TY - JOUR AU - Li,, Wenlong AB - Key Points A joint effort of technology and law has increased the possibility that different data subjects exercise their data protection rights in a conflicting way. The General Data Protection Regulation (GDPR) contains the following rule for settling the conflict between the right to be forgotten (RtBF) and the right to data portability (RtDP). While Article 20(4) prescribes that the exercising of the latter right shall not adversely affect the former, Article 17 appears to suggest a hierarchical relationship between the two. The conflict of GDPR rights reflects a long-standing tension between access and privacy, and the GDPR can therefore be aligned with existing principle and case law. As a general rule, the privacy-protective RtBF is designed to override the privacy-threatening RtDP, yet this rule does not stop the competing rights from being balanced against each other. The RtDP may have various normative underpinnings; in light of its elusive nature, the balancing of rights largely depends upon how data portability is defined in a particular context. Introduction In the early 2012, the European Commission initiated a radical reform of the European Data Protection Law,1 which culminated in the adoption of the General Data Protection Regulation (GDPR) in April 2016.2 This regulation appears to mirror the 1995 Data Protection Directive (DPD) in many ways3 and entails some innovations that do not exist in the Directive. Perhaps the most eye-catching creation are the two data protection rights—the right to be forgotten (RtBF), a rebranded version of the right to erasure4, and the right to data portability (RtDP). These two rights can be seen as convincing illustrations of the regulation’s core objective of individual control over personal data.5 While the RtBF enables a data subject to request erasure of his or her personal data on varied grounds, the RtDP legitimatizes the retrieval and transmission of data at a data subject’s request. These two rights have been subject to intense public debates. Besides the rebalanced relationship between the data subjects and controllers, there is another issue that has been relatively understated, concerning the growing tension between data subjects themselves. Such a tension deserves closer attention in the GDPR era when the data subjects are encouraged to exercise their powerful rights.6 This article looks at one particular conflict between data subjects—potentially the most salient one in the GDPR era—that is, the conflicting exercise of the RtBF and the RtDP by different data subjects.7 This conflict has been discussed in the existing literature. Lynskey imagines a situation where ‘a photograph of two friends is ported from one social networking site to another in a way that violates the second individual’s privacy rights’.8 The Centre for Information Policy Leadership (CIPL), a US-based privacy and security think tank, inquiries whether ‘an individual account holder should be able to request and download data of other people underneath the account (such as family members’ data)’.9 While much importance has been attached to this conflict, some core issues remain unaddressed: how the two rights come into conflict and in what ways should they be balanced against each other? Does the GDPR entail an effective framework for this conflict? Before unpacking the GDPR, the section ‘An emerging battle of (active) data subjects’ explains the reasons why the potential conflict between data subjects should not be underestimated in the era of GDPR. The following section ‘Two new rights under the GDPR’ provides a detailed account of GDPR provisions and clarifies the relation between the two rights in question. It is argued that the Article 20(4) serves as the normative basis for settling the conflict of rights, prescribing that the RtDP shall not adversely affect the RtBF. In a similar vein, the Article 17 GDPR appears to suggest a hierarchical relationship between the two rights. This hierarchy is further elaborated in the final section ‘Balancing the RTBF with the RTDP’ where GDPR provisions are aligned with the existing principle and case law. An emerging battle of (active) data subjects The conflict in question occurs when multiple data subjects have competing interests in a certain set of data and they are all equipped with legal rights to exercise control over that data. Technically speaking, it is nearly effortless to have multiple individuals linked by one set of data. This technical reality, what this article calls ‘multiple linking’, is a major contributor to the conflict between the data subjects. Floridi observes that technological advances have made individuals hyper-connected.10 A hyper-connected era features a shift from the primacy of ‘standalone things, properties and binary relations’ to one of ‘interactions, processes and networks’.11 Schwartz and Solove reveal another technological impact on humans that individuals have also become (hyper-)‘linkable’.12 They argue that the rise of computers did not merely ‘increase the amount of data’, but also ‘changed how data could be organised, accessed and searched’.13 Ultimately, it changed ‘the way in which information could be linked to an individual’.14 The law may also heighten the tension between individuals because the expansive scope of personal data, as defined in the EU law, for instance, increases the possibility that two or more individuals dispute control over certain data. The Article 29 Working Party (A29WP) argues that the personal data ‘includes information touching not only the private and family life stricto sensu, but also information regarding whatever type of activity is undertaken by the individual, like that concerning work relations or the economic or social behaviour of the individual’.15 A medical prescription, for instance, includes not only personal data of the physician (eg name, handwriting, and records) but also data about the patient(s), along with the entire process of medical consulting in which they interact.16 The UK’s Information Commissioner’s Office (ICO) has mapped out three major circumstances where a certain set of data links to multiple individuals, respectively, reflecting the content, purpose, and results of data processing17: (A) the content of data is (obviously) about two or more individuals (e.g. the record of a policeman about the arrest of an individual) (B) the content of data is about one individual but it is processed in order to learn/record/decide something about another individual (e.g. the school record? of emergency contact details about a child’s parents) (C) the personal data about one individual is personal data affecting another individual (e.g. the interview with a few employees about one of their colleagues being bullied by a manager) The A29WP contends that these circumstances must be considered as ‘alternative conditions’ instead of ‘cumulative ones’, meaning that same piece of data may ‘relate to different individuals at the same time, depending on what element is present with regard to each one’.18 A certain set of data may relate to one subject based on the ‘content’ factor, and to another subject on the grounds of ‘purpose’ or ‘result’. As a result, this evidently multiplies the chance of one set of data simultaneously linking to multiple individuals. Schwartz and Solove observe that the grounds are wider in the European Union (EU) than the USA for linking personal data to a data subject. While the USA takes a reductionist approach to define personal data by ‘associating with a specific person’, the EU embraces an expansionist view that ‘personal data includes not only the information linked to a particular person, but also information that may be linked (identifiable) in the future’.19 Indeed, the European data protection law has for decades kept hold of an unusually broad concept of personal data. Lynskey considers this concept as ‘notoriously inclusive’.20 Similarly, Purtova critiques the overstretched scope of the EU data protection law. Labelling the GDPR as the ‘law of everything’, she is concerned with some disturbing situations where the data generated from ‘observing weather and analysing wastewater’ are included.21 Other than an inclusive concept of personal data, the European data protection law is also known as ‘subject-centric’22 or ‘rights-based’.23 The fact that data subjects are all equipped with a set of ‘micro-rights’ may lead to a battle of control over data.24 A few scholars even argued that the GDPR corresponds to a property-based scheme. For instance, Victor opines that it has taken ‘unprecedented step of, in effect, creating a property regime in personal data, under which the property entitlement belongs to the data subjects and is partially alienable’.25 In contrast, Greaf and others contend that new data protection schemes like the RtDP, even fully enforced ‘along or in combination with the RtBF’, do not create a ‘right to exclude’—that is, allowing one data subject to exclude others from retaining parallel control. In the absence of coordination between individuals, which is unlikely to be the case in reality, the battle between them is bound to happen. It should be acknowledged that the existing rights, e.g. right of access (RoA), have shown to be underutilized for decades.26 However, the RtBF is a notable example of the new data protection rights gaining momentum, and hence the possibility of the new GDPR rights being exercised in a conflicting way should never be ignored.27 Two new rights under the GDPR Both the RtBF (Article 17) and the RtDP (Article 20) are prescribed under the section 3 of the GDPR, titled ‘Rectification and Erasure’. Historically, the RtBF can be seen as an extension to the ‘right to erasure’ established under Article 12(b) DPD.28 The two names of the right are used in an interchangeable way in recital 65 GDPR, ostensibly suggesting that the rebranding is just a manner of semantics. Article 17(1) GDPR prescribes that the data subject shall have the right to ‘obtain the erasure of personal data concerning him or her without undue delay’.29 This right is subject to a wide range of (alternative) conditions that the personal data are (i) ‘no longer necessary in relation to the purposes for which they were collected or otherwise processed’; (ii) that the data subject ‘withdraws consent on which the processing is based’ and where ‘there is no other legal ground for the processing’; (iii) that the data subject exercises the right to object (the processing) and there are ‘no overriding legitimate grounds for the processing’; (iv) that the personal data ‘have been unlawfully processed’; (v) that the personal data have to be erased for compliance with a legal obligation; or (vi) lastly, that the personal data have been ‘collected in relation to the offer of information society services’.30 As Sartor opines, these conditions seem to suggest that the RtBF is generally exercisable where the data processing concerned lacks a legitimate basis.31 This is echoed by Article 17(3) GDPR that lists a variety of exceptions to the RtBF, substantially mirroring Article 6(1) on the legitimate bases for data processing. The RtDP is prescribed in Article 20(1) GDPR, comprising two constituent rights. The first right allows the data subject to receive a copy of personal data in a certain format whereas the second right allows transmitting those data from one controller to another. Both rights are subject to the proviso that the data processing concerned is either automated and based on either consent or performance of a contract. Article 20(2) entails a technical condition for direct transmission of data without human participation. Unless direct transmission is ‘technically feasible’, meaning that the databases concerned are interoperable, data controllers are allowed not to comply with a portability request.32 In accordance with recital 68, interoperability is not an obligation for data controllers.33 The tension between the two rights is obvious. The unilateral exercise of the RtBF by one data subject may deprive the others of the chance for exercising the RtDP. Similarly, when the RtDP is exercised, the subsequent exercise of the RtBF (by another) would fail to make the data ‘forgotten’ by removing just a copy of it. Regarding this tension, Articles 20(3) and (4) appear relevant at first sight, and the text of these provisions is provided as follows: Art 20(3): The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Art 20(4): The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.34 The former clause makes a reference to Article 17 but is silent on the issue whether one or more data subjects are involved. In contrast, Article 20(4) explicitly concerns rights of others but stops short of clarifying the nature of those rights. It remains unclear whether the term ‘rights and freedoms’ in Article 20(4) includes the RtBF, and whether another term ‘the others’ in the same clause includes data subjects. In this regard, recital 68 GDPR provides an explanatory note that ‘where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation’.35 On the one hand, this note appears to elaborate on Article 20(4) and arguably replaces the term ‘not adversely affect’ with ‘without prejudice to’. In so doing, it may imply that these terms can be used interchangeably. On the other, the recital is also likely to refer to Article 20(3) by using the term ‘without prejudice to’. If that were the case, Articles 20(3) and 20(4) would be functionally identical. The A29WP guideline may provide some clarity on this point. By interpreting the term ‘without prejudice to’ in a context where only one data subject is concerned, the A29WP confines the Article 20(3) to the case where he or she exercises both rights at the same time.36 In addition, the term ‘rights and freedoms of others’ in Article 20(4) is broadly interpreted, including subject rights of other data subjects under the GDPR, such as the RtBF.37 Assuming that the two clauses apply to distinct cases, it can be stated that Article 20(3) relates to the joint exercise of both the RtBF and the RtDP by one data subject whereas Article 20(4) is applicable where the two rights are exercised by different data subjects in a conflicting way. It is also interesting to note that Article 17 GDPR entails no similar rule for balancing the RtBF with other subject rights. Among the exceptions to the RtBF, subject rights eg the RoA and the RtDP are absent as well. This may suggest a hierarchical relationship between subject rights in the GDPR: the RtDP appears higher in rank than the RoA or the RtDP. This is not to argue, however, that the RtBF shall categorically override other subject rights in a conflict. It is suggested, in the next section, that this hierarchy does not prevent these conflicting rights from being balanced against each other. Some may argue that Article 17(3)(a) GDPR, prescribing that the freedom of information is an exception to the RtBF, may be relied upon to resolve the conflict in question. Such an exception is only relevant based on the assumption that the RtDP corresponds to the right to freedom of information. Indeed, some rules have been developed in the Luxembourg jurisprudence for balancing the RtBF with the freedom of information. In Google Spain, for instance, the Court of Justice of the European Union (CJEU) established that the RtBF ‘overrides, as a rule, the interests of the general public in finding that information upon a search relating to the data subject’s name’.38 However, it also ruled that the RtBF can be overridden in particular cases by ‘preponderant interest of the general public in having access to the information in question’.39 In the subsequent case Manni, the CJEU seemed to ‘sway the pendulum a bit away from Google Spain’,40 ruling that data subjects do not have the right to erasure of personal data which ‘have been entered in the [public] register’, after ‘a certain period of time from the dissolution of the company concerned’.41 Still, some legitimate reasons may ‘justify exceptionally that access to personal data entered in the register is limited, upon expiry of a sufficiently long period [of time] to third parties’.42 These rules are not applicable in this case, however, because the RtDP should be clearly differentiated from the right to freedom of information. Banisar observes that the two rights are ‘intertwined constitutionally in many countries’.43 The data protection right (of access) has been used to ‘obtain policy information in the absence of right to information law’ and vice versa, the right to freedom of information has been exercised to ‘enhance privacy by revealing abuses’.44 In countries like Canada, Hungary, Mexico and Thailand, both rights are even prescribed in one piece of law.45 Still, in the EU legal order where these rights are co-existent, freestanding, and evolved in distinct legal instruments, the confusion between the two should be avoided. Therefore, instead of Article 17(3) or Article 20(3), Article 20(4) GDPR should serve as the normative basis for resolving the conflict of rights in question. Balancing the RtBF with the RtDP In its guidelines, the A29WP takes the view that data controllers ‘must not take an overly restrictive interpretation (of Article 20(4) GDPR)’.46 This seems to carve out some space for balancing the two GDPR rights, given that the RtBF generally overrides the RtDP. However, the A29WP is circumspect about this case, especially in a context where data is ported and used for different purposes, eg digital marketing.47 It therefore suggests that another legal basis must be identified for further processing, and the onus falls on the ‘receiving controller’ to justify its processing in every case.48 The A29WP requires that such further processing should be limited to ‘a purely personal or household activity’.49 Lynskey argues that this limitation is ‘nowhere stipulated in the GDPR’, and may ‘unduly interfere with the innovation such portability is hoped to engender’.50 This article further argues that establishment of a new legal basis for data processing is insufficient to comply with the GDPR. The exercise of the RtBF may potentially prevent every kind of further data processing, either by the incumbent controller or by the new one. Even in cases where the new controller is able to justify the further processing, the RtBF would nevertheless be adversely affected by data portability. The legitimacy of further data processing therefore does not prevent the two rights from conflicting against each other. To resolve this conflict, it is crucial to further clarify the relation between these rights.51 The issue of the RtBF versus the RtDP reflects a longstanding tension between the RoA and the right to privacy. It is observed that the RtDP and the right of access actually share a rule for balancing with the RtBF. This is not only visible in the GDPR provisions ie Article 15(4) and Article 20(4) but can also be drawn from the existing access rules. The implementation of GDPR provisions should therefore be aligned with existing principles and case law. Aligning with the subject access framework The principle to ease the traditional tension can be originally found in Article 13(1)(g) DPD, permitting member states to restrict the RoA for the ‘rights and freedoms of others’.52 This principle has been incorporated into domestic law of member states. For instance, the UK’s Data Protection Act of 1998 (DPA) requires, in section 7(4), that data controllers are not obliged to comply with access request if it cannot be satisfied ‘without disclosing information relating to another individual who can be identified from that information’.53 This may suggest that the RoA is not absolute, and as a rule, the exercise of this right is outweighed by the protection of another individual’s private information. Cormack suggests that this rule also applies to the RtDP exercised against another individual’s privacy, meaning that the right to privacy generally prevails over the RtDP.54 However, the right to privacy should not be absolutely prioritized. As prescribed by both the EU and the UK law, a fair balance should be struck in some cases between the conflicting rights. At the EU level, the CJEU notes in Lindquist that the DPD is ‘necessarily general, entailing rules with a degree of flexibility’.55 At the UK level, it is stated in Durant that section 7 DPA only ‘creates a presumption starting point that the information relating to that other, including his identity, should not be disclosed without his consent’.56 This presumption, as Lord Justice Auld suggests, ‘[may] be rebutted if the data controller considers that it is reasonable “in all the circumstances”, including those in section 7(6) [DPA], to disclose it without such consent’.57 The flexible balancing scheme did not exist in the first generation of the UK data protection law—the Access to Personal Files Act 1987 (in addition to the DPA of 1984).58 For that reason, it was challenged before the European Court of Human Rights (ECtHR). The court found in Gaskin that the consent-based UK Act, without a balancing scheme, was disproportionate since a third party is likely to fail to answer or to improperly withhold a consent request from a data controller.59 The Gaskin case led to the DPA of 1998, in which a balancing scheme was introduced, thereby rendering third-party consent indeterminative for the compliance of access requests.60 Notably, the ICO undertakes a three-step approach to guide application of section 7 DPA.61 The first step is to evaluate the risks for third party privacy. If certain personal data contains information relating to a third party, such a risk can then be mitigated by editing or deleting the third-party information. As the ICO indicates, however, some types of information comprise ‘mixed personal data’ that are inextricably linked to each other.62 In DB v General Medical Council, the UK’s High Court of Justice ruled that an expert report into a doctor’s professional competence contains personal data of both the doctor and the patient, which are ‘inextricably mixed therein’.63 It is burdensome, if not impossible, to have personal data as such clearly differentiated from the third-party information. The second step constitutes a consent mechanism for the protection of the third-party privacy. As stated above, this step is not determinative: where the data controller can demonstrate that it is reasonable in all circumstances to comply with the access request, it is appropriate to disclose the requested information even when the third party has withheld its consent.64 To determine the reasonableness of disclosure without consent, it is crucial to undertake the last step—that is, a balancing of the rights concerned. The British High Court observes in Durant that ‘much will depend, on the one hand, on the criticality of the third party information forming part of the data subject’s personal data to the legitimate protection of his privacy, and on the other, to the existence or otherwise of any obligation of confidence to the third party or any other sensitivity of third party disclosure sought’.65 Wary of devising any principles of general application, Lord Justice Auld stressed the ad hoc basis for the balancing of rights.66 From the RoA to the RtDP The new RtDP and the old RoA have many uncanny similarities. Van de Sloot, for instance, suggests that the right to data portability is ‘partially based on the data subject’s [existing] right to obtain the personal data being processed about them’.67 Both Hustinx68 and Albrecht69 opine that the RtDP is by nature ‘a specification of the present right to require communication of any personal data’—the existing right of access under the European data protection law. This proximity is also reflected in legislative history. As an extension to the RoA, the RtDP was not considered fundamentally new at the beginning. The European Commission stated that the RtDP serves as ‘a precondition and in order to further improve access of individuals …’.70 This perception culminated in the European Parliament’s amendment to the GDPR, in which the RtDP was no longer a freestanding right. As a result, it was removed from the section ‘Rectification and Erasure’ and re-formulated as a component of the RoA under the section ‘Information and Access to Personal Data’.71 Like the way the right to erasure is rebranded as the RtBF, the RtDP initially appeared to be a mechanism for clarifying and enhancing the RoA. However, the two rights are not essentially identical, at least not in the final version of the GDPR. The A29WP acknowledges that the new RtDP is ‘closely related to the right of access but differs from it in many ways’.72 In its opinion, the RtDP complements the RoA by removing ‘the constraint of data format chosen by the controller’.73 Lynskey argues that the two rights should be clearly differentiated. Aside from the format requirement, she particular notes the difference in the scope of application: the RoA potentially applies to all sorts of personal data whereas the scope of portable data is subject to a few limitations under Article 20 GDPR. Similarly, Swire and Lagos disagree with the perception that RtDP is ‘a precondition for further access of individuals’.74 They argue that new RtDP should be recognized as ‘a distinct and new right’ seeing that ‘it goes far beyond existing access requirements’.75 In their view, the data controller is not allowed to narrow down the scope of portability request in a way that they are allowed to do so against an access request.76 Further, controllers bear the additional burden of laying down a technical infrastructure for automatic transmission.77 However, the differences noted above do not stop the two rights from sharing a rule for settling the conflict with rights of others. Similar to Article 20(4), the GDPR entails another Not Adversely Affect rule in Article 15(4), stipulating that the right to obtain a copy of personal data shall ‘not adversely affect the rights and freedoms of others’.78 From privacy to the RtBF The issue of how the RtBF relates to privacy appears to be murky. As a data protection right, one of its main purposes is to ‘protect fundamental rights and freedoms, notably the right to privacy’.79 Sartor observes that the RtBF is ‘an expanded capacity to control personal data with regard to the privacy threats … that did not exist at the time when the DPD was issued’.80 Rubinstein observes that the traditional consent-based model, established in the 1990s, has been greatly challenged by technological advances.81 In an age of big data analytics, the refusal or withdrawal of consent contributes little to the protection of privacy, with personal data de facto controlled by potentially discredited controller. While the controller is not allowed to further process data without a legitimate basis, the risks of data abuse cannot be eliminated by refusing to or withdrawing consent. For that reason, Mayer-Schönberger observes a necessary shift of paradigm from individual consent towards new rights like the RtBF to ‘shape her participation in society’.82 It should be noted that the RtBF is not created purely for the protection of privacy. As Mayer-Schönberger opines, the information power the RtBF enables may be ‘larger than what the concept of informational privacy traditionally entails’.83 In accordance with the GDPR, the RtBF can be exercised regardless of whether privacy-related harm exists or not. However, it is likely that the RtBF is exercised subsequent to or based on the withdrawal of consent, in opposition to access/portability right of others. In this case, the RtBF is exercised mainly for the protection of privacy, and therefore may fit into the subject access framework examined above. The alignment Mirroring the conflict between privacy and access, the issue of the RtBF versus the RtDP can be resolved with a similar solution. In principle, the RtDP should be overridden by privacy of other data subjects. If they choose to exercise the RtBF for the protection of privacy, bringing the two GDPR rights into a conflict, Article 20(4) should be applied in a way that the privacy-protective RtBF overrides the privacy-threatening RtDP. However, the RtDP may prevail in exceptional circumstances in face of the counter-exercise of the RtBF by others and in this regard, several factors should be taken into account. First, this conflict may be technically resolved without a balancing practice. This approach depends on the nature of personal data concerned—whether personal data can be clearly differentiated from the data to be ported. However, as redaction may affect the reusability of personal data, it remains to be explored how GDPR provisions would challenge this technical approach. Secondly, the consent factor appears easier to manage when the two GDPR rights clash against each other. This is because the RtBF is likely to be exercised based on the withdrawal of consent. In this case, the third party may have already indicated the intention of declining any form of further data processing, as well as the exercise of the RtDP. The trickiest part is the balancing of two GDPR rights. While the RtBF can be exercised for the protection of privacy, what the right to data portability is for remains contested. Hence, it remains unclear what exactly sits at one hand of the balancing in opposition to the privacy-protective RtBF at the other end. Invented as a data protection right, the RtDP is also controversially considered as an important mechanism for fostering a competitive market. The right has therefore been substantially reconceptualized in the context of competition law. Swire and Lagos raise the concern that the RtDP is ‘a bad fit with US antitrust and EU competition law’.84 Engels opines that data portability is conducive to competition in limited circumstances.85 Lysnkey is wary of the obsessed attempts to ‘squeeze the GDPR right into a competition law straitjacket’ and she argues that the GDPR right should be ‘decoupled from the competitive logic and given an independent interpretation’.86 This disparity in the nature of data portability does not challenge the validity of the general rule under Article 20(4) GDPR. As Cormack points out, privacy should prevail when the RtDP is by nature a data protection right, and ‘the argument for limiting the right is even stronger if it is designed to address competition issues’.87 Cormack is right when he argues that the RoA and the RtDP pose a threat to privacy.88 However, it can also be argued that the RtDP helps protect privacy through the power of the market, enabling the data subject to switch over to a privacy-friendly service.89 The RtDP is also concerned with individual control over data or informational self-determination, a fundamental value intertwined with protection of privacy. For instance, Zanfir argues that the RtDP amounts to ‘an accentuated right to information self-determination’.90 How these diverse and competing values interplay with each other is debatable. The elusive nature of data portability has created a challenging task of interpretation and implementation for the data controllers, data protection authorities, and the EU courts. Coordinating with CJEU Jurisprudence: the Google Spain Judgment As noted above, the CJEU jurisprudence has developed some parameters for balancing the RtBF with other competing values. This article examines in particular the balancing with economic interests developed in the Google Spain case. In this case, the CJEU recognized a right to prevent formation from being included in a list of search results, what is commonly known as a ‘right to delist’. In essence, such a right corresponds to an attenuated right to be forgotten established based on Article 12(b) DPD.91 The CJEU balanced this right with legitimate interests of economic operators and users at large.92 It established that the RtBF ‘cannot be justified by merely the economic interest which the operator of an engine has in the processing [of personal data]’.93 This economic rationale may fit into the issue of the RtBF versus the RtDP, considering the proprietary nature of data portability iterated by scholars, industry leaders and EU institutions. Tene and Polonetsky have made a convincing case for ‘allowing [users] to engage with and benefit from information already collected, thereby harnessing big data for their own personal usage’.94 They argue that ‘through “featurisation” or “applification” of privacy’, economic benefits may be generated for individuals.95 This idea was endorsed by the European Data Protection Supervisor (EDPS), who suggests that the data portability empowers individuals to ‘benefit from the value created by the use of their personal data’.96 In particular, they can ‘use the data for their own purposes or license the data for further use to third parties, in exchange of additional services, or for cash value’.97 Applying this rationale to the conflict between the RtBF and the RtDP, it is concluded that the RtBF should prevail over the economic interests in most cases, regardless of whether the stakeholder concerned is a person or an entity. The same rule would apply when the individual has been empowered to co-determine the purpose of data processing. However, as noted above, the nature of data portability is highly context-dependent and there may be various underpinnings at the same time. The RtDP can be efficacious for fostering a competitive market and conducive to user autonomy at the same time. A competition-based understanding may downplay the RtDP whereas a human rights-based one would give it more weight.98 Consequently, discrete results can be produced upon different understandings of the RtDP. Conclusion This article flags an emerging but overlooked conflict between two data protection rights—the RtBF versus the RtDP. This conflict is fuelled by a phenomenon of ‘multiple linking’—that two or more data subjects can be easily linked by a same set of data. When data subjects are encouraged to use the new GDPR rights to wrest control over personal data, the conflict is almost inevitable. A survey of GDPR provisions leads to the conclusion that Article 20(4) GDPR serves as the normative basis for resolving the conflict. This article is also consistent with Article 17, indicative of a hierarchical relationship between the RtBF and the RtDP. Since the conflict of GDPR rights mirrors a long-standing tension between access and privacy, this article endeavours to align the GDPR provisions with the principles and case law regarding subject access. The existing framework entails a principle similar to Article 20(4) GDPR, along with a flexible balancing scheme. In a similar vein, it is suggested that the application of GDPR provisions should guarantee some room for a balancing between the RtBF and the RtDP. Data portability has been inconsistently perceived as, among others, a data protection right, a competition concept, an attenuated right to informational self-determination and arguably, a market-based approach to protection of privacy. As a precondition for the balancing of rights, it is, therefore, crucial to first define the nature of data portability in a particular context. In this regard, the economic rationale developed in the Google Spain case can be useful for balancing the two rights where the RtDP is exercised for private economic gain. In this case, this RtDP is very unlikely to prevail over the counter-exercise of the RtBF by another data subject for the protection of privacy. Acknowledgement The author would like to express his gratitude to Professor Christopher Kuner, Dr. Rachael Craufurd-smith, Dr. Paolo Cavaliere, Jiahong Chen, Laurence Diver, and two anonymous reviewers for their invaluable comments and suggestions for the previous drafts. The work was funded by the China Scholarship Council (Ref number: 201608060388). Footnotes 1 Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2012] OJ C102/24. 2 Reg (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1. 3 Dir 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/31. 4 The right under art 17 GDPR is fully referred to as ‘right to erasure (‘right to be forgotten’)’. For simplicity, unless stated otherwise indicated, this article generally refers to the right under art 17 GDPR as the ‘RtBF’ hereinafter. 5 Orla Lynskey, ‘Aligning Data Protection Rights with Competition Law Remedies? The GDPR Right to Data Portability’ (2017) 42 European Law Review 793, 796. 6 Andrew Cormack, ‘Is the Subject Access Right Now Too Great a Threat to Privacy?’ (2016) 2 European Data Protection Law Review 15, 15. 7 Conceptually speaking, there are other types of conflict between data subjects that this article does not cover. The RtDP may be exercised in conflict with the right to rectification (art 16) or the right to object (art 21). Further, the RtBF may clash with the right of access (art 15) or the right to restriction of processing (art 18). 8 Lynskey (n 5) 813. 9 CIPL, ‘Comments by the Centre for Information Policy Leadership on the Article 29 Data Protection Working Party’s Guidelines on the Right to Data Portability’ (2016) accessed 20 January 2018. 10 Luciano Floridi (ed), The Onlife Manifesto: Being Human in a Hyperconnected Era (Springer Open 2015) 2. 11 Ibid. 12 Paul M Schwartz and Daniel J Solove, ‘The PII Problem: Privacy and a New Concept of Personally Identifiable Information’ (2011) 86 New York University Law Review 1814, 1821. 13 Ibid 1820. 14 Ibid. 15 A29WP, ‘Opinion 4/2007 on the Concept of Personal Data’ (WP136, 20 June 2007) 6. 16 Ibid 7. 17 Information Commissioner’s Office, ‘Determining What Is Personal Data’ (v1.1, 12 December 2012) 24–25. 18 A29WP (n 15) 10–11. 19 Schwartz and Solove (n 12) 1817. 20 Lynskey (n 5) 800. 21 Nadezhda Purtova, ‘The Law of Everything: Broad Concept of Personal Data and Future of EU Data Protection Law’ (2018) 10(1) Law, Innovation and Technology 40, 41. 22 Paul De Hert and others, ‘The Right to Data Portability in the GDPR: Towards User-Centric Interoperability of Digital Services’ (2017) Computer Law & Security Review accessed 20 January 2018. 23 Orla Lynskey, The Foundations of EU Data Protection Law (OUP, Oxford 2015) 35–40. 24 Christophe Lazaro and Daniel Le Métayer, ‘Control over Personal Data: True Remedy or Fairy Tale?’ (2015) 12 SCRIPTed 3, 4 accessed 20 January 2018. 25 Jacob M Victor, ‘The EU General Data Protection Regulation: Toward A Property Regime for Protecting Data Privacy’ (2013) 123 Yale Law Journal 513, 515. 26 Daniel J Solove, ‘Privacy Self-Management and the Consent Dilemma’ (2013) 126 Harvard Law Review 1880, 1887. See also Lynskey (n 5) 811–13. See also Omer Tene and Jules Polonetsky, ‘Big Data for All: Privacy and User Control in the Age of Analytics’ (2013) 11. Northwestern Journal of Technology and Intellectual Property 239, 263. 27 For instance, the Google Transparency Report demonstrates that from 28 May 2014 to 20 January 2018, Google has received 2,027,286 requests for search removal, of which 43.3% requested URLs have been removed. 28 Data Protection Directive, art 12(b). 29 GDPR, art 17. 30 Ibid. 31 Giovanni Sartor, ‘The Right to Be Forgotten in the Draft Data Protection Regulation’ (2015) 5 International Data Privacy Law 64, 66. 32 GDPR, art 20(2). 33 GDPR, recital 68. 34 GDPR, art 20(3) and (4). 35 Ibid. 36 A29WP (n 15) 7. 37 Ibid 11. 38 Case C-131/12 Google Spain SL and Google In. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González [2014] ECLI:EU:C:2014:317, para 97. 39 Ibid. 40 Christopher Knight, ‘Manni from Heaven: The Right to Forget Google Spain’ (Panopticon Blog, 11 May 2017) accessed 7 August 2017. 41 Case C-398/15 Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v Salvatore Manni [2017] ECLI:EU:C:2017:197, para 56. 42 Ibid, para 60. 43 David Banisar, ‘The Right to Information and Privacy: Balancing Rights and Managing Conflicts’ (2011) World Bank Institute Governance Working Paper accessed 7 August 2017. 44 Ibid. 45 Ibid. 46 A29WP (n 15) 9. 47 Ibid 12. 48 Ibid. 49 Ibid 12. 50 Lynskey (n 5) 814. 51 CIPL (n 9) 4. 52 DPD, art 13(1)(g). 53 DPA 1998 (UK), s 7. 54 Andrew Cormack, ‘Is the Subject Access Right Now Too Great a Threat to Privacy?’ (2016) 2 European Data Protection Law Review 15, 25–26. 55 Case C-101/01 Bodil Lindqvist [2003] ECR I-12971 (ECLI:EU:C:2003:596), para 83. 56 Durant v Financial Services Authority [2003] EWCA Civ 1746, [2004] FSR 28 [55]. 57 Ibid. 58 Access to Personal Files Act 1987 (UK). 59 Gaskin v UK (1989) 12 EHRR 36. 60 DPA 1998 (UK), s 7(6). 61 Information Commissioner’s Office, ‘Subject Access Code of Practice: Dealing with Requests from Individuals for Personal Information’ (v1.2, 9 June 2017) 37–39. 62 Information Commissioner’s Office, ‘Personal Data of Both the Requester and Others (section 40 FOIA and regulations 5(3) and 13 EIR)’ (v1.1, 21 May 2013) paras 8–10. 63 Dr DB v General Medical Council [2016] EWHC 2331 (QB). 64 ICO (n 61) 38. 65 Durant (n 56), para 66. 66 Ibid. 67 Bart van der Sloot, ‘Do Data Protection Rules Protect the Individual and Should They? An Assessment of the Proposed General Data Protection Regulation’ (2014) 4 International Data Privacy Law 307, 315. 68 Peter Hustinx, ′EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection regulation′ (EDPS, 15 September 2014) accessed 20 January 2018. 69 Jan Philipp Albrecht, ‘DRAFT REPORT on the proposal for a regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)’ COM (2012) 0011 – C7-0025/2012 – 2012/0011(COD). 70 Proposal (n 1) 9. 71 Draft European Parliament legislative resolution on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2017] OJ C378/399. 72 A29WP (n 15) 3. 73 Ibid 5. 74 Peter Swire and Yianni Lagos, ‘Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique’ (2013) 72 Maryland Law Review 335, 369. 75 Ibid 371. 76 Ibid 370–71. 77 Ibid. 78 GDPR, art 15(4). 79 DPD, recital 10. 80 Sartor (n 31) 64. 81 Ira S Rubinstein, ‘Big Data: The End of Privacy or a New Beginning?’ (2013) 3 International Data Privacy Law 74. 82 Viktor Mayer-Schönberger, Delete: The Virtue of Forgetting in The Digital Age (Princeton University Press, Princeton and Oxford 2009) 137. 83 Ibid 108. 84 Swire and Lagos (n 74) 338. 85 Barbara Engels, ‘Data Portability among Online Platforms’ (2016) 5(2) Internet Policy Review accessed 21 January 2018. 86 Lynskey (n 5) 795, 810. 87 Cormack (n 54) 26. 88 Ibid 25–26. 89 Commission Staff Working Paper, Impact Assessment Accompanying the document Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, SEC (2012) 72 FINAL 28. 90 Gabriela Zanfir, ‘The Right to Data Portability in the Context of the EU Data Protection Reform’ (2012) 2 International Data Privacy Law 149, 152. 91 DPD, art 12(b). 92 Google Spain (n 38) para 31. 93 Ibid, para 81. 94 Tene and Polonetsky (n 26) 242. 95 Ibid 268. 96 European Data Protection Supervisor, ‘Opinion 7/2015 Meeting the Challenges of Big Data: A Call for Transparency, User Control, Data Protection by Design and Accountability’ (19 November 2015) 13. 97 Ibid. 98 Cormack (n 54) 26. © The Author(s) 2018. Published by Oxford University Press. All rights reserved. For permissions, please email: journals.permissions@oup.com This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/open_access/funder_policies/chorus/standard_publication_model) TI - A tale of two rights: exploring the potential conflict between right to data portability and right to be forgotten under the General Data Protection Regulation JF - International Data Privacy Law DO - 10.1093/idpl/ipy007 DA - 2018-11-01 UR - https://www.deepdyve.com/lp/oxford-university-press/a-tale-of-two-rights-exploring-the-potential-conflict-between-right-to-j8lS0NL438 SP - 309 VL - 8 IS - 4 DP - DeepDyve ER -