Is the GDPR and its Right to Data Portability a Major Enabler of Citizen
Citizen science is an emerging trend with an ever greater number of adherents. It involves the
collection and contribution of large amounts of data by private individuals for scientific
research. Often such data will concern the individuals themselves and will be collected
through processes of self monitoring. This phenomenon has been greatly influenced by the
Internet of Things (IoT) and the connectivity of a wide range monitoring devices through the
internet. In collecting such data use will often be made of the services of various commercial
organisations, for example that offer cloud storage services. The possibility of data
portability is extremely important in citizen science as it allows individuals (or data subjects)
to be able move their data from one source to another (i.e. to new areas of scientific
research). This article explores the limits and possibilities that legal rights to data portability
offer, in particular the new right as outlined by the European Union's General Data
Protection Regulation. In doing so this article will look at where this right (and how it
operates in the international legal context) is able to facilitate the phenomenon of citizen
The amount of data in existence that can be used for research is increasing in an exponential
fashion. Similarly, the ability of individuals (both technically and legally) to to collect,
assemble and deliver their data for research purposes is also increasing. These developments
have boosted movements and attitudes that have often been termed as citizen science. This
movement relates broadly to the idea that individuals can play an active role in collecting
personal data and providing it for scientific research. In doing so it is argued they are able to
boost the chances that certain types of research may occur. Central to the concept of citizen
science is the idea that data should be portable, i.e. that individuals should be able to transfer
their data from various sources to research institutions.
This article looks at the phenomenon from a legal perspective, focusing on the the
role data portability as a legal right has to play in boosting this movement. In particular, it
will focus on the right of data portability as described in the EU's recent General Data
Protection Regulation (the GDPR). In doing so it will look at how the GDPR facilitates the
right of data portability throughout the European Union, and potentially to jurisdictions
beyond its borders. The ability of individuals to use this right to have their personal data
transferred from existing data controllers to research institutions may allow initiatives
associated with concepts of citizen science to prosper. As this article discusses however there
are a number of aspects concerning the formulation of this right within the GDPR that may
serve to lessen its impact.
Section 2 of this article discusses the concept of citizen science and why it has been
growing in prominence in recent times. Section 3 discusses the importance of data portability
to citizen science. Section 4 will look at how, on the one hand the GDPR introduces a right of
data probability and how it offers potential for individuals interested in participating in citizen
science based initiatives and on the other, it leaves areas of data processing that will not be
subject to the right of data portability and the likely effects this may have on citizen science.
Section 5 analyses what the limited application of the 'right to data portability to limited legal
bases for the processing of personal data is likely to mean. Section 6 discusses the likely
territorial application of the right to data portability and its implications for citizen science
initiatives to op-operate on an international level.
2. Citizen Science as a Growing Phenomenon
Citizen science is not a new phenomenon but it is certainly a growing trend that is allowing
important changes in the way scientific research is occurring.1 Prominent examples of citizen
science go back hundreds of years, including for example a prominent experiment in 1830s
Britain that involved hundreds of members of the public to monitor 650 different costal
locations.2 Whilst there are numerous other examples in the intervening period of the use of
large groups of private individuals to coordinate and execute the collection of data for
experimental purposes the phenomenon of citizen science had been greatly boosted in recent
times. This is due to developments in the both the digitization of personal data and the ability
to coordinate and share such data that have come with the development of the online web and
social media.3 This is primarily for two reasons. First, the digitisation of personal data allows
individuals to record and organise their data in ways that were not previously possible. This
includes the capture of new forms of data (though the Internet of Things (IOT) and devices
such as 'wearables') and the ability to store and organise it more efficiently e.g. using mobile
phones, powerful personal computers and online storage. Second, online connectivity,
including through social media platforms allows data subjects to contact each other and
researchers. This allows the formation of groups who have the desire to promote scientific
research certain areas through the collection, organisation and sharing of personal of data
concerning a particular issue. These developments have allowed individuals to come together
and pool potentially interesting data in ways that was not previously possible. Individuals
may for example be able to learn through social media that there are others that share health
issues that requires further research. Using wearables and access to electronic health records
individuals for instance can in theory pool large longitudinal data sets that are potentially
interesting to researchers.4
Such endeavours are seen as being conducive to research in potentially different ways
with visons of what actually constitutes citizen science that vary in breadth and scope.5 A
narrower view sees an important role for groups of engaged individuals to be able to respond
to open calls by researchers to come forward with data on a particular issue. In such a vision
researchers remain both the inspiration and architects of the research programme that is to be
carried out. They may conceive of the need for it and design the experiment in question,
appealing to individuals to come forward with useful data that they have collected in order to
allow the experiment in question to be carried out. In such a scenario the data subject can be
thought of as a benevolent form of 'free labour'; that makes itself available to a research
project in order to further its aims.
1 DEVICTOR, V., WHITTAKER, R. J. & BELTRAME, C. 2010. Beyond scarcity: citizen science programmes
as useful tools for conservation biogeography. Diversity and Distributions, 16, 354-362.
2 MADISON, M. 2014. Commons at the Intersection of Peer Production, Citizen Science, and Big Data:
Galaxy Zoo. In: FRISCHMANN, B., MADISON, M. & STRANDBURG, K. (eds.) Governing Knowledge
Commons. Oxford University Press.
3 NEWMAN, G., WIGGINS, A., CRALL, A., GRAHAM, E., NEWMAN, S. & CROWSTON, K. 2012. The
future of citizen science: emerging technologies and shifting paradigms. Frontiers in Ecology and the
Environment, 10, 298-304.
4 PURCEL, R. & ROMMELFANGER, K. 2017. Biometric Tracking From Professional Athletes to Consumers.
The American Journal of Bioethics, 17, 72-74.
5 SILVERTOWN, J. 2009. A new dawn for citizen science. Trends Ecol Evol, 24, 467-71.
A broader and perhaps more ambitious conception of citizen science sees the citizen
as the true master of the research in question (i.e. in place of the research institution). In such
a vision, it is the citizen (i.e. the data subjects themselves) who through networking and
discussion see the need for research to be conducted in a certain area.6 It is their ability to
collect, store and collate the data that they see as being useful that provides them with the
power to induce certain forms of research.7 In being able to create such pools of data they are
able to attract researchers who may find the research opportunity it presents to be attractive.
The ability to collect, store, collate and transmit such data to interested researchers represents
a source of power for citizen scientists potentially allowing them collectively bargain with
competing research institutions and and ensure that the type of research they want occurs. 8
This latter interpretation of citizen science sees the individual lay person acting more out of
self-interest (rather than a sense civic virtue) and through the power that comes of grouping
with other similarly minded individuals, deciding what research is to take place (in place of
the professional scientist and the institution he or she is attached to).
Of course, these points exist on a spectrum at either end of potential manifestations of
citizen science. There are many manifestations that are possible between the two and many
that may share elements of both. Individuals may for example become citizen scientists both
out of self interest and a a result of a sense of civic duty.9 Similarly it may well be difficult in
reality to draw a clear line in discerning whether research is proposed and conducted because
of the availability of data through active citizen science or whether such citizen scientists are
mobilised in response to institutional calls for research data. Whatever the particular
manifestation there are a number of criteria that must be met in order for citizen science to
occur. These include, the ability to record data, the ability to store it, the ability to access it,
and that it is portable (i.e. that it can be transferred to a research institution). The importance
of transferability or portability is discussed below.
3. The Importance of Data Portability to Citizen Science.
(i) The Need for Both 'Interoperability' and 'Transferability'
All of the requirements described above (i.e. the ability to record and observe) are without
doubt indispensable for citizen science to occur. Even if they are fulfilled however the ability
to transfer (or share) data (i.e. that it is portable) is a sina qua non for citizen science to
occur. Even if individuals are able to record and store their data, practicing citizen science
will not be possible in situations where individuals and groups of individuals are not able to
transfer useful personal data to interested researchers. The same goes if data subjects are
simply provided with access to their personal data by a data controller (imagine for example
the provider of a mHealth service). Access alone to personal data (a well established right in
6 One of the most important areas for citizen science that is not focused upon in this paper is within ecology
and environment projects. See: BONNEY, R., COOPER, C. B., DICKINSON, J., KELLING, S., PHILLIPS, T.,
ROSENBERG, K. V. & SHIRK, J. 2009. Citizen Science: A Developing Tool for Expanding Science
Knowledge and Scientific Literacy. BioScience, 59, 977-984. KELLING, S., FINK, D., LA SORTE, F. A.,
JOHNSTON, A., BRUNS, N. E. & HOCHACHKA, W. M. 2015. Taking a 'Big Data' approach to data quality in
a citizen science project. Ambio, 44 Suppl 4, 601-11.
7 EVANS, B. J. 2017. Barbarians at the Gate - Consumer Driven HEalth Data Commons and the
Transformation of Citzen Science American Journal of Law & Medicine, 42, 651-685.
8 For further discussion on this see an article publish on the online site 'The Conversation entitled " Expanding
citizen science models to enhance open innovation" available at:
9 MORRIS, M. E. & AGUILERA, A. 2012. Mobile, Social, and Wearable Computing and the Evolution of
Psychological Practice. Prof Psychol Res Pr, 43, 622-626.
data protection law)10 may mean little if it if it does not equate to a possibility to transfer data
to a researchers for further analysis. 11 Rights of access to one's personal data as is
traditonally found in data protection may not be sufficient to fully facilitate citizen science.
This is because to ensure portability two important elements are required, elements that may
not be present in tradtional rights to access data. The most important of these elements are
A Requirement of Interoperability -A right to access for instance may not not provide a right
to receive personal data in a form that is 'interoperable' with the processing systems of
another potential controller, including those of a potential researcher institution. This was for
example the situation with the right to access in the EU Data Protection Directive (95/46/EC).
Providing data in a form that is 'intelligible' to the data subject does not entail providing data
in a form that is functionally readable by other controllers. 'Intelligible' would rather seem to
refer to the ability of humans to be able to comprehend the data that is provided (and does not
refer to interoperability with other processing systems).12 Intelligible can thus best be thought
of as a duty to provide data, even if complex in some manner that will allow human data
subjects to comprehend it in terms of it what can be deduced from it. In modern information
society where data sets may be enormous and complex, this may in reality translate into a
duty to effectively summarise the data in 'human readable format' so that the data subject can
understand it. Providing data in its raw form would be unlikely to meet a duty to provide
intelligible data, largely because it would be meaningless to the data subject (largely because
such data would be stored in a way that is machine readable). In this regard the right to access
found in the GDPR certainly goes further than the Directive 95/46/EC does stating: 13
"The controller shall provide a copy of the personal data undergoing processing. Where the data
subject makes the request by electronic means, and unless otherwise requested by the data subject, the
information shall be provided in a commonly used electronic form."
Whilst a requirement of providing personal data in "a commonly used electronic form" goes
far further in providing requirements in terms of interoperability (see further discussion in
section 4), it still provides arguably little in terms of direct transferability (discussed below)
A Duty to Facilitate a Data Transfer – A Right to Access does not provide any any right to
have data transferred to a third party, including a research institution. Transferability is
important because it places the responsibility of data transfer with the data controller and not
the data subject. This is important for a number of reasons.
Perhaps most importantly the data controller is likely to have a higher level of
technical ability and experience than the data subject. It may have numerous personnel other
organizational strengths (in comparison with an individual data subject). It may also
importantly possess a key advantage in terms of economies of scale. This is because a single
service provider, especially if it is a large one with a key position in the market, may receive
10 That data subjects might want access to their data is something that has been long recognised in data
protection. The original European Data Protection Directive (95/46/EC) Data Protection (in recital 41)
recognised a right of data subjects to access their data stating: "Whereas any person must be able to exercise the
right of access to data relating to him which are being processed, in order to verify in particular the accuracy of
the data and the lawfulness of the processing; whereas, for the same reasons, every data subject must also have
the right to know the logic involved in the automatic processing of data concerning him, at least in the case of
the automated decisions…)"
11 HUNTER, P. 2016. The big health data sale: As the trade of personal health and medical data expands, it
becomes necessary to improve legal frameworks for protecting patient anonymity, handling consent and
ensuring the quality of data. EMBO Rep, 17, 1103-5.
12 Article 29 Working Party Guidelines on the right to data portability. WP242 (13 December 2016) p14.
13 GDPR Article 14(3)
many requests from individuals who whish that their data is transferred to a particular
research institution. In such a context it will likely be a far more simple affair for one or a few
data controllers to contact and liaise with a particular research institution (than it would be for
thousands of data subjects). In such a manner discerning the necessary technical and
organizational arrangements that must be made in order to facilitate transfer is likely to be far
more efficient. An alternative scenario whereby research institutions had to liaises
individually with every data subject on technical adjustments that would have to be made in
order to facilitate transfer would in reality entail many more technical discussions between
research institutions and individual research subjects. Furthermore, such discussions would
likely be much more difficult given that individual research subjects would not be likely to
possess the same technical knowledge or abilities. The ability of data subjects to comply with
the technical requirements for transfer posed by the research institution are likely to be much
less than it would be for a large data controller. Alternatively, whilst research institutions
might in certain circumstances be willing to take on the all the responsibility themselves for
making data compatible for their research ends, the ability to do so would be severely
reduced where all data is provided by research subjects on a completely individual basis. In
such instances data may vary in format or even the method in which it is delivered (e.g. by
online file transfer, by DVD or by email). Taking on such variability would represent a costly
affair that could well hamper research. The ability therefore to deal with one or a few data
controllers who would transfer numerous data sets would be advantageous and encourage
research institutions to engage with citizen science initiatives.
4. The GDPR and its Right to Data Portability.
In what may be seen as an advance for the concept of citizen science the GDPR includes a
new right to data portability. Article 20 states:
"The data subject shall have the right to receive the personal data concerning him or her, which he or
she has provided to a controller, in a structured, commonly used and machine-readable format and
have the right to transmit those data to another controller without hindrance from the controller to
which the personal data have been provided."
There are two things that are immediately apparent and of potential relevance to this paper.
The first is that there is a right to receive code in a 'machine readable format' (also found with
the GDPR's strengthened 'right of access''.14 This appears to supplement the GDPR's right to
access (discussed above) and link it firmly with a right to data portability. This is important
from the perspective of interoperability of the data in question and thus increasing the
chances that it can be used for the purposes of scientific research. The second is that is
bestows the right upon a data subject of asking for direct transfer to another controller. As
section 3 discusses this requirement is important from the perspective of citizen science given
that for a number of reasons, it may often be the original data controller and not the data
subject who is best placed to execute the transfer of data. Article 20 can therefore be thought
of as improvement of the situation vis-à-vis the needs of citizen scientists. As the following
pages of this paper will discuss, this will facilitate citizen science activities in a number of
areas and should therefore be welcomed. At the same time there are however a number of
important elements that will likely serve to limit the ability of individuals and researchers to
use this article to further citizen science. The most important are summarized in the sections
14 GDPR Article 14(3)
Limits to the concept of 'machine readable'
Whilst the concept of 'machine readability' might sound promising it is important not to read
it in too expansive a maner. In particular a duty upon data controllers to produce machine
readable data to not entail an obligation to make such data compatible for all purposes that
might be desired. As the Article 29 Working Party points out "portability aims to produce
interoperable systems not compatible systems".15 The latter (i.e. compatibility) would entail
an obligation upon the data controller to ensure that the data provided was directly
compatible with the intended purposes and processing systems of the proposed new controller
(to whom the data was to be passed). Although such a vision would make things easier for
both the data subject and the new controller (who would receive data that would be directly
ready for use) this would represent a heavy (if not impossible burden) on the original
controller.16 This is because all of the burden in terms of ensuring compatibility would fall
almost entirely upon that original controller. This would entail ensuring that the data that was
being transferred was completely compatible (i.e. ready to use) with whatever processing
systems were being used by the new controller. Given that there could be numerous different
formats and systems used by a new controller this would effectively mean a duty to modify
and tailor data to the needs of any data controller that a data subjected demanded transfer to.
Such a duty would likely act as a deterrent to data processing in general given that data
controllers would have to ensure that they had the capacity (in terms of both personnel and
technical expertise) to make such modifications if they were demanded.
It is for such reasons that a duty of 'compatibility' of transferred data is not realistic. It
also explains why the Article 29 working party emphasized that Article 20 of the GDPR
amounted to a duty of 'interoperability'.17 This represents a lower threshold and consequently
poses less of a burden on the original data controller. Such a duty represents a shared burden
where not only the original data controller but also the new one (a research institution in this
context) would have to make efforts so as to ensure compatibility. This is because
interoperability is normally taken as referring to a a duty to use one of a number of
commonly available formats.18 Although such formats may not be directly compatible with
the processing systems of a new controller they should be in such a form that that new
controller will be able to work upon and make compatible. Interoperability thus entails work
for both the original controller, who must ensure that the data meets such a format and for the
new controller who will have to further process the data into a new form that is compatible
with its desired purposes. Such a duty can not thus be considered as representing a maximum
facilitation of citizen science though it may however be a more realistic requirement. This is
because Article 20 will still entail a large amount of work on behalf of a research institution
from to make data compatible. Given that this will require resources that research institutions
15 Article 29 Working Party Guidelines on the right to data portability. WP242 (13 December 2016)
16 As the Article 29 Working Party guidelines state (p13): Given the wide range of potential data types that
could be processed by a data controller, the GDPR does not impose specific recommendations on the format of
the personal data to be provided. The most appropriate format will differ across sectors and adequate formats
may already exist, but should always be chosen to achieve the purpose of being interpretable. Formats that are
subject to costly licensing constraints would not be considered an adequate approach.
17 Recital 68 of the GDPR states: "The data subject's right to transmit or receive personal data concerning
him or her should not create an obligation for the controllers to adopt or maintain processing systems which are
18 As the Article 29 Working Party guidelines state (p15) "As such, data portability implies an additional layer
of data processing by data controllers, in order to extract data from the platform and filter out personal data
outside the scope of portability (such as user passwords, payment data, biometric patterns, etc.). This additional
data processing will be considered as an accessory to the main data processing, since it is not performed to
achieve a new purpose defined by the data controller."
do not always have, it may arguably in some instances discourage their willingness to engage
in projects that involve citizen science and article 20 requests for data portability.
A Right of Transferability Only Applies to Personal data
Another important caveat that should be placed on the right of data portability as described
by the GDPR is that it applies only to personal data as provided by the data subject. This can
be split into two separate requirements i.e. (i) that the data be personal in nature and (ii) that it
be provided by the data subject.
Requirement (i) may appear self evident given that the GDPR in general only applies
to personal data. It would therefore be bizarre to expect that a right of data portability as
described in the GDPR could be applied to data that was not of a personal nature. Despite
being self evident this limitation nonetheless has some important implications. It means for
example that any data that has been anonymized does not fall under such a right. This
includes for example data that although anonymous may have been derived using personal
data (that may have been subsequently deleted). Even though such data may have been
derived from their personal data, a data subject will have no right to demand that such data be
transferred to another controller for purposes of scientific research.19
Requirement (ii) applies to data that may even be personal in nature. It places a limit
on the types of personal data that are subject to the right under Article 20 to the data that the
data subject has himself provided. This importantly excludes all other forms of secondary
personal data that has been derived from further processing. This will include for example the
results of various forms of analysis that have been performed on the original data that had
been provided by the data subject. Such a limitation exits inter alia to protect the commercial
secrets and strategies of commercial data processors who may have developed innovative
forms of data analysis.20 This exception however is likely to limit the application of the right
to data portability in a number of areas that could be of interest from the perspective of
citizen science. Imagine for instance the analysis of lifestyle data or the data that had been
provided by data subjects through wearable or other IoT devices. Such analysis could have
enormous research potential. Indeed, it may be such analysis (and not simply the storage of
the data) that represents the unique selling point of many data monitoring or storage
services.21 Imagine a commercial organization for example that offers fitness enthusiasts the
ability to (though wearable devices) monitor and upload their data to a cloud service and have
various forms of analysis provided to them concerning their performance and ways in which
they may be able to improve Such analysis may provide data subjects with knowledge and
useful perspectives that might not be apparent from the data alone. Such data may for similar
reasons also be appealing from the perspective of citizen science. The analyses performed on
such primary data may furthermore be highly innovative in nature and not easily repeatable
by other parties (for this reason it may often be considered a commercial secret), including by
researchers and research institutions. An assumption therefore that research institutions
maybe able to perform such an analysis may be misplaced (particularly for example when
one compares the relative resources and technical expertise of certain multinational data
controllers (e.g. Google, Amazon etc.) and those possessed by individual research
19 Recital 26 of the GDPR confirms that the regulation in general does not apply to anonymized data.
20 LAGOS, L. 2013. Why the Right to Data Portability Likely Reduces Consumer Welfare- Antitrust and
Privacy Critique. Maryland Law Review, 72, 341-380.
21 PURCEL, R. & ROMMELFANGER, K. 2017. Biometric Tracking From Professional Athletes to
Consumers. The American Journal of Bioethics, 17, 72-74. LUPTON, D. 2016. The Quantified Self, John Wiley
& Sons, SWAN, M. 2013. The Quantified Self: Fundamental Disruption in Big Data Science and Biological
Discovery. Big Data, 1, 85-99.
institutions).22 Even if it were possible, it might entail the use of resources that may not in
reality be at the disposition or particular research institutions. As a result of this the lack of
applicability of article 20 of the GDPR to such data means that data subjects will not be able
to use it to invoke the transfer of various forms of data that could be particularly valuable for
It should be noted that this issue does not only apply to commercial service providers
in the area of fitness/lifestyle data but also controllers in a number of other important areas
also.23 This could include the providers of various medical or healthcare services that involve
the analysis of personal data. Imagine for instance medical clinic or institution that performed
various analytic techniques to draw conclusions on the health status of individuals. This could
be through an analysis of their medical records or data taken from various monitoring
devices. Once again, although such data could in theory be useful for scientific research it
will not be covered by the the right to data portability. The same would also apply to other
data that could be useful for research purposes including relating to social media.24 Such data
is the subject of constant and complex analysis for commercial reasons such as improving
targeted advertising. Such analysis may involve the discovery of correlations and
relationships that would be of immense interest inter alia to those interested in scientific
research given the potential links with areas ranging from medicine to sociology to
economics. Such data will not however be covered by article 20 GDPR.
5. The Importance of the Grounds for the Processing of the Data in Question.
(i) Grounds for Processing to Which Article 20 GDPR is Applicable
Article 20 is also limited given that it only applies to data that is processed on the basis of
two (of the many) grounds that are described in the GDPR. These cover data that is processed
after obtaining the "express consent" of the data subject or alternatively that the processing
was "necessary for the performance of a contract to which the data subject is party or in order
to take steps at the request of the data subject prior to entering into a contract".25 These
grounds will cover some but by no means all of the potential types of personal data that might
be thought to be of use to citizen scientists. The first may for example cover the types of
relationship described above where individuals agree through formalized processes of
consent to provide their data so as to have it stored and or further processed. This could
include for instance lifestyle monitoring services or certain forms of processing related to
healthcare (where consent is the basis for processing - see discussion in (ii) below)). It may
also interestingly include data that had previously been provided to researchers or scientific
institutions precisely for the purpose of research (again where consent was the legal basis for
processing - see discussion in (ii) below). Imagine for instance where a data subject had
22 HUNTER, P. 2016. The big health data sale: As the trade of personal health and medical data expands, it
becomes necessary to improve legal frameworks for protecting patient anonymity, handling consent and
ensuring the quality of data. EMBO Rep, 17, 1103-5.
23 MURDOCH, T. & DETSKY, A. 2013. The Inevitable Application of Big Data to Health Care. Journal of
the American Medical Association, 309, 1351-1352, BELLAZZI, R. & ZUPAN, B. 2008. Predicitive data
mining in clinical medicine: current issues and guidelines. International Journal of Medical Informatics, 77, 81-
24 MORRIS, M. E. & AGUILERA, A. 2012. Mobile, Social, and Wearable Computing and the Evolution of
Psychological Practice. Prof Psychol Res Pr, 43, 622-626.
25 In terms of "consent", there is in is reality two legal grounds given that there are two type of consent
foreseen in the GDPR. The first is the "unambiguous informed consent" described in Article 6(1) that applied to
the use of personal data in general. The second is explicit consent for the use of special forms of data (e.g. health
data) described in Article 9(2).
consented to provide his or her medical, socioeconomic or other data to a research project in
the past. Given that such data may conceivably be of interest to other subsequent research
projects at other institutions it is possible that data subjects might want to make use of the
their rights under article 20 to transfer their data in order to facilitate research. The reuse of
research data is indeed something that has been encouraged more and more in recent years
(with the term 'recycling' often being used in a metaphor that seemingly sees not using 'old
data' as being wasteful).26 Such reuse of old research data could be seen as being compatible
with many of the aims of citizen science.
With regards to to the second ground discussed above one can imagine various
contracts that may have been concluded with various organizations to provide services or
deliver physical products. Imagine for instance streaming services for movies or music,
online stores such as Amazon etc. Whilst such information may appear banal viewed from the
perspective of a single individual, on a larger scale (i.e. where such data is available for many
individuals) it may provide extremely useful research material, allowing important
information relating to socioeconomic factors or even health status. Article 20 thus provides
the option of transferability for such data.
(ii) Grounds for Processing that Are Not Covered by Article 20
The two grounds discussed above, though important, represent only two of many potential
grounds for processing described within the GDPR. This essentially means that many types
of processing that are permitted under the GDPR will not be covered by the right to data
portability. Whilst a full consideration of the relevance of all such types of data processing to
citizen science is beyond the scope of this paper27 some potentially striking examples (given
their obvious relevance to research) are immediately obvious and are discussed below.
Processing is necessary for the purposes of preventive or occupational medicine - Whilst the
processing of health data is possible on the basis of explicit consent, this is not the only, or
perhaps the most important grounds for the processing of such data within the healthcare
sector.28 This is because there exists another legal basis that permits the processing of heath
data for processes of occupational medicine. The equivalent provision within Directive
95/46/EC (which has seemingly been widened within the GDPR)29 was traditionally used to
process medical data within the bounds of an ongoing treatment relationship with an
officially recognised medical professional who was subject to rules on confidentiality.30 Such
a ground has been traditionally used to process patient data in ways that were required as a
result of continued treatment within a particular practice or institution. It is such an exception
26 DYER, C. 2007. Stringent constraints on use of patients' data are harming research. British Medical
Journal, 335, 1114–1115, KAYE, J. 2012. The Tension Between Data Sharing and the Protection of Privacy in
Genomics Research. Annual Review of Genomics and Human Genetics, 13, 415–431, MURDOCH, T. &
DETSKY, A. 2013. The Inevitable Application of Big Data to Health Care. Journal of the American Medical
Association, 309, 1351-1352.
27 Numerous grounds for the processing of sensitive and non-sensitive data are described in articles 6 and 9 of
28 QUINN, P., HABBIG, A., MANTOVANI, E. & DE HERT, P. 2013. The Data Protection and Medical
Device Frameworks ? Obstacles to the Deployment of mHealth across Europe? European Journal of Health
law, 20, 185-204, MANTOVANI, E. & QUINN, P. 2013. mHealth and data protection – the letter and the spirit
of consent legal requirements. International Review of Law, Computers & Technology,
29 This ground currently exists in Article 9(2) of the GDPR.
30 Article 29 Data Protection Working Party. 2007. Working Document on the Processing of Personal Data
Relating to Health in Electronic Health Records (EHR), 00323/07/EN WP 131.
that allows a patient's data to be further processed without having to continuously re-obtain
consent, something which would be extremely laborious in large institutions. The practical
value of such a grounds for processing is that medical professionals and institutions do not
have to continuously ask patients for consent to process their data each time they have a new
consultations or undergo a new procedure. The availability of this pragmatic and frequently
used ground for processing means that an enormous quantity (if not most) personal medical
data is processed in such manner. Given that article 20 does not apply to processing
performed using such grounds this means that large quantities of health data may not be
subject to requests for transfer to a third party.
This may be unfortunate for citizen science enthusiasts given the potential for
research use of such data.31 Patient health records for example may go back years and contain
data on health, lifestyle and socioeconomic factors that are extremely useful for research.32
The fact that article 20 does not apply to such data does not mean of course that it can not be
used for research. There is nothing to stop researchers requesting the data in question from
healthcare providers and indeed from such providers providing the data (if they so wish).
They can not however be compelled to transfer such data, ether by the data subject or the
research institution. Likewise patients will still enjoy a right of access to their medical data
and will be able to receive a copy and then transfer it themselves to researchers or a research
institution. This however is subject to the many practical difficulties discussed in section 3
and must be considered to be an inferior option (in terms of facilitating citizen science at
Processing is necessary for archiving purposes in the public interest, scientific or historical
research - Data used in and produced by scientific research may often be suitable for use in
subsequent research. To a certain extent it could be argued that there is a role for citizen
science in facilitating such reuse. This could occur for example were groups of research
subjects are able to demand that their research data be passed to further institutions for further
research. As discussed above, where the processing of such data was based upon consent this
may be possible. As with the processing of data for medical purposes however, whilst consent
is an important grounds for for processing of personal data by researchers or research
institutions, it is by no means the only one. This is because Article 9(2) of the GDPR also
provides that 'Scientific Research' is itself a valid ground for the processing of personal data.
There are therefore two grounds that exist in the GDPR for those wishing to conduct
scientific research. The former (i.e. consent) may often be seen as appealing from an ethical
perspective (indeed it may often be demanded by ethics bodies based at research institutions.
It does entail however a number of disadvantages.33 These notably include the administrative
complexity of organizing (the creation, dissemination and storage) consent forms, the
potential difficulty in tracing all data recipients, instances where data subjects may not
possess the capacity to give consent (e.g. the young or those with a lack of cognitive
capacity). Given these issues consent may often not be feasible and in suitable circumstances
31 TENE, O. & POLONETSKY, J. 2013. Big Data for All- Privacy and User Control in the Age of Analytics.
Northwestern Journal of Technology and Intellectual Property, 11, 239-274. JENSEN, P., JENSEN, L. &
BRUNAK, S. 2012. Mining electronic health records: towards better research applications and clinical care.
Nature Reviews Genetics, 13, 395-405
32 MURDOCH, T. & DETSKY, A. 2013. The Inevitable Application of Big Data to Health Care. Journal of
the American Medical Association, 309, 1351-1352, JENSEN, P., JENSEN, L. & BRUNAK, S. 2012. Mining
electronic health records: towards better research applications and clinical care. Nature Reviews Genetics, 13,
33 QUINN, P. 2017. The Anonymisation of Research Data — A Pyric Victory for Privacy that Should Not Be
Pushed Too Hard by the EU Data Protection Framework? European Journal of Health Law, 24, doi
(where important conditions are met) researchers may process personal data without the
consent of those involved. Where this is the case researchers may, if a number of conditions
are met, process personal data for scientific research without consent.34 This legal basis for
processing is often useful in large research projects that depend upon the use of extremely
large data sets (e.g. potentially harvested from electronic health records) and where obtaining
consent would not be feasible.
6. Transfer Outside of the EU
The world of modern research is truly global. The availability of online connectivity and the
ability to share information means that individuals may want, and be able, to share their data
with research institutions that are not located close by in physical terms. Such potential for
worldwide collaboration increases the chances that individuals or groups of individuals may
be able to find a research institution that could perform useful research on their data.35
Conversely, where individuals are restricted to small geographic areas or alternatively certain
legal jurisdictions, the chances of such a 'fit' between potential research subjects and
institution is reduced.
The good news (for advocates of citizen science) is that the one of the raisons d'être is
actually to facilitate the sharing of data over a wider area. It has for instance, as one of its
main aims, the facilitation of the sharing of data throughout the EU. Indeed, as the GDPR
itself states, it "seeks to harmonise the protection of fundamental rights and freedoms of
natural persons in respect of processing activities and to ensure the free flow of personal data
between Member States." As a result EU Data Protection legislation, including the GDPR
aims to create a situation where it is possible to move data around the European Union as if it
was a single legal jurisdiction.36 Moving data, inter alia for the purposes of citizen science
from one part of Europe should therefore pose little problems (where of course data
protection requirements have been met).37
The price of such a liberty to move personal data around Europe however is the
ability to transfer data outside of the EU. This is because, as the GDPR points out, the ability
to allow free movement of personal data across the EU can be permitted because of existence
of the same standards of data protection throughout the Union. This allows data subjects to be
sure that if their data is transferred from one part of the Union to another a similar standard of
protection will apply. This balance however does not hold for potential transfers outside the
EU. There the regulatory situation vis-à-vis data protection may be different, if not inferior.
This makes it difficult for for European data subjects to have confidence that their data will
be handled in a similar manner, or even have an idea of how such data may be handled. It is
for this reason that the GDPR (and its predecessor Directive 95/46/EC) imposes important
restrictions on the transfer of data outside of Europe.
In principle personal data can not be transferred out of the EU unless one of a number
of conditions are met. These include for example an adequacy decision on the part of the EU
Commission. This can occur where the Commission agrees that a " third country, a territory
or one or more specified sectors within that third country … ensures an adequate level of
35 BONNEY, R., SHIRK, J., PHILLIPS, T., WIGGINS, A., BALLARD, H., MILLER-RUSHING, A. &
PARISH, K. 2014. What Next for Citizen Science? Science, 343, 1436-1437.
36 GDPR Recital 3
37 It should however be recognized that Member States are, according to Article 9(4) of the GDPR able to
maintain their own respective laws that create additional requirements for sensitive data. This means that there
may for example be extra requirements on inter alia the transfer of health data. Such requirements may vary on
a state by state basis according to Member State Law.
protection"38 Such a decision may occur where the commission, after considering a number of
factors described in the GDPR has decided that an adequate level of protection will be
provided concerning the use of personal data.39 This includes the level of the rule of law in
the jurisdiction concerned (also taking into account any data protection legislation), the
existence of an data protection supervisory bodies, and any international agreements that may
exist with the state in which the jurisdiction in question is based.
These conditions are not however essential for the transfer of personal data to or
between researchers based outside the European Union. This is because the GDPR allows the
transfer of personal data outside the European Union in the event that informed consent of the
data subject has been secured.40 This is seemingly a good fit with the right to demand a
transfer of one's data under the GDPR. This is because article 20 self-evidently appears to
imply the need for the data subject to proactively make a request for such a transfer. In the
event that such a request concerned a transfer outside of Europe it would seemingly be
important (where a Commission adequacy decision does not exist), in order to be in
compliance with Article 49 of the GDPR, to provide the requisite information so that the data
subject could legitimately provide explicit consent to a transfer of his or her data outside the
EU. This would likely include information concerning the fact that no adequacy decision
existed, what the implications of such an absence are in layman's terms and the situation
concerning data protection in both the jurisdiction the data will be transferred to and the
specific context the data will be processed in. This requirement to provide sufficient
information for informed consent will require the data controller (i.e. who is to transfer the
data) to investigate whether the Commission had made an adequacy finding concerning the
jurisdiction in question and if not to research and take into account both the laws applicable
to the new data controller and the its own particular organizational situation. This is because
in order to provide the type of information that is required to provide truly informed consent
it will be necessary for the data controller (i.e. who is to conduct the transfer) to become
aware of such information and then to convey it to the data subject so that it can be
understood. In this regard a request for a transfer to a data controller outside of Europe would
differ importantly from that within Europe. This is because unlike the case with the latter, in
the former the data controller (who is to transfer the data) must make enquiries about the
ability of the potential new data controller to fulfill data protection obligations and explain
the results of such enquires to the data subject that made the request. There is doubt however
about whether data controller would in reality have to honour such a request for a data
transfer outside of Europe. The author of this paper would submit that there is some
ambiguity in the GDPR about whether a data subject has the right to compel a data processor
to transfer outside of Europe. This uncertainty arises for two main reasons. First, article 20
itself does not explicitly refer to such a situation. Second the articles of the GDPR that relate
to data transfers outside the European Union also do not refer to the right of transferability
described in Article 20. Given this, it seems likely that some data controllers may seek to
deny the applicability of article 20 to situations where they a request for transfer outside
Europe is made and no adequacy decision has been made by the Commission. The author
would submit that this may be seen as reasonable given that data controllers would be
required to investigate the legal situation in the new jurisdiction and the organizational
context of the new controller (including its abilities to provide for data protection
requirements). Such requirements are not part of article 20 in its normal context (i.e. transfers
within the EU) and thus make its applicability in extra EU transfers questionable as they
38GDPR Article 45(1)
39 GDPR Article 45(2)
40 Article 49(1)(a). Article 49 also spells out a number of other exceptions where such a transfer may be
possible. These exceptions are however beyond the scope of this paper and will not be considered futher here.
represent a burden that do not appear to be envisaged in article 20 itself. Case law may
ultimately be needed to settle this question.41
At present we live in a time where there are grave concerns over the privacy of our data in the
social media age. Whilst such concerns are well merited it is important to remember that
concerns surrounding the use of our personal data are not only related to privacy. More
specifically whilst there are occasions where we may wish to prevent large and powerful data
controllers from doing certain things with our data (i.e. negative obligations), there are on
other occasions where we may want to compel them to do something (i.e. positive
obligations). This article looks at one such instance, the ability to of data subjects to compel
data controllers to transfer their data to another controller, in this case for purposes of 'citizen
In addition to technological and cultural developments, the developing legal
landscape will play a major role in deciding what is and what is not possible in terms of
citizen science.42 One of the most important of these developments in the notion of of 'a right
of data portability'' in the GDPR. This right will allow data subjects to ask data controllers to
transfer their personal data to a new data controller. Such a right is important to citizen
science for a number of reasons. First, individuals often do not collect and assemble
potentially useful data alone. Rather they often do so with the aid of third parties, for example
the use of online storage platforms that allow data to be accessed and manipulated in useful
ways. Where individuals want to make such data available for research there may thus often
be a need to have data transferred from one controller to another (e.g. a research institution).
Second, the ability to transfer the data directly between data controller and research
institution may be appealing because individual data subjects may not have the technical
knowledge or correct infrastructure to receive and transport it themselves. Such a right opens
up the possibility of using economies of scale to boost data transfers related to citizen
science. This may occur where where data controller and research organizations are able to
coordinate and arrange transfers – for instance where, in the case of one large data controller,
many data subjects have come forward and asked that their data be transferred to a particular
research institution. The possibility to arrange such transfers on a coordinated basis would
reduce investments in terms of time and cost for both data controllers and research
institutions and thus make many forms of potential research more feasible. Third, a right to
data portability as found in the GDPR goes beyond a right to access which has long existed
under Directive 95/46/EC. This is because unlike a right to access, which only provides for
the provision of data to the data subject in 'an intelligible form', the right to data
transferability allows for the data in question to be provided to the new controller in a form
that is 'interoperable'. This is important because depending solely on a 'right of access' would
not only involve intermediate transfer through the data subject (and all the technical and
organizational problems this may bring), but would also not include a requirement of
'interoperability' with the potential processing systems that might be used by a research
institution. Such a requirement means that the data should be provided directly to the
research institution in a way that would allow them to use it for their desired method of
41 See Article 29 Working Party Opinion on Data Portability, p6
42 For a good discussion on a number of legal requirements HOFFMAN, S. 2015. Citizen Science - The Law
and the Ethics of Public Access to Medical Big Data. Berkley Technology Law Journal, 30, DOI:
As this paper discussed however, there are important limits to the right of
transferability at least as recognized to the GDPR. Four issues were outlined in this paper that
will to various extents, limit the extent of which this right can be used to further concrete
instances of citizen science. First, important limitation is that the right of portability only
applies to personal data that was provided by the data subject themselves. This rules out its
application to data that was derived by further processing of that data. This will have the
effect of ruling out the applicability of the right of portability to important data sets that will
contain potentially valuable information for researchers. This includes analysis of self-
monitoring data (e.g. from fitness or dietary) platforms, various forms of analysis carried out
for commercial purposes (e.g. advertising targeting) and for the purposes of healthcare.
A second is the concept of 'interoperability' itself. As the Article 29 working party
clearly stated, interoperability does not equate to compatibility. Whilst the latter would entail
providing data in a ready to use format, the former requires only the provision of data in a
manner that would allow it to be rendered useable. Such a concept accepts the likelihood that
a new data controller will have to further process such data in order to render it useful for its
purposes. It is therefore likely that that research institutions will have to conduct work on the
data being transferred in order to render it compatible. This could serve as a disincentive
where the resources of potential research institutions may be limited.
A third important factor is that the right of transferability is limited to instances where
the data held was being processed on the legal grounds that i) informed consent was provided
by the data subject in questions or ii) in order to fulfil a legally binding contract. Whilst such
legal grounds will cover a large range of contexts that could be of importance to citizen
science it will not cover many others. This may include for example, large amounts of data of
data that is held held in the electronic health records of medical institutions. Such data is
often processed under another legal basis i.e. for the 'purposes of preventive or occupational
medicine'. Likewise, the right of transferability will not apply to data that is being processed
for purposes of 'scientific research' (i.e. without relying on consent as a legal basis). This
means that individuals will in many cases not be able to demand researchers who have been
using their data to subsequently transfer it to another research institution. These limitations
on the right of transferability will dilute its potency and its potential usefulness to desired
instances of citizen science inter alia ruling out its application to important sources of
potential research data.
In addition to these explicit limitations of the right to transferability (as described in
the GDPR) a fourth factor arises through a number of ambiguities that give rise to
uncertainties surrounding its potential territorial application. Whilst the GDPR seemingly
confirms that a right of transferability will apply in instances where transfer is sought
anywhere within the EU, it is not certain as to whether it applies to requests made for the
transfer of data to controllers based outside of Europe. This is because whilst certain
conditionally must exist to allow external transfer (e.g. the existence of an EU Commission
Adequacy Decision or the existence of binding corporate rules on the use of data) such
conditionality can be dispensed with where the transfer in question is associated with the
provision of explicit consent on the part of the data subject. Given that such consent can be
obtained by the data controller when a portability request is made, one might reason that this
exception could also be made to apply to Article 20 requests outside the Union. Doubts as to
such an assumption may however be fuelled by the fact that such an exercise would entail
potentially significant efforts the part of the existing data controller, including the need to
ascertain the status of the proposed new data controller and the jurisdiction in which it is
based. Given that such efforts are not consistent with the light investigational duties that are
invoked within article 20 of the GDPRitself (i.e. on transfers within the EU), its applicability
to transfers outside the EU is at the very least debateable.
BELLAZZI, R. & ZUPAN, B. 2008. Predicitive data mining in clinical
medicine: current issues and guidelines. International Journal of
Medical Informatics, 77, 81-97.
BONNEY, R., COOPER, C. B., DICKINSON, J., KELLING, S., PHILLIPS, T.,
ROSENBERG, K. V. & SHIRK, J. 2009. Citizen Science: A Developing
Tool for Expanding Science Knowledge and Scienti=c Literacy.
BioScience, 59, 977-984.
BONNEY, R., SHIRK, J., PHILLIPS, T., WIGGINS, A., BALLARD, H., MILLER-
RUSHING, A. & PARISH, K. 2014. What Next for Citizen Science?
Science, 343, 1436-1437.
DEVICTOR, V., WHITTAKER, R. J. & BELTRAME, C. 2010. Beyond scarcity:
citizen science programmes as useful tools for conservation
biogeography. Diversity and Distributions, 16, 354-362.
DYER, C. 2007. Stringent constraints on use of patients' data are harming
research. British Medical Journal, 335, 1114–1115.
EVANS, B. J. 2017. Barbarians at the Gate - Consumer Driven HEalth Data
Commons and the Transformation of Citzen Science American
Journal of Law & Medicine, 42, 651-685.
HOFFMAN, S. 2015. Citizen Science - The Law and the Ethics of Public
Access to Medical Big Data. Berkley Technology Law Journal, 30,
HUNTER, P. 2016. The big health data sale: As the trade of personal health
and medical data expands, it becomes necessary to improve legal
frameworks for protecting patient anonymity, handling consent and
ensuring the quality of data. EMBO Rep, 17, 1103-5.
JENSEN, P., JENSEN, L. & BRUNAK, S. 2012. Mining electronic health
records: towards better research applications and clinical care.
Nature Reviews Genetics, 13, 395-405
KAYE, J. 2012. The Tension Between Data Sharing and the Protection of
Privacy in Genomics Research. Annual Review of Genomics and
Human Genetics, 13, 415–431.
KELLING, S., FINK, D., LA SORTE, F. A., JOHNSTON, A., BRUNS, N. E. &
HOCHACHKA, W. M. 2015. Taking a 'Big Data' approach to data
quality in a citizen science project. Ambio, 44 Suppl 4, 601-11.
LAGOS, L. 2013. Why the Right to Data Portability Likely Reduces
Consumer Welfare- Antitrust and Privacy Critique. Maryland Law
Review, 72, 341-380.
LUPTON, D. 2016. The Quanti*ed Self, John Wiley & Sons.
MADISON, M. 2014. Commons at the Intersection of Peer Production,
Citizen Science, and Big Data: Galaxy Zoo. In: FRISCHMANN, B.,
MADISON, M. & STRANDBURG, K. (eds.) Governing Knowledge
Commons. Oxford University Press.
MANTOVANI, E. & QUINN, P. 2013. mHealth and data protection – the letter
and the spirit of consent legal requirements. International Review of
Law, Computers & Technology,
MORRIS, M. E. & AGUILERA, A. 2012. Mobile, Social, and Wearable
Computing and the Evolution of Psychological Practice. Prof Psychol
Res Pr, 43, 622-626.
MURDOCH, T. & DETSKY, A. 2013. The Inevitable Application of Big Data to
Health Care. Journal of the American Medical Association, 309,
NEWMAN, G., WIGGINS, A., CRALL, A., GRAHAM, E., NEWMAN, S. &
CROWSTON, K. 2012. The future of citizen science: emerging
technologies and shifting paradigms. Frontiers in Ecology and the
Environment, 10, 298-304.
PURCEL, R. & ROMMELFANGER, K. 2017. Biometric Tracking From
Professional Athletes to Consumers. The American Journal of
Bioethics, 17, 72-74.
QUINN, P. 2017. The Anonymisation of Research Data — A Pyric Victory for
Privacy that Should Not Be Pushed Too Hard by the EU Data
Protection Framework? European Journal of Health Law, 24, doi
QUINN, P., HABBIG, A., MANTOVANI, E. & DE HERT, P. 2013. The Data
Protection and Medical Device Frameworks ? Obstacles to the
Deployment of mHealth across Europe? European Journal of Health
law, 20, 185-204.
SILVERTOWN, J. 2009. A new dawn for citizen science. Trends Ecol Evol,
SWAN, M. 2013. The Quanti=ed Self: Fundamental Disruption in Big Data
Science and Biological Discovery. Big Data, 1, 85-99.
TENE, O. & POLONETSKY, J. 2013. Big Data for All- Privacy and User
Control in the Age of Analytics. Northwestern Journal of Technology
and Intellectual Property, 11, 239-274.