Fu Lixia, He Yuli
(Center for Studies of Intellectual Property Rights, Zhongnan University of Economics and Law,Wuhan 430073, China)
Abstract: Against the background of rapid data circulation, the Personal Information Protection Law of the People's Republic of China introduced the right to data portability to bolster the capacity for self-determination in personal information. This right is one of the powers of the rights and interests concerning personal data, legitimizing its regulation under private law. Therefore, it is critical to articulate the claim and relative attributes of the right while further clarifying the specific operational rules. The right to data portability is only entitled to natural persons, with "identifiability"serving as the decisive criterion for the object of the right. In addition, the right content includes the right to "access"and "transmission", but it is also subject to intellectual property rights and the privacy rights of third parties. When the right is infringed, remedies can be sought via the pathways of contract law and tort law according to the Civil Code,stemming from the consistency of the legal system.
Keywords: the right to data portability; the Civil Code; the self-determination right to personal information
With the rapid development of big data and artificial intelligence technology, massive data, like fossil oil carrying huge commercial interests, is being confronted with increasingly high data security risks nowadays. In this context, how to keep the balance between social economic development and personal data security has become an urgent issue for laws in different countries. Based on this consideration, the European Union law took an educated leap of faith to take action to enhance citizens' data-control ability and promote personality freedom. Specifically, the General Data Protection Regulation (GDPR) of the EU came into force in May 2018 stating that the right to data portability "allows for data subjects to receive the personal data that they have provided to a data controller in a structured, commonly used, and machine-readable format and to transmit those data to another data controller without hindrance"①The European General Data Protection Regulation, translated by Ding Xiaodong, http://www.calaw.cn/article/default.asp? Id=12864 Accessed on January 19, 2023.. Afterwards, countries have begun to debate the existence and operation of this right heatedly in succession, and some of them have confirmed it in legislation. For example, the California Consumer Privacy Act (CCPA) stipulates that enterprises requested by consumers should disclose and submit personal information free of charge[1]. Given this, the Personal Information Protection Law of the People's Republic of China (PIPL), which was officially implemented on November 1, 2021, has also introduced the right to data portability. Nevertheless, the provision of the right in the PIPL appears to be overly declarative. It takes the form of incomplete legal provisions, submitting the premise for the right to the national network information department for regulation. As a result, its right framework and attributes remain unclear, and how to further implement them thoroughly is still uncertain. Therefore, this article selects the right to data portability as the research object, exploring its basic legal attributes, implementation requirements, and remedies to ensure its real implementation under the existing legal framework.
Since the right to data portability was brought up in Europe, there has been controversy about whether to introduce this new right in China's legislation in theoretical circles. Besides, there is no shortage of cases in practice to provoke thinking about whether data can be portable, such as the Ling v. TikTok Case②The case of privacy infringement dispute of Ling and Beijing Weibo Vision Technology Co., Ltd.,(2019) First Trial of Civil case of Beijing Internet Court(No. 6694)., the Juketong v. Tencent Case③The case of unfair competition dispute of Shenzhen Tencent Computer System Co., Ltd., Tencent Technology (Shenzhen) Co., Ltd.,Zhejiang Soudao Network Technology Co., Ltd., Hangzhou Juketong Technology Co., Ltd.,(2019)First Trial of Civil Case of Hangzhou Railway Transportation Court(No. 1987).,and so on. Based on the extraterritorial experience and the consideration of local practice, the PIPL has introduced the right to show the legislative stance. It provides the right to data portability, allowing individuals to carry personal data under the conditions specified by the National Network Information Department. As mentioned, the basic theoretical issues remain unclear, such as the right attributes and implementation requirements. However, according to the existing literature, domestic research highlights its anti-competitive feature but neglects the exploration of the basic rights theory. In the long run, the right might become a mere scrap of paper that cannot be put into practice. Therefore, it is necessary to clarify the right attribute and seek the current realization path through legal interpretation.
Specifically, the EU safeguards the right to data portability as a fundamental right, but China has not yet elevated the status of the right to a constitutional level. Instead, China protects personal data and personal information as civil rights and interests. The legal framework for personal data protection mainly consists of the relevant provisions of the PIPL and the Civil Code. Although the Civil Codedoesn't explicitly outline the right to data portability, there is a close relationship between them. On the one hand, from a legal textual perspective, PIPL places the right to data portability within the same legal provision as the right to retrieve and copy data, a right expressly outlined in Book Ⅳ of the Civil Code. This arrangement suggests that lawmakers may intend to position the right to data portability as a natural extension of the right to retrieve and copy data. On the other hand, the right to data portability emphasizes the intrinsic value of human beings and citizens' information self-determination, whose functional orientation has high similarities with the rights regarding personal data in the Civil Code. These connections further raise the following issues: Can the right to data portability be treated as an independent civil right? How should it be systematically situated within the context of personality rights as delineated in the Civil Code? And how should we define the relationship between it and the right to copy, erase, and other personal data rights and interests? All of these issues necessitate further exploration.Consequently, this article elects the right to data portability as the research object and puts it under the threshold of the Civil Code, trying to examine the nature, positioning, and specific elements of the right and to explore viable solutions for asserting and remedying the right within the existing legal framework.
To bring the right to data portability into the threshold of the Civil Code, we should first clarify its orientation in the private law system to further explore the possible path to realize the right to data portability.
Defining the orientation of the right to data portability in the private law system and clarifying its nature are both important prerequisites to ensuring the conduction of the right, which determine its specific content and relief path.
2.1.1 The Legitimacy of Private Regulation of the Right to Data Portability
It is the premise and basis for proving the legitimacy of the private regulation of the right to data portability when discussing it from the perspective of private law. Based on the complex attributes of both the public and private aspects of the PIPL, it has been controversial whether the right to data portability exists as a constitutional right in public law or as a civil right in private law. This is a pre-question to be answered before discussing the specific attribute of the right to data portability. Constitutional scholars tend to explore the nature of the right from the perspective of public law. For example, some scholars believe that personal instrumental data rights, like the right to data portability, are all basic rights in the Constitution protected by national public power[2]. In addition, some scholars believe that it does not have the conditions to become a basic right, so it should be treated as a "flexible right" or even just an effort goal[3]. In general, the above scholars have denied the private attribute of the right to data portability. However, civil law scholars believe that a bundle of personal data rights, including the right to data portability, is surely a civil right and could be protected by private law norms[4].
Civil rights are the spiritualization and embodiment of constitutional rights in private law, so these two attributes are not mutually exclusive. Therefore, for the above dispute, it is only necessary to prove the legitimacy of the civil attribute of the right to data portability. This article tries to justify the civil attribute of the right to data portability from the pros and cons. Above all, it is necessary to mention that the doctrine of public law has room to be overturned.Some scholars believe that a right can't be defined as a private right because it may lead to administrative liability.However, it's hardly enough to deny its private nature. Due to the the complexity of China's legal system, the same act could lead to legal consequences of different natures, so it is common that an act infringing civil rights and interests leads to administrative liability. Moreover, strong evidence could be provided to prove the private attribute of the right to data portability. On the one hand, the object of the right to data portability coincides with the protection object of civil law. It cannot be ignored that data carries important personal rights and interests such as privacy and personal dignity, which are also important objects protected by Civil Law. Specifically, the title of Chapter VI in Book Ⅳ of the Civil Code-"Privacy and Personal Information Protection"-supports the regulation of personal information interests by private law. On the other hand, the right is a continuation of other civil rights and interests to some extent. From the perspective of system interpretation, the right to data portability is stipulated in the same article in PIPL as the right to retrieve and copy data, and their connotations are also interconnected[5]. It could be seen that the right to data portability is the natural extension of the right to retrieve and copy data, and the latter is the due meaning of the former, conversely.
2.1.2 Logical Proof of the Power Nature of the Right to Data Portability
Because of the legislative absence of the right to data portability in the Civil Code, scholars have been discussing the following basic rights issues: what is the relationship between this right and the personality rights of the Civil Code;whether it would become a civil right; what nature it has, etc. These are three of the most representative theories: "independent right", "claim of personality right", and "power of personal data rights and interests". First of all, the theory of"independent rights" believes that the right to data portability is an independent civil right. Furthermore, some scholars attribute it to a personality right[6], while others consider it a new compound civil right with both the attributes of personality and property right[7]. Secondly, there is a view that the right to data portability is a claim of personality[4]. Thirdly, there is also a view that the right to data portability is a power rather than a right. For example, some scholars have proposed that the right to data portability and other powers, including the right to erase data, and the right to retrieve and copy data, constitute the protection system of personal data rights and interests[5]. This kind of view holds that the right to data portability is not an independent personality right but a positive power of personal data rights and interests. It means that it is not the right itself, but the form and tool of personal data rights, which couldn't exist unless they were attached to their maternal rights.
For the above views, the theory of "independent rights" is theoretically indefensible. Different rights represent different interests, and there should be clear boundaries between different independent rights[8]. However, the right to data portability involves privacy, dignity, and many other personal interests, which are hard to distinguish from other personal data rights. Furthermore, it is attached to personal data rights and interests, whose objects have multiple attributes.It follows that the right to data portability lacks a clear appearance, so it does not have the conditions to become an independent civil right. Moreover, the theory of "claim of personality rights" also lacks proper ground. According to Article 995 of the Civil Code, the claim of personality right is a negative defensive right that can be required only when its relevant rights and interests are infringed. Contrarily, the right to data portability has a positive power attribute that could request the operator assist in the transmission of data under certain conditions. At the same time, the claim of personality rights listed inArticle995 of the Civil Code includes the claim for stopping the infringement, removing the nuisance, eliminating the danger, and so on, but it doesn't include the right to data portability④Article 995 of the Civil Code: "If the right of personality is infringed, the victim has the right to request the perpetrator to bear civil liability in accordance with the provisions of this Law and other laws. The provisions of the limitation of action shall not apply to the victim's right to stop the infringement, remove obstacles, eliminate risks, eliminate impacts, restore reputation, and apologize.". Finally, the theory of"power of personal data rights and interests" is the reliable attribution of the right to data portability. The difference between rights and powers is that powers have no relatively independent meaning, have not been separated from the maternal right, and cannot be assigned separately[9]. According to this judgment standard, the right to data portability is not independently assignable, and the maternal right will still maintain its basic structure when the right to data portability has disappeared[10]. Therefore, in conclusion, the right to data portability is not yet enough to become an independent right. It depends on the rights and interests of personal information and should be oriented toward power.
To sum up, it is more appropriate to define the right to data portability as a power. From the perspective of private law, the right attribute and status should be consistent with other powers of personal data rights and interests, such as the right to access data, the right to retrieve and copy data, the right to erase data, etc. This personal data right represents the attributes of a claim and a relative. In addition, it is an instrumental right aimed at protecting the civil rights and interests attached to personal data. The right to data portability itself cannot become the object of the tort, but when the personal and property interests attached to it are infringed, the relevant provisions of the Civil Code could be used to seek remedies.
As a component of the bundle of personal data rights, the right to data portability not only has similarities with other data rights but also has its own independent status and role. To understand its nature, we should explain it from a systematic perspective rather than in isolation. More precisely, we need to examine the status of the right to data portability by comparing it with other powers of personal data rights. From a vertical perspective, there are countless ties between the right to data portability and other personal data rights and interests. Both of them take personal data rights as the upper concept and have the same status. More importantly, they have consistent theoretical principles. The whole bundle of personal data rights is based on the information self-determination theory, which comes from the famous "Demographic Census Case" in Germany[11]. In this case, self-determination was derived from the general personality right of the Constitution by the Federal Constitution Court through an explanation of "personal dignity" and "free development of personality", which are present inArticles 1 and 2 of the Basic Law for the Federal Republic of Germany. Then self-determination became the basic right to personal data protection. Since then, the right to information self-determination has become a constitutional right in many developed countries and the theoretical basis of the legal system of personal data protection in the EU. In the beginning, self-determination means that people have the right to decide the extent of their data being accessible in public in order to prevent others from obtaining their personal information improperly. However, with the increasingly prominent commercial value of data, personal data has become a transaction object on a large scale. Against this background, the connotation of personal information self-determination begins to change to enhance citizens' personality protection. Apart from the passive defense of personal information, natural persons are entitled to decide how their data is collected, processed, and utilized in what kind of way and extent from a positive perspective. On the one hand, it is embodied in the right to determine the content, method, and degree of data to be made public; on the other hand, it is reflected in the right to decide how to deal with the data that has been made public. In general, the essence of this theory is to ensure full control of personal data to realize the consistency of data utilization with the expectations of the data subject. Although the right to data self-determination has not been explicitly listed as a basic right in the Constitution, China's legal system of personal data protection revolves around the theory of self-determination. Exactly, the Civil Code and the PIPL clearly stipulate that personal information processing is based on "informed consent", and individuals have the right to access, copy, transmit, and delete their personal data in the processing process. Therefore, the whole bundle of personal data rights is rooted in the doctrine of self-determination. The right to data portability is conducive to controlling the porting mode and path for data subjects, which is also the typical embodiment of self-determination.
From a horizontal point of view, the right to data portability and other powers perform their respective duties and play different roles in personal data protection. The powers of personal information rights and interests include knowing,changing, transferring, deleting, etc. These powers constitute the complete links and steps of data processing and have a corresponding legal effect on the actions of data processors. In terms of internal relationships, they are linked and restricted to each other. On the one hand, the right to data portability presupposes the right to retrieve and copy data. The primary objective of the right to data portability is to enable the transfer of personal information amongst data processors, the precondition for which is the precise definition of the scope and content of the data to be transferred. Therefore,exercising the right to retrieve and copy data is a preparatory step for exercising the right to data portability, without which the latter would lack a foundational basis. On the other hand, the right to erase data is the post-protection right to data portability. According to the relative provisions, it doesn't mean the data will be deleted from the original data processor only by exercising the right to data portability. As stated in Paragraph 3,Article47 of the PIPL, after the data subject has exercised the right to data portability, they may also request data processors to delete their personal information by withdrawing their consent, thereby enabling a complete transfer of their personal information to a third party.
Based on the clarification of the nature of the right to data portability, the further question to be answered is how to put the right into realization in order to maximize the value of this right and realize the freedom of data circulation.Therefore, we should examine the elements of the right to data portability according to the current provision and its purpose to present the complete structure exactly. Specifically, we need to expound on the right subject, object, content,and boundaries from the standpoint of legal interpretation.
The EU GDPR stipulates that only a natural person could be the subject of the right to data portability, which has been debated heatedly at home and abroad. Based on the anti-competitive feature of the right to data portability, some scholars have proposed that juridical persons and unincorporated organizations can also become the right subjects.Some scholars supported part of this proposal; they believe only specific enterprises could be endowed with the right[12].In response to such a dispute, extraterritorial legislation has taken relevant actions. For example, Australia's Competition and Consumer (Consumer Data Rights) Rules 2020 stipulate that some enterprises have the right to port consumer data⑤Australia's Competition and Consumer (Consumer Data Rights) Rules 2020 provide for the portability of consumer data by product or service providers. See《Competition and Consumer (Consumer Data Right) Rules 2020》, https://www.legislation.gov.au/Details/F2021C00076, visited on January 19, 2023..
However, it should be unequivocally acknowledged that the subject of the right to data portability in China's law is still within the scope prescribed by the GDPR-only natural persons can become the subject of the right to data portability. In other words, legal persons and unincorporated organizations cannot claim the migration of their data. On the one hand, from the perspective of teleological interpretation, the right to data portability should be exclusive to a natural person. The reason is that both the provisions of the PIPL and the Civil Code regarding personal data rights and interests are designed to address personal information and privacy risks in the era of big data, protect natural persons' interests in their personal data processing, and mitigate the negative impact caused by information asymmetry between individuals and corporations. On the other hand, from the perspective of literal interpretation,Article2 of the PIPL,which governs the entire legislative text, stipulates that "the personal information of natural persons is protected by law", explaining that the "individual" of the right subject expressed inArticle45 of the PIPL refers to natural persons.
According to the provisions of GDPR, the object of the right to data portability is "personal data provided by the data subject". It can be concluded that the EU's criteria for identifying the scope of portable data are determined by the interpretation of the term "provide". This provision is so vague that it has caused controversy in the academic field,which focuses on whether portable data includes only original data, or observation data and derivative data⑥The original data here refers to the data that individuals intentionally or voluntarily provide to the platform; Observation data refers to the monitoring data generated by the data controller through observing user behaviors such as "likes" and "comments"; Derived data refers to the data processed or synthesized by the data processor through processing and calculation.. To solve this puzzle, the Working Group onArticle29 (hereinafter called the Working Group 29), which was established underArticle29 of the Data Protection Directive (DPD) of the European Union in 1995, explained the right object to some extent. It has stipulated that the original data and observation data can become the right objects, but the derived data are still excluded from the scope of "portable data".
In contrast, PIPL stipulates that the object of the right to data portability is "all kinds of information related to an identified or identifiable natural person recorded electronically or by other means". It could be concluded that the criteria for judging whether the data is portable are whether it can be "identified"⑦Paragraph 1 of Article 4 of the Personal Information Protection Law of the People's Republic of China: "Personal information" refers to various information related to an identified or electronically or by other means, and does not include anonymized information.. By combining this provision with the concept of "personal information" in the Civil Code, it can be considered that only identifiable personal information is deemed a portable object. Compared with the EU, the scope of portable data in China is narrow. Besides, there are difficulties in the interpretation of "identifiable". For example, it is debatable whether consumers' evaluation data, shopping records, and other analogous data are "identifiable", because these data do come from specific natural people, but they cannot be able to identify the specific subject through themselves alone[13]. However, if we deny the "identifiability" of these data, it will harm consumers' interests because the user's consumption habits and behavior cannot be migrated when replacing the e-commerce platform. Therefore, an expanded interpretation of "identifiable" is urgently needed. Reference can be made to the relevant provisions of the EU GDPR to bring "original data" and "derivative data" into the scope of portable data in the form of judicial interpretations.
According to the relevant provisions and the practice of the right to data portability, scholars generally divide the rights into two aspects: The right to obtain personal data and the right to transmit personal data, which will be described separately below.
3.3.1 The Right to Obtain Personal Data
Obtaining personal data is the premise for transmission and thus should be an integral part of the realization of transmitting data. The right to obtain data means that the data subjects have the privilege to obtain the personal data provided by themselves from the data processor without obstacles, including the results of the relevant processed data and the copies of the data being processed. However, it should meet certain prerequisites, typical of which are the format requirements. In order to facilitate the acquisition, transmission, and reuse of personal data by the data subject,GDPR stipulates that the data to be ported should meet the formal requirements of "structured, commonly used, and machine-readable". Although PIPL has not stipulated the presentation form of personal data provided, the data processors should commonly provide the user's data according to the legislative purposes of the right to data portability. It cannot be maliciously presented in a complex form, resulting in the data subject being unable to make normal use of the data obtained, let alone concealing or losing the user's complete data.
3.3.2 The Right to Transmit Personal Data
There are two ways for the data subject to realize data portability: one is the "acquisition + transmission" mode. It means the data subject can retrieve the personal data from the data processor and transfer it to the third-party data processor by claiming the right to data portability; the second one is the "request direct transmission" mode. It gives the data subject the direct right to request that the data processor transmit the data to the designated third party. No matter which mode, the realization of data portability requires at least a certain degree of consistency in the data storage format. Among them, the implementation of the "request direct transmission" mode requires a more interoperable environment and thus depends on a certain technical basis. Therefore, GDPR adds the premise of technical feasibility to the transmitting mode of "request direct transmission" between two data processors. PIPL of China also stipulates that the"request direct transmission" mode needs to meet the conditions stipulated by the national network and information department. These provisions are aimed at solving the interoperability problem and creating feasible technical conditions for data circulation. With regard to achieving interoperability between data platforms, there have been relatively successful cases abroad for reference. For example, the DTP project, co-operated by Apple, Facebook, Google, Microsoft,and Twitter, has created a service-to-service data portability platform so that all individuals on the network can easily transfer data between the cooperative online service providers at any time[14]. The realization of interoperability is one of the important conditions for the real implementation of data portability, which depends on the further research of relevant departments and technical fields. For reference, interoperability can be achieved by establishing a uniform data format and application program interface through industry standards[15].
The right to data portability is not an absolute right. As a positive power of personal data rights and interests, it cannot be performed at will and hence should be subject to some restrictions. Otherwise, there will be a risk of violating social public interests and other citizens' rights and interests and further violating the basic principles of the Civil Code due to the overly broad scope of the right. Given this, we should clarify the relationship between the right to data portability and other legal interests. Specifically, the right to data portability may conflict with the following civil rights and interests during the exercise process.
3.4.1 Intellectual Property and Trade Secrets
The right to data portability may conflict with intellectual property rights and trade secrets. On the one hand, some scholars believe that the transmission of personal data may infringe on the intellectual property rights of others, especially in the field of copyright. For instance, it is universal that the personal data requested by an individual includes others' written works, photographic works, and audio-visual works[16]. On the other hand, some scholars believe that porting personal data may infringe on the business secrets of enterprises. For example, sometimes the data requested by individuals includes the customer list and pricing data formed by enterprises after sorting out or investing their data,which is legally protected as trade secrets[17]. For the former situation, if others' data provided to the original data processor has been permitted by the copyright owner, then the porting act itself will absolutely not infringe others' copyright. However, if there are other subsequent exploitations after transmitting data that may infringe the copyright, the copyright owner's permission should be obtained separately. In the latter situation, when defining the object of the right to data portability, the derivative data formed by the organization and the utilization behavior of the enterprise have been excluded. It means that if the user requests to port the derivative data, the enterprises have sufficient reasons to refuse. It may cause huge losses to enterprises if they allow customers to migrate data at their will, because data with commercial value, such as customers' shopping records or browsing records, is the key for enterprises to enhance user stickiness and then success in market competition. From the perspective of balancing the interests of different subjects,certain restrictions should be imposed on the right to transmit such data.
3.4.2 Privacy Rights of Third Parties
The conflict between the right to data portability and third-party privacy is commonly reflected in the migration process because the same data may not only involve the personal data of just one person. For instance, the group photo published on social software and online chat records may be related to others' privacy and other personal information interests. In response to this dilemma, the Regulations on the Administration of Network Data Security (Draft for Comments) of China made a preliminary attempt to establish a "consent mechanism" to give legitimacy to the exercise of the right to data portability by obtaining the consent of the third party⑧Article 24, paragraph 1, of the Regulations on the Administration of Network Data Security (Draft for Comments): "The data processor shall provide transfer services for other data processors designated by the individual to access and obtain their personal information if the request for transfer of personal information meets the following conditions: (1) The personal information requested for transfer is personal information collected based on consent or necessary for the conclusion and performance of contracts; (2) The personal information requested to be transferred is his own information or the information of others lawfully obtained by the requestor and not against the wishes of others; (3) Be able to verify the legal identity of the requester. ". However, this mechanism requires a large number of tedious steps and procedures to carry out, which is not very realistically operable. In order to cope with the above difficulties, the Principle of Proportionality can be used as a general principle for the measurement of legal interests in the implementation of the right to data portability[18]. It requires us to explore the proportionality of the exercise of the right to data portability according to the specific situations and not blindly exclude the portability attribute of all other data.
The Civil Code and the PIPL jointly constitute the protection system for personal data rights and interests. From the perspective of the consistency of the legal system, when the enterprise refuses to cooperate with the data transmission, even if it has met the implementation requirements, the data subjects can seek corresponding remedies through the provisions of the contract part and the tort liability part of the Civil Code[19].
According to the provisions of the contract part of the Civil Code, when there is a contract regarding data transmission between the personal data processor and the data subject, the two parties should abide by the legal agreement. If the data processor has breached a contractual obligation, the data subject may request that it bear the liability in accordance with the provisions ofArticle577 of the Civil Code. Therefore, the processor should obey the explicit provisions of the contract to collaborate with the data subject, no matter whether to provide its personal data or directly transfer the data to other data processors.
It is worth noting that, against the background of the extremely developed Internet and the widespread use of APPs, could the APP privacy policy be recognized as a contract? Although this question has not been officially answered,some of the most popular APPs tend to treat their privacy policies as contracts in practice, such as the Taobao Platform Service Agreement and Alipay Privacy Policy[20]. An effective contract should include the following elements: Both contracting parties make expressions based on sincere intentions; the perpetrator has the corresponding civil capacity; the content of the contract does not violate public order, good customs, or the mandatory provisions of the law. If the above requirements are met at the same time, the privacy policy can be recognized as an effective contract. Therefore, it is suggested that the APP platforms should give users the right to request data transmission and obey the obligation to provide the transfer path in the privacy policy of the login interface. At the same time, they should clearly indicate the preconditions for exercising this right, so that the data subject can clearly understand the content and exercise of this right. In this way, it can provide more protection and relief paths for the information subjects to exercise their rights.When the right to data portability has not been coordinated by the operator, remedies can be found by investigating the liability for breach of contract.
In order to provide proper guidance for enterprise compliance, it is necessary to clarify the specific rights and obligations of platforms when cooperating with porting data. In this way, contract terms and contents can be specified in advance, and infringement can be avoided. Combined with the content of the right to data portability, the whole porting process is divided into three steps: The data controller obtains data, the data subject raises a claim, and the data controller receives the request. At first, when the data controller obtains personal data, the controller should inform them about the right to data portability. As mentioned above, it is necessary to inform the public of the existence of the right and specify the operation procedure. In addition, the data controller should clarify the form of the requirements, such as by phone, mail, or other convenient means. Furthermore, when the data subject claims the right, the platform should take action to identify the subject's identity. To avoid data leakage and ensure data security, the platform must provide data after confirmation. The specific measures to verify identity include face recognition, security verification, and so on. If the subject's identity is still in doubt, the platform has the right to require further proof. Finally, when receiving a request, the data processor has the obligation to reply timely. When the data controller receives the request, it must react, whether it agrees or not. In particular, I should give a probable reason for refusing to cooperate. The data processor shall reply within a reasonable time limit. If the refusal is unreasonable, the data subject can claim again after adding information or complain to the regulatory agency for relief.
According to the provisions ofArticle50 of the PIPL, when the processor refuses to exercise the relevant positive rights specified in the PIPL, the data subject can file a lawsuit. Based on the above analysis, the right to data portability is a power of personal data rights and interests that is comprehensively regulated and protected by private law. When it is infringed, it can seek remedies through the provisions of the tort liability section of the Civil Code. Among them, it is necessary to clarify the criteria for judging whether the data processor should bear tort liability. The constitutive elements of infringement include the existence of illegal acts and the damaging result, the causal relationship between them, and the fault of the actor. Above all, the data processor should have violated the provisions of the right to data portability. For example, the data subject's request for data transmission was rejected by the data processor without a proper reason. Secondly, the relevant behaviors of data processors infringe on the personal rights and interests of the data subject. Thirdly, there is a causal relationship between the illegal behavior of the data processor and the infringed consequences of the personal rights and interests of the data subject. Finally, the data processor should have the subjective intention of infringing on the personal rights and interests of the data subject.
When choosing tort provisions as the remedy path, the following points need to be noted: above all, from the perspective of the principle of liability fixation, there should be a difference between different subjects of responsibility.Article69 of the PIPL stipulates that the doctrine of presumption is applied to the infringement of personal information.It means that the data processor should prove the existence of fault, or he shall be held liable. In the theoretical circle,there is a dispute over whether the doctrine of presumption is applied uniformly without any distinction. For instance,some scholars believe that multiple principles of imputation should be applied according to different types of behavior[21]. This article holds that it is reasonable to apply the doctrine of presumption to the acts of non-public organs, but it is more appropriate to apply the doctrine of no-fault liability to public organs. As the biggest data controller, the government holds personal data in bulk. More importantly, there is a great power gap between individuals and public organizations in terms of technical and litigation abilities. In order to bridge the gap and achieve better protection of personal data, the doctrine of no-fault liability has become a necessity. Besides, when applying the doctrine of presumption,it is vital to examine the concept of "fault". This article believes that when the data processor refuses to cooperate with porting data for the following reasons, it can be deemed to be "no-fault": (1) the subject identity is in doubt reasonably;(2) the data required to be port does not meet the conditions made by the relevant department; (3) refuse the requirement to protect rights of a third party or the public interest; (4) the requirement is technically difficult; (5) there are other reasonable situations. Finally, from the perspective of judicial discretion, the judge should expound on the claim and relative attributes of the right to data portability. Therefore, the infringement of the right itself does not necessarily lead to the occurrence of infringement. The standard to judge whether the infringement is constituted is to see whether the sued act infringes the privacy rights and other related rights and interests attached to personal information and protected by the Civil Code. In addition, according to the provisions ofArticle998 of the Civil Code, the mode of bearing civil tort liability should be considered in combination with the identity of the actor, the degree of fault, and the nature of the act.
The concept of the right to data portability was introduced relatively late in China. To practically implement this right, it is essential to first clarify underlying theoretical questions. This right is not an independent right but a power of rights and interests concerning personal data under private law. It exists in conjunction with various civil rights relating to personal data and has instrumental value. It constitutes a component of the bundle of personal data rights, co-functioning with the right to retrieve, copy, and erase data to safeguard the freedom of personality. The right to data portability holds significant legislative implications for the protection of natural persons' privacy and the self-determination of information. By transforming the historically passive defensive stance of personality rights, it confers the power of active rights exercise, marking a valuable endeavor by China's PIPL and significantly supplementing provisions for personal data rights in the Civil Code. At present, from the perspective of China's legal provisions, the subjects of the right to data portability are natural people, and the object takes "identifiability" as the standard of judgment. In addition, the right content includes the right to "access" and "transmission", but the right is also restricted by intellectual property and the privacy of third parties. However, the scope of the object of rights is still controversial, the rank of rights needs to be clarified, and the existing remedies for rights have certain limitations. Therefore, it is necessary to further refine the content of rights and establish supporting measures to guarantee the realization of rights. For example, in the process of requesting the right to data portability, machine recognition techniques and other means can be employed to verify the identity of the right subject to ensure data security. In addition, research should be conducted in the field of Internet technology to break through technical difficulties and achieve interoperability among the original data processors, users, and third-party data processors. The real implementation of the right to data portability requires not only more detailed and explicit legal provisions but also certain technical conditions, which rely on further research and interpretation by technical experts and relevant national departments.