CPDP 2019 Panel: Understanding the limits and benefits of data portability
By Gabriela Zanfir-Fortuna and Sasha Hondagneu-Messner
The Future of Privacy Forum organized a panel at the 2019 Computers, Privacy and Data Protection Conference in Brussels to discuss the limits and benefits of the right to data portability as introduced by the GDPR. This panel was chaired by Thomas Zerdick (EDPS), moderated by Stacey Gray (FPF), and the speakers were Joris Van Hoboken (VUB-LSTS/UvA, Gabriela Zanfir-Fortuna (FPF), Babak Jahromi (Microsoft), and Olivier Micol (DG JUST).
The subject of the panel was prompted by several catalysts, including the discussions that held the front page last year over how Cambridge Analytica accessed personal data of Facebook’s users through an app, without disclosing to users the details and reasoning of the processing at the time they asked permission to install it. The Cambridge Analytica scandal shows the importance of platforms limiting access of third parties to users’ personal data. However, such limitations cannot be absolute. In fact, technical means to ensure interoperability between systems seem to be mandated by EU law.
As a matter of fact, one of the GDPR’s biggest innovations is the introduction of data portability as a new right of the data subject. Data portability presupposes that individuals should be able to transfer their personal data between players in the market, be they old or new, or even between players in different markets. This requires that companies make data users’ available for transfer in an interoperable format and subject to a user’s request.
In addition, Stacey Gray, FPF Policy Counsel, highlighted that the conversation on data portability is equally as relevant right now in the United States, given the debates on federal privacy legislation and the fact that one state law, the California Consumer Privacy Act, already included in its provisions portability as a by-product of the right of access.
How did portability appear in the competition/privacy discourse?
To set up the discussion, Gabriela Zanfir-Fortuna, FPF Policy Counsel, provided context of the right to data portability. She reminded the audience that the first instance of portability mandated by EU law was about portability of phone numbers, as a result of the Universal Services Directive. As shown by its recitals, that provision was introduced to promote competition among telephone service providers. Zanfir-Fortuna also mentioned that the debate on portability in relation to digital data was initiated in the US more than two decades ago and discussed a case from 2000, FTC v. ReverseAuction.com, which raised portability questions since it was caused precisely by a new service porting personal data of users from an established service, but by its own motion and without the prior consent of the users. However, data portability was first regulated in the EU, by the GDPR, which introduced it as a new right of the data subject and which gives the right to an individual either to ask an organization to port his or her personal data directly to another organization, or to receive that data in an interoperable format.
What are the limits of the right to portability in the GDPR?
Olivier Micol, the Head of the Data Protection Unit of DG JUST (European Commission), went into the details of what is the scope of data portability as provided by the GDPR, since the right to data portability only covers personal data that was “provided” by the person to an organization. He pointed out that the easy scenarios are when data is provided by an individual in the form of an upload, such as uploading photos or filling out a form. The EU Data Protection Authorities have issued guidelines on data portability which state that personal data that is provided includes data observed from use, for example the data collected about where an individual puts their cursor on a webpage.
What is not protected, is data that are the byproducts of services such as when a data controller uses an algorithm and processes data. Inferences from data would fall out of the scope of data portability, he said. Later on during the discussion in the panel Zanfir-Fortuna pointed out that, in contrast, data portability as provided by the CCPA also covers inferred data, since there are no limitations in the law in this regard, making its scope wider from this point of view than the scope of GDPR portability. The Commission official concluded his remarks saying that so far there have not been observed many applications of data portability in practice.
Can portability work in practice?
Babak Jahromi, IT Standards Architect at Microsoft, followed and presented the Data Transfer Project that Microsoft, Google, Twitter, and Facebook have all been participating in. Jahromi pointed out three difficulties with data portability in practice: Syntactic (is the data an integer, string, floating, or something else?); Semantic (for example, if data references a “jaguar” is it discussing a car or an animal); and Policy-related (how does it interact with existing regulations and contractual requirements for these companies). The Data Transfer Project was founded based on three principles: making the transfer of data technically feasible; implementing direct data transfer across potentially unlimited number of organizations; and ensuring that everything is open source so as to promote engagement. He emphasized the importance of such a system being open source and with broad appeal among a number of companies and data controllers.
What is the role of platforms in privacy governance?
Joris Van Hoboken, Professor of Law at Vrije Universiteit Brussels, began with a general remark that data portability is a way for individuals to get control over and value from their personal data. However, as he emphasized, a lot of data is very social in nature and many times involves other persons (such as photos or conversations), and there could be issues if someone ports their data to a platform that has weaker privacy protections. Van Hoboken discussed how platforms have become key players in privacy governance insofar as they are involved in: governing access to data; the design of relevant interfaces and privacy mechanisms; establishing policy and technical standards, such as requirements related to privacy policies or specific types of data; policing behavior of the platform’s users; coordinating responsibility for privacy issues between platform users and the platform; and direct and indirect enforcement of a platform’s data privacy standards.
Gray then asked the panel whether a data controller who has received a request has a right to object to the form or the process of the request. Zanfir-Fortuna stated that on first look, the controller could not refuse portability on the grounds of the receiving entity not having sufficient security protections. Micol stated that security is a key concern, but it should not be used as an excuse for porting data. Ideally, each data controller would have the GDPR already as a starting point of compliance, and as such would have applied all protective portions such as transparency, lawfulness, etc. The panel also discussed policy portability and the scenario of whether portability is technically possible or useful if it envisages pseudonymized data.
See the recording of the panel following this LINK.