It's Time to Re-think Data Portability

To its credit, the GDPR has done a fantastic job at carving out a set of core principles. Other regimes differ along the specific nuances of where the rights start and end. Today, I want to talk about one of the less clearly defined rights: portability.

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

GDPR Article 20

As we approach the tenth year of GDPR's enactment, we've seen privacy technologies and implementations evolve across Europe and the world. With over half of US states considering or implementing some version of privacy reform and dozens of countries implementing GDPR-like laws, the practice has evolved toward treating GDPR's requirements as an effective gold standard.

To its credit, the GDPR has done a fantastic job at carving out a set of core principles that can be more or less translated into business and engineering practices. Other governments differ along the specific nuances of where the rights start and end, but have roughly adapted the same structure. Today, I want to talk about one of the less clearly defined rights: portability.

In conversations I've had with other privacy professionals, the right of data portability is often lumped together with the right of access. A person should have some right to access data that an organization has about them within some reasonable time frame. In order to provision this right to access, businesses and non-profits alike have had to build a sweeping picture of the data that their organization contains. This process can take months if not years to complete. Most organizations have still not reached (and may never reach) a point where this picture is clear to people within their ranks (let alone their customers).

For the companies and businesses that have managed to tackle the right to access, you often have a web form or in-app button that says something to the effect of "download my data." For the most part, these do a reasonable job of providing a picture of what the average user expects to find across the different sites they use. Some websites even provide interactive data archives that let users browse their data as a local web page opened in their browser. But fundamentally, I think that there is still more that needs to be done; we need to think about what it means to meaningfully take your data from one place to another.

Before we dive in further, how is the right to portability defined? The GDPR states that data subjects have the right to receive their data in "commonly used and machine-readable format[s] and have the right to transmit those data to another controller without hindrance." Many other laws avoid mention of an explicit right to portability. The laws that do mention portability fail to adequately distinguish it from the rights of access and erasure. Rather, they conflate these two and, in effect, ignore it as a separate, distinguishable right.

There hasn't been any interesting action in the legal space either. Within Europe, the IAPP found that there have been "very few [data portability] developments...[with] most jurisdictions report[ing] none at all. Data portability rarely ever seems to be used by data subjects — let alone debated before a court." Most of the other rights that have been required by privacy laws have been relatively easy to interpret into cohesive business guidelines or engineering principles; portability seems to be one that's just...there.

Perhaps we should consider this from the opposite perspective: what are the cases and situations where customers want the ability to move data from one place to another, and how can these cases be resolved without "imposing hindrance"?


To understand how to approach this challenge, we need to understand the scale at which data is created. The average human generates approximately 50 gigabytes of data per day (not accounting for inequities in internet access). A fraction of this is data that falls directly under data access rights, while another portion likely consists of analytical data that perhaps doesn't directly translate to a right of access. While each web app and site that individuals use may hold only a fraction of that data, there will come a point where even downloading this data is untenable.

Furthermore, there is ultimately a desire to still have use of that data once you have it. It's unreasonable to think that, in a world where roughly half of users interact with the web using their phones (including the vast majority of users in developing nations), the offering of a simple download is a reasonably sufficient implementation of data access, let alone portability.

So what's to be done in this case? The solution will likely require pushing businesses and organizations to build the solutions that allow for seamless transfers of data. Most companies are going to be hesitant to do this, especially in the wake of the third-party data sharing woes of Cambridge Analytica. In order to craft a portability right which provides meaningful practicality to data subjects, regulators are going to have to define the use cases where direct portability is required. This could entail:

  • Music streaming services being required to offer a way to export your playlists and libraries to make switching easier.
  • Direct transfer options for photo storage services.
  • Financial transaction history between financial planning applications.

Fundamentally, a data portability right has to consider the situations in which a user wants to move their data around, and regulators should be more bullish on this as a consumer right.


Speaking of data portability...

If you're receiving this post as an email, you may have noticed that we've switched Code and Consequence over to Ghost. Primarily, this is due to Substack taking an ambivalent stance on hate speech, but I'm also a bit more interested in supporting a platform that has a more creator-friendly approach. We'll see where this goes, but after seeing a number of creators, publishers, and writers using this platform, I decided to take the plunge.

Additionally, I've turned on paid subscriptions to Code and Consequence. If you find the content I'm providing interesting and/or useful, consider subscribing. The more people we have, the easier it will be to publish more deep-dives, reflective pieces, and observations of where technology policy is going and how we can be ahead of the metaphorical curve.