather than DDPR.
HAS BEEN FIXED. SEE YELLOW.
For example, on page 5, where you have added more on Bueres, there seems to be an unfinished quotation on line 235 and I think this section would benefit from another footnote or two. I also recommend revising the paragraph beginning a line 240, as it is a very long sentence and I think you could split it into two and just add a few more words to make it clearer.
“It is the case when an individual donates blood, or authorizes a surgery, decides to participate in risky activities, donates organs, reveals private information or authorizes the disclosure of their images, etc.)”(9).
