Jeni calls on governments around the world to ensure data portability supports open innovation and competition while preserving people’s privacy, by creating data infrastructure, educating the public, stimulating innovation, targeting their efforts and experimenting cautiously
By Jeni Tennison
I’ve written before about the potential of data portability, and the barriers that may prevent it fulfilling that potential. In the mainstream news recently, we’ve also seen what can happen when data portability goes wrong, with data about 50 million Facebook users, unbeknownst to them, ending up in the hands of Cambridge Analytica.
Some data protection rights focus on ensuring people know what happens with data about them. Others focus on ensuring people can stop things from happening to or with data about them, such as enabling them to correct or delete it.
Data portability rights focus on enabling people to do more with data about them, so that they can move to new service providers or use products that give them additional insights. They are more focused on promoting innovation and competition than data protection directly (though arguably they may encourage more ethical data practices by ensuring people can move away from services that do not follow them).
Here, I’ll look more specifically at the roles governments around the world could play to ensure data portability supports open innovation and competition while preserving people’s privacy.
Creating data infrastructure
Data infrastructure consists of data assets, the organisations that operate and maintain them, and guides describing how to use and manage the data. Trustworthy data infrastructure is sustainably funded, with adequate safeguards to protect people from harm, and is directed to maximise data use and value to meet society’s needs.
Strong data infrastructure is as open as possible, but the data assets that contribute to our data infrastructure are not, and cannot, all be open. Our data infrastructure includes personal data held by public and private sector organisations through our use of different products and services. It also includes data about us captured for research purposes, such as the results of the census or longitudinal surveys that inform public health policy. This should only be shared in secure ways.
Data portability should be a mechanism for strengthening our data infrastructure, making it more trustworthy and enabling us to get more value from it.
Governments can play several roles here to strengthen this part of our data infrastructure:
- They can ensure the security and privacy of people porting data by developing and encouraging the adoption of common approaches around things like identity, authentication and permissions. They can direct innovation funds to prototype and work through the difficult problems such as when ported data holds information about multiple people.
- They can exercise regulatory powers so that data portability rights are upheld, including acting quickly and strongly against organisations that mislead users to get access to data about them or misuse data they get access to.
- They can legislate in ways that tackle some of the gaps that limit the ability of the data portability right to improve competition or support consumers. For example, they could require some companies (eg those large enough to be able to take the burden, or those in particular sectors) to provide instant access to data (rather than allowing them a month to respond to requests), and extend the right to businesses as well as individuals. They can require transparency about how and with whom data is shared and used to enable regulators and consumer rights organisations to support consumers effectively.
- They can monitor the effects of data portability. This monitoring will need to include ensuring organisations are open about how personal data is being used as well as how equitably the benefits are spread, and who is being harmfully impacted. The results should be published as openly as possible. This is necessary to help societies shape technological progress towards the outcomes they democratically decide on, and to help governments understand whether, where and how to intervene.
- They can support interoperability by working with the private and third sectors to develop and encourage the adoption of open standards for data, including for ported data and data that supports transparency around data portability, such as lists of applications to which you have granted access.
- They can contribute to the data infrastructure themselves by providing access to the data they hold about us. They can do this in a way that demonstrates good practices, including in interface design and security measures, and make available open source libraries that help other organisations to follow suit.
Educating the public
One fear around data portability is that people may not be aware of the right or how to exercise it wisely. Governments should look to tackle this through public information campaigns and guidance that helps people to avoid passing data about themselves, or people they are connected to, to untrustworthy organisations.
Governments should work with consumer rights organisations and those companies who people trust with data on these campaigns. They should emphasise to people the need for those accessing data to explain why they need it, and data hygiene practices such as reviewing and removing permission for applications to access data on a regular basis. If harmful impacts do occur then consumer rights organisations should have the power to work with the courts to support consumers.
Governments should also provide guidance that helps organisations design applications that support data portability in ways that help people understand what is going on. The patterns developed by IF are an excellent foundation for this.
Data portability on its own does not address the power of platforms. If anything, I expect that left to the market data portability will encourage the development of market-dominating data stewards like Facebook and Google. We will need additional measures to level the playing field. I suspect forward-looking companies will be positioning themselves to become one of these platforms in their sectors, at the centre of an ecosystem of services, and making money not by selling data but by selling services or winning extra customers through those that rely on the data they hold.
A good outcome would be for data portability to encourage and facilitate competition at a layer above these data stewards, amongst the applications that provide direct value to people. It may not address horizontal monopolies but it could help to break down vertical monopolies and artificial silos between sectors such as telecoms, transport, health or sports.
Governments can help this to happen. Indeed, if they do not, it’s likely small organisations seeking to compete at the layer above the platforms will either be squeezed out by the investments the big players can make, or bought up. Both regulatory actions against the formation of monopoly power and stimulating innovation through investment, prizes, and so on could help here.
A final question for governments is which sectors or areas to intervene in, especially where to make more active interventions such as mandating the development and adoption of standards for data portability.
There are five categories of sectors or areas governments could target:
- Those in which competition is an issue, which are likely to be those in which there are already regulators such as telecoms, energy, water and banking.
- Those where there is existing strong innovation around particular sectors that are well positioned to take advantage of data portability with organisations that can create jobs and attract investment; for example in the UK this might be around transport; in Mexico it might be fintech.
- Those where data portability of data from the sector could create value for public services, for example in wearables to support access to data that can be used in health and social care.
- Those in which the data that would be made portable could provide real utility for consumers across a range of products and services, for example account data (name, address etc), location data, social graph data, clickstream data, spend data.
- Those in which the data that would be made portable could provide real utility for businesses, particularly smaller businesses, and in particular as they scale and wish to switch services, for example accounting data, customer relationship data, or employee data.
We are at the beginning of the journey to understand what greater data portability will do to our lives and the market. It is likely its impact and the types of interventions governments need to make will vary from sector to sector, and unlikely one-size-fits-all solutions will succeed.
These impacts could be large and could affect many people and communities. We need to be particularly careful with data portability of more sensitive data, whose use could lead to more damaging harms. In some circumstances having some friction around moving personal data to new services will be a good thing.
Governments should therefore actively monitor the consequences of data portability on people and the market, and build in transparency requirements to legislation to ensure this monitoring can be done effectively. They should work to stay aware of initiatives in other countries, and ones that arise without its intervention. They should consciously, deliberately and carefully experiment with different approaches to learn what works and what doesn’t.
Getting the best from data portability requires organisations to be both open and trustworthy. It is hard to predict the degree to which this will happen without intervention. Government has an important role to play in monitoring, supporting and regulating the market to ensure we get the best outcomes from data portability as consumers, as citizens and as communities.
You can read all of our thought pieces and interviews on the Facebook and Cambridge Analytica story in our ODI View page. If you have comments or experience that you’d like to share, pitch us a blog or tweet us at @ODIHQ.
If you are getting to grips with ethical data use in your organisation, the ODI offers workshops, coaching and resources designed to help you navigate them. Speak with us at [email protected] to find out more.