Yesterday, on September 22, 2020, the Federal Trade Commission held a public workshop, “Data To Go,” examining the benefits and challenges of data portability frameworks for consumers and competition. As a panelist during the first discussion, FPF’s Gabriela Zanfir-Fortuna discussed: how data portability operates in different commercial sectors; lessons learned from the GDPR and other global laws; and observations on the dual nature of data portability, as both a means to facilitate competition and a right of individuals to exercise control over their data.
- See the agenda here,
- Watch the recording (FPF’s Gabriela Zanfir-Fortuna’s remarks begin at 01:16),
- Read comments submitted from 25+ stakeholders in advance of the workshop (see the full comments here).
The day-long workshop featured a wide range of privacy advocates, academics, government regulators, economists, and other experts. Below we provide key highlights from the workshop’s four panels: (1) Data Portability initiatives in the European Union, California, and India, (2) financial and health portability regimes, (3) reconciling the benefits and risks of data portability, and (4) realizing data portability’s potential: material challenges and solutions.
Panel 1: Data Portability Initiatives in the European Union, California, and India
FPF’s Gabriela Zanfir-Fortuna served as a panelist during Panel 1 of the workshop, discussing lessons learned from the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other data portability initiatives in India, Brazil, and Singapore. Other panelists included Inge Graef (Tilburg University), Rahul Mattan (Trilegal India), Stacey D. Schesser (Office of the California Attorney General), and Karolina Mojzesowics (European Commission), and the panel was moderated by Guilherme Roschke (FTC).
Panelists agreed that the GDPR and the CCPA both conceptualize data portability as a right of the data subject, underpinned by the idea that individuals should have control over how personal data is collected and used. Panelists also agreed that portability plays an important role in competition, with Inge Graef noting the unique role in removing barriers to entry for data-driven startups. This is being reflected more and more in policy documents in the EU. Rahul Mattan shared details about the complex and innovative framework that is currently being set up in India to allow portability and interoperability in the financial services sector.
Gabriela Zanfir-Fortuna added that many complex questions remain for how to make portability workable in practice, including: authentication and verification; personal data of the portability requestor that also includes personal data of third parties (such as in photographs or conversations); risks and responsibilities when porting data to services with weaker security or privacy protections; and other downstream uses of data, as reflected by the debates at the intersection of the Payment Services Directive 2 and the GDPR.
Panelists also discussed and mostly agreed on key similarities and differences between the GDPR and the CCPA. The right of data portability is more limited and nuanced under the GDPR, excluding “inferences” from its scope. Unlike the GDPR, the CCPA also combines the right of access and portability — requiring personal data to be provided in a portable format following an access request. One of the key points emphasized by both Gabriela and Karolina Mojzesowics was that the experience of more than two years of the GDPR shows that the right to data portability is not used at its full potential, with very few requests being made to organizations. This is an issue that the European Commission intends to work on, increasing awareness, but also through initiatives to make portability practical.
As CCPA enforcement begins, Stacey Schesser indicated that the Regulations adopted by the California Office of the Attorney General aimed to provide greater clarity on authentication and verification mechanisms, to ensure that the “right to know” will not lead to unauthorized access to data. In addition, she mentioned that California’s Ballot Initiative (Proposition 24) may change the legal requirements if passed, as it would no longer explicitly refer to data portability, but still require data in subject access requests to be made available in a machine-readable format (an implied right to portability).
Panel 2: Financial and Health Portability Regimes (Case Studies)
Panel 2, moderated by Katherine White (FTC), explored case studies from the financial and health care sectors, including new health IT rules from the U.S. Office of the National Coordinator of Health Information Technology (ONC) and the UK’s Open Banking Initiative. Panelists from both the financial and healthcare sectors discussed the growing role of data portability in each sector, agreeing that consumer trust remains an important underlying issue for both.
In the healthcare industry, panelists remarked on the trend of data portability being used to improve individual access to their medical records. Dan Horbatt (Particle Health) discussed some of the technological and economic barriers to embedding data portability, and remarked that the biggest trend is towards more seamlessness in communicating patient permissions for collating medical records. Dan Rucker (US Department of Health and Human Services) remarked that individual data portability has long been a goal of HIPAA. Following the recent newly mandated US healthcare interoperability rules, Rucker envisions the proliferation of new apps to facilitate portability in the next few years, as well as more opportunities for the Internet of Things (IoT). Rucker highlighted the ongoing need for standardized tools to facilitate interoperability and portability for medical records.
In the financial sector, panelists discussed Open Banking efforts in the United States and the UK. Open Banking refers to the use of open Application Programming Interfaces (APIs) to enable third-party financial service providers to access consumer transactions and other financial data from banks through new financial apps and services. According to Bill Roberts (UK Competition and Markets Authority), the UK’s Open Banking Rules were driven by a desire to address competition and promote an emerging fintech industry. Ongoing challenges remain with identification and authentication mechanisms, and Roberts noted that many banks are increasingly turning to biometric methods for authentication. Michael S. Barr (University of Michigan) observed that the UK, Singapore, India, and Australia have all made progress in Open Banking to improve user control over financial information, and to increase market competition. Although the US lags behind the U.K. in implementing open banking rules, Barr believes there is huge potential for consumers and greater competition.
Panel 3: Reconciling the Benefits and Risks of Data Portability
In Panel 3, moderated by Ryan Quillian (FTC), panelists discussed the benefits and risks of data portability with an eye toward the twin aims of protecting consumers and promoting competition. Panelists agreed that data portability has a range of policy goals, including individual autonomy, access to data, and the broader societal promotion of consumer welfare, innovation, and competition, with panelists offering individual remarks: global initiatives (such as the Data Transfer Project); the sector-specific nature of portability; or particular risks arising from lack of uniform regulation in the United States.
Ali Lange (Google) described the privacy and security protections in place for two existing data portability tools: Google Takeout, for individual exports and transfers of data across Google services; and the open-source Data Transfer Project, which is an open source initiative of big online platforms and service providers, including Apple, Microsoft, Google, Facebook and Twitter, which facilitates service-to-service data transfers.
Several commenters offered perspectives on the sector-specific nature of portability. For example, Gabriel Nicholas (New York University) commented that the competitive effect of data portability is not uniform across sectors, arguing that the FTC should use alternative methods to promote competition. One key point he made was about “group portability”, and how portability could be very useful as a group function or even a group right, for example allowing a group of friends to move from a platform to another. Hodan Omaar (Center for Data Innovation) explained that there is a greater need for data portability in sectors where there is a greater disparity between the goals of organizations that hold data and the intent of the data subjects.
Meanwhile, Pam Dixon (World Privacy Forum) outlined risks associated with onward transfers. Particularly in the healthcare sector, she observed that regulatory gaps exist in the United States for non-HIPAA covered entities. In contrast, she noted that the EU’s GDPR provides baseline data protection rules to prevent regulatory gaps. Peter Swire (Georgia Tech) argued in favor of keeping the theory of data portability in check with practical scenarios, pointing out that studying use cases in detail can be very helpful to understanding the limits and benefits of portability. For example, Professor Swire noted the concept of “multihoming” for data, a way to describe the fact that very often in practice portability is not about moving the data altogether from one provider to another, but simply about transferring a copy of the data to another service that the individual would like to try out. Thus, data portability might help create a place for users to have multiple “homes.”
Panel 4: Realizing Data Portability’s Potential: Material Challenges and Solutions
Panel 4, moderated by Jared Brown (FTC), considered the challenges of data security, privacy, standardization, and interoperability with a range of industry representatives (Mastercard, Digi.me), civil society (Mission:data Coalition), and consumer privacy advocates (Public Knowledge and Electronic Frontier Foundation).
Overall, panelists agreed on the need to: promote trust among individuals; provide individuals with greater control over their data; and protect and use consumer data responsibly. According to Erika Brown Lee (Mastercard), a consumer-centric approach to data portability involves basing the data transfers between services on consumer requests (i.e., consent), and reducing friction for consumers. Brown Lee also noted that security is the critical challenge for companies offering data portability, referring to verification and authentication in particular. Security risks also vary depending on how data portability is implemented, with panelists agreeing that utilizing APIs for data transfers is generally better from a security perspective than the widespread practice of credential sharing (“screen scraping”). Julian Ranger noted that screen scraping has a greater potential for abuse, and Michael Murray (Mission:data coalition) referred to screen scraping as expensive, buggy, and inconsistent.
Consumer privacy advocates emphasized the need for greater privacy protections for individuals and accountability for companies. Sara Collins (Public Knowledge) emphasized the important need for comprehensive federal privacy legislation to close regulatory gaps, and to set minimum standards. In addition, Bennett Cyphers (EFF) stated that to solve many of wider competition issues in the technology sector, regulation in areas other than data portability could incentivize data sharing. Discussing how responsibility and liability for downstream data should be allocated in the data portability context, Cyphers stated that liability should rest with an actor responsible for wrongdoing. However, in cases where data is shared without the consumer’s knowledge, he stated that liability ought to rest with the data transferrer.
Many complex questions remain in terms of how to make data portability workable for organizations to implement in practice. In his keynote remarks for the FTC workshop, Peter Swire (FPF Senior Fellow) discussed his recently published article, “Portability and Other Transfers Impact Assessment (PORT-IA).” The Impact Assessment aims to provide a framework for multi-disciplinary experts to use in a particular data transfer context to assess issues of data portability, including what Swire refers to as “Other Required Transfers” (e.g., a transfer of an entire database). Due to the sectoral nature of the issues that arise involving data portability, there is unlikely to be a one-size-fits-all solution. However, as legal regimes and policymakers around the world increasingly conceptualize and implement portability and interoperability regimes, data portability tools and commercial practices will continue to develop in the data ecosystem.
Thank you to Kai Koppoe, Hunter Dorwart and Veronica Alix for their contribution to this blog.