On September 22, 2020, the Federal Trade Commission (“FTC”) hosted “Data to Go,” a virtual workshop on data portability. The workshop convened experts from civil society, academia, and industry to discuss the potential risks and the consumer and competition benefits of data portability, as well as issues and best practices related to its implementation in legislative and industry-led initiatives. The discussions emphasized five key themes regarding data portability efforts in the U.S. and globally.
- Competition and Privacy or Competition versus Privacy?: Throughout the workshop, stakeholders discussed the potential for data portability to promote competition by lowering switching costs for consumers, and reducing barriers to entry by enabling new entrants to more easily accumulate necessary data. Several workshop participants highlighted potential benefits of data portability for small businesses and new entrants in data-driven industry sectors, though some noted that more research is needed to determine how ported data can meaningfully serve as the basis of new and competitive products. Panelists also reflected on the potential benefits of data portability for consumer privacy by facilitating consumer choice and control, which could, in turn, enable consumers to favor services that reflect their privacy values.
At the same time, workshop participants cautioned that privacy and cybersecurity risks could undermine the privacy benefits of data portability, for example in the areas of user verification, security in transit, secondary use limitations, and re-identification risks for de-identified data. Panelists also highlighted the need for a nuanced understanding of the relevant privacy and cybersecurity risks, so as not to allow them to be used as a pretext for denial of data portability requests. Striking the appropriate balance between minimizing privacy and cybersecurity risks, while also maximizing privacy and competition aims, was a recurring theme throughout the workshop.
- General versus Sectoral Approaches: Two sessions of the workshop focused on comparing approaches to data portability: general approaches, which apply broadly, and sectoral approaches, which apply to specific sectors such as health or financial data. The General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) are the most prominent examples of a general approach to data portability. Each framework applies broad portability mandates to a wide range of organizations that process personal data, with only narrow exclusions. Panelists compared these general approaches to the narrowly applied portability requirements of U.S. health and financial frameworks as well as Open Banking initiatives in the UK and India.
Based on U.S. experience with sector-specific portability requirements in the health sector, participants emphasized the importance of interoperability and standard-setting rules to maximize the benefits of data portability. As an example of a current standard-setting regime, the Office of the National Coordinator for Health Information Technology (“ONC”) recently enacted rules with the goal of increasing the portability of healthcare information for consumers through standard setting. Another panelist noted that the Dodd-Frank Act may offer authority to enact similar standard-setting rules in the financial sector.
Panelists reflected that one challenge of sectoral data portability is that the sector-specific privacy requirements may not apply to the business receiving the ported information, which may be outside of the sector. However, panelists noted that a general U.S. federal privacy law would likely allay this concern. Panelists suggested that safeguards such as authentication and building a framework of consumer trust may also help minimize these concerns.
- Scope and Ease of Use: By evaluating current models of data portability and emerging trends in newer data portability proposals, panelists discussed the appropriate scope of a data portability regime and how to ensure that it remains effective and easy to use for consumers. In particular, panelists debated whether the right to portability should include inferences about individuals derived from their personal data, with panelists noting differences between the scope of the GDPR’s and CCPA’s portability right in this respect. Participants noted that India’s proposal to create a general right to data portability that expressly includes profiles created about an individual could be evidence of a broader global trend in favor of more expansive portability.
In addition, in evaluating how effective current data portability regimes have been in providing consumers with control over their information, panelists reflected that there have been relatively few data portability requests made under the GDPR in the past two years. This may reveal that the current model is difficult for data subjects to use. The CCPA has only been in effect since the beginning of 2020, and has not yet provided clues on how California consumers engage with their data portability rights.
- Social Nature of Data and Third Parties’ Information: Panelists also reflected on the challenges raised by social or co-mingled data, where one person’s information is associated with or bound up with another’s information. For example, a photo posted to a social media service may include another person in it, or a message sent over a messaging service would include information about the message recipient and the sender. Panelists discussed the complications involved when one consumer requests portability of their information that involves the information of another individual, including whether the third party’s identity should be verified and what rights the third party has to approve or reject the portability request.
- PORT IA Impact Assessment: One concrete proposal to emerge from the workshop was to introduce a robust analysis of the potential privacy, cybersecurity, and competition costs and benefits into any data portability implementation. The Portability Impact Assessment (“PORT IA”) framework proposed by Peter Swire, Professor of Law and Ethics at Georgia Tech, aims to balance the challenges involved with data portability, leverage lessons learned from existing frameworks, and maximize the privacy and competition benefits of a data portability framework. Modelled on existing privacy impact assessment frameworks, including the GDPR’s Data Protection Impact Assessment, PORT IA would require organizations to analyze: (1) the challenges and opportunities involved with the proposed port; (2) the benefits of a proposed port, including the rationales based in competition, noncommercial benefits such as furtherance of individual rights, and regulatory or legal benefits; and (3) the risks and costs, including whether the port would involve the data of third parties and risks to competition.
As part of its data portability work, the FTC sought comments on topics related to portability. The comment period closed on August 21, 2020, but the comments are available here. We will continue to monitor data portability updates moving forward.