Tietosuojavaltuutetun toimisto (Finland) - 10048/182/20

From GDPRhub
Tietosuojavaltuutetun toimisto - 10048/182/20
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 12(5) GDPR
Article 20(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 02.12.2022
Decided: 22.03.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 10048/182/20
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: Eetu Salpaharju

Finnish DPA held that a feature that allowed the users of an email service to export their emails one by one did not fulfill the data subject's right to data portability under Article 20 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

A registered user of an email service (the data subject) requested their data from the email service provider (the controller) in a structured, commonly used, and machine-readable format pursuant to Article 20 GDPR. The controller denied the request, stating that the data subject could export their emails one by one in an '.eml format'. Furthermore, the controller argued that it is still uncertain whether Article 20 GDPR applies to emails. The controller stated to be in the process of developing an import/export -tool. The tool was not yet available to all users, at the time. The data subject requested the Finnish DPA to investigate whether the controller had fulfilled its obligations under Article 20 GDPR.

The DPA requested an explanation from the controller aiming to understand how the controller facilitated the right to data portability in relation to the email service. Furthermore, the DPA sought to determine whether the controller treated this right differently based on whether the user paid for the service or not.

According to the controller, their intention was to provide data import and export tools for all users. However, due to technical reasons, such as encryption technologies, users had to perform these tasks manually themselves. The controller said to have been working on an automated tool to facilitate mass data export. However, they explained that they were unable to offer it to the entire user base due to technical and development-related challenges. Initially, access to the tool was limited to users with a subscription as a beta version, allowing for testing its stability and functionality on a progressively larger scale.

Following the DPA's request, the tool was made available to free plan customers as well. The version released to them was the same one that had been available to paid customers for over a year.

The data subject argued that the controller intentionally delayed fulfilling its obligations under the GDPR until an investigation by the supervisory authority would be initiated. In the meantime, controller had been generating revenue by charging users for the implementation of rights guaranteed by the GDPR, resulting in financial gain for at least two years.

Holding[edit | edit source]

The DPA held that the controller has violated Articles 20(1) and 12(5) GDPR.

The DPA highlighted that making the automated tool available only for paying customers has practically led to the fact that fully exercising the right to data portability according to Article 20 GDPR has been chargeable. Furtmermore, the DPA considered that the controller had not implemented the data subject's right free of charge as required by Article 12(5) GDPR.

Furthermore, it was noted by the authority that a user of the free plan of the email service can send 150 emails per day. Thus, after just one month of use, the user can have more than 4,000 email messages within the service. Manually exporting messages one by one is slow and transferring all the data would be very time consuming. As a result, the DPA considered that the possibility to export email messages only one by one has practically made it difficult and prevented users from excersising their rights under Article 20 GDPR.

Consequently the DPA issued a reprimand to the controller.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The right to transfer data from one system to another in the e-mail service
Keywords: e-mail
the right to transfer data from one system to another
data subject's rights
Legal basis: decision in accordance with the EU General Data Protection Regulation
Diary number: 10048/182/20
Thing
The right to transfer data from one system to another

Registrar
Email service provider

The applicant's requirements with justification
On December 2, 2020, the applicant has asked the data protection commissioner's office to find out whether the data controller has implemented the applicant's right to transfer data from one system to another in accordance with Article 20 of the General Data Protection Regulation.

The e-mail service of the registrar provides a platform for sending encrypted e-mails to other users of the e-mail service. In addition, incoming e-mails from other services are encrypted with the user's encryption key, which is encrypted with the user's password on the e-mail service's servers.

According to the applicant, free users of the e-mail service have the option to export their messages from the service in EML format one at a time. There are two tools available for paid users, both of which allow you to export messages in bulk.

According to the applicant's view, the data controller should offer these latter tools or similar to free users as well, and exporting messages individually does not meet the requirements of Article 20 of the Data Protection Regulation.

Statement received from the applicant
On 13 November 2020, the applicant has been in contact with the controller and requested to receive his data in a structured, commonly used and machine-readable format in accordance with Article 20 of the General Data Protection Regulation. The applicant has submitted to the data protection commissioner's office the e-mail correspondence he had with the data controller.

In the response sent to the applicant on November 16, 2020, the registrar has stated that the Import-Export tool is not yet ready for free users. The registrar has urged the applicant to take advantage of the opportunity to download the messages individually until then.

The applicant has inquired about the matter again and the controller has stated in the reply sent on November 30, 2020 that the applicability of Article 20 of the Data Protection Regulation to e-mails is not yet completely clear according to the controller's knowledge. According to the registrar, it aims to offer the feature to free users as well, but development requires time and effort. According to the registrar, they cannot commit to having the feature ready within three months.

Statement received from the registrar
The Office of the Data Protection Commissioner has requested an explanation from the data controller on September 26, 2022. The Office of the Data Protection Commissioner has tried to find out how the data controller implements the right to transfer data from one system to another in connection with the e-mail service, according to Article 20 of the General Data Protection Regulation, and whether the data controller implements the right differently depending on whether the data subject pays for the use of the service or not. The registrar has submitted the report within the requested deadline of October 28, 2022.

According to the registrar, its purpose has been to make data import and export tools available to all users. According to the registrar, users have always had the option to manually import and export e-mails and other personal data individually to the platform. For technical reasons, especially encryption technologies, the user had to do this manually himself.

The registrar notes that they have been working on an automated tool for some time to make it easier to export data in bulk. According to the registrar, they have not been able to offer it to the entire user base for technical and development-related reasons. Access to the feature was limited to users with a subscription (beta version) so that its stability and functionality could be tested on an increasingly large scale.

However, according to the registrar, the feature has recently been considered stable enough to be made available to the entire user base. The registrar notes that importing and exporting messages is now also possible for free users.

The controller has confirmed that all users can automatically import and export e-mails in a computer-readable format, and the right to transfer data is not exercised differently depending on whether the user is a paying customer or not.

The applicant's equivalent
The applicant has been given the opportunity on 10.11.2022 to give a response in the case. The applicant has submitted the response on 22 November 2022.

In his reply, the applicant has confirmed that the Import-Export application of the e-mail service is now also available for free users and that it works with free IDs. In his response, the applicant states, among other things, the following:

After two years, the registrar concluded that the tool is indeed stable enough to be allowed even for free users, and this "coincidentally" coincided with the period immediately after TSV's inquiry.

The version of the application that is now available for free users is 1.3.3.

This version has already been available on 2021-08-17 (e.g. [2]), i.e. no changes have been made to the application provided to end users for over a year, and not in this context either.

In my view, the data controller has made a conscious choice to delay fulfilling the requirements under the GDPR until one of the data protection authorities starts investigating the matter. In the meantime, money has been demanded from users for the implementation of the rights guaranteed by the GDPR, so in this case the company has benefited financially from it for at least two years.

A legal question
The Data Protection Commissioner evaluates and decides the case based on the General Data Protection Regulation (EU) 2016/679. The matter has to be resolved:

1. Has the data controller implemented the data subject's right to transfer data from one system to another in accordance with Article 20 paragraph 1 and Article 12 paragraph 5 of the General Data Protection Regulation?

Decision of the Data Protection Commissioner
The controller has not implemented the data subject's right to transfer data from one system to another in accordance with Article 20(1) and Article 12(5) of the General Data Protection Regulation.

Note
The Data Protection Commissioner gives the data controller a notice in accordance with Article 58, Section 2, Subsection b of the General Data Protection Regulation.

The Data Protection Commissioner points out that the possibility given to the applicant to export e-mail messages one at a time has not fulfilled the obligation laid down in Article 20, Paragraph 1 of the General Data Protection Regulation to implement the data subject's right to receive the personal data concerning him/her that he/she has provided to the controller in a structured, commonly used and machine-readable format, and the right to transfer the data in question to another data controller without the interference of the data controller to whom the personal data has been delivered.

The Data Protection Commissioner points out that making the automated tool available only to paying customers has practically led to the fact that fully exercising the right according to Article 20 of the Data Protection Regulation has been chargeable. The Data Protection Commissioner considers that the data controller has not implemented the applicant's right as required by Article 12, paragraph 5, free of charge.

Reasoning
On applicable legislation
Paragraph 1 of Article 20 of the General Data Protection Regulation provides for the right to transfer data from one system to another:

The registered person has the right to receive the personal data concerning him/her that he/she has provided to the data controller in a structured, commonly used and machine-readable format, and the right to transfer the data in question to another data controller without the hindrance of the data controller to whom the personal data has been delivered, if

a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on an agreement pursuant to Article 6(1)(b); and

b) the processing is carried out automatically.

In accordance with Article 12, Section 5 of the Data Protection Regulation, the information submitted pursuant to Articles 13 and 14 and all actions taken and information provided pursuant to Articles 15–22 and 34 are free of charge for the data subject. If the data subject's requests are obviously unfounded or unreasonable, especially if they are presented repeatedly, the data controller can either

a) charge a reasonable fee, taking into account the administrative costs of providing the information or messages or carrying out the requested action; or

b) refuse to perform the requested action.

In these cases, the controller must demonstrate the obvious groundlessness or unreasonableness of the request.

Applicability of the right to e-mail messages processed in the e-mail service
In the reply sent to the applicant on November 30, 2020, the controller has stated that, according to the controller's knowledge, the applicability of the right according to Article 20 to e-mails is not yet completely clear.

On 13 December 2016, the Article 29 data protection working group (WP29), which precedes the European Data Protection Board, published instructions on the right to transfer data from one system to another. The instructions contain several examples that explicitly refer to email service providers. Instructions on the application of the right have therefore been available several years before, when the applicant has been in contact with the controller.

WP29 has considered in the above-mentioned guideline that the right to transfer data from one system to another covers data consciously and actively provided by the data subject as well as personal data generated by his activities. The data protection commissioner considers that the e-mail messages sent and received in the e-mail service are information provided by the applicant and generated from his activities, which concern the applicant.

The data protection statement of the registrar states that the processing of information about the service's account is based on the user's consent. The Data Protection Commissioner also considers that the processing of personal data in connection with the e-mail service is automatic in the sense of Article 20 paragraph 1 subparagraph b. Based on the aforementioned grounds, the Data Protection Commissioner considers that Article 20 of the Data Protection Regulation applies to the personal data in question.

About transferring data one at a time
Paragraph 1 of Article 20 regarding the transfer of data states that the data subject has the right to transfer the relevant data to another data controller without the hindrance of the data controller to whom the personal data has been delivered. The controller must therefore not prevent or make it difficult to transfer data. As WP29 has stated in its guidance on Article 20, the purpose of the right is to increase data subjects' influence over their own personal data, as it "facilitates the transfer or copying of personal data from one information system environment to another".

The user of the free version of the e-mail service can send 150 e-mails per day. Thus, after just one month of use, the user can have more than 4,000 e-mail messages in the service. Manually exporting messages one by one is slow and results in transferring all the data would be very time consuming. It can therefore be considered that the possibility to export e-mail messages only one at a time has practically made it difficult and prevented users from transferring their personal data. The Data Protection Commissioner considers that the data controller has not implemented the applicant's right to transfer data from one system to another in accordance with Article 20, Paragraph 1 of the General Data Protection Regulation.

About the fee for exercising the right
According to the registrar's report, the use of the automated tool was limited to paying users in order to test the stability and functionality of the service.

The data protection commissioner points out that the matter concerns the implementation of the right of the registered person stipulated in the data protection regulation. As a general rule, exercising the rights must be free of charge for the data subject. Making the automated tool available only to paying customers has practically led to the fact that fully exercising the right according to Article 20 of the Data Protection Regulation has been chargeable.

If the data controller considers that the data subject's request is manifestly unfounded or unreasonable in accordance with Article 12, paragraph 5, it can either charge a reasonable fee or refuse to perform the requested action. The controller must demonstrate the obvious groundlessness or unreasonableness of the request. In the present case, the data controller has not demonstrated why the applicant's request was obviously unfounded or unreasonable.

The Data Protection Commissioner considers that the data controller has not implemented the applicant's right as required by Article 12, paragraph 5, free of charge.

Applicable legal provisions
Those mentioned in the justifications

Appeal
According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019). The appeal is made to the administrative court.

Service
The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt.

The decision was made by the data protection commissioner Anu Talus.