We want our data back using APIs!

Cozy Cloud — the French startup that develops a free software personal cloud — has communicated to CNIL (French DPA) and the Art. 29 WP a comment on the modalities of implementation of the portability part of the GDPR. This comment is co-signed by many digital organizations and thought leaders.

Portability of personal data is a major topic for the digital future. In order to make sure it’s effective, it needs to happen by relying on APIs!


In today’s digital world, data has a huge influence on us: the recommendations we receive (advertising, purchases, reading, videos to see), the decisions that concern us (insurance, etc.), taken by us or by others, rely on our data. As such, the subject of data governance is essential: Who has access to data? Who controls the data?

Currently, users have very little control over personal data processed by data controllers, but this will change with the arrival of a European regulation called GDPR. Indeed, among other things, GDPR makes portability of personal data mandatory for May 2018, that is to say very soon!

The devil is in the details

Making personal data portable is a very positive step, but the texts are complicated. Thus, the text of the GDPR specifies that the transfer of a controller to another must be “direct” and “without hindrance”. Unfortunately, this notion is quite relative! In the eighteenth century, the use of the carriage was undoubtedly a direct transfer without hindrance. At the beginning of the nineteenth century, the electric telegraph was probably the best option. In the 1990s, the fax would have been chosen. But in the twenty-first century, the state of the art is the API.

With rare exceptions (very large volume of data for MRI, for example), the service provider who would not put an API to retrieve our data, while this is the most effective and cheaper to transfer data directly, would be objectively seen as trying to create friction.

The issue is this is not specified per se in the GDPR…

Which solution, then?

The Art. 29 WP (Article 29 Data Protection Working Party, which includes representatives of data protection authority of each EU Member) is taking comments about the GDPR. In this regard, Cozy Cloud brought together organizations and leaders in order to co-sign a comment.

The goal of this comment it to make clear that the G29 guidelines on data portability should explicitly mention the use of APIs. Otherwise, it would be necessary to wait for case law to be set, which would generate delays and uncertainty which would benefit established players at the expense of users, smaller and more innovative businesses and services.

Cozy would like to thank all those who have co-signed the comment. Some of them agreed to make their name public. Here they are:



Learn more about GDPR and data portability: