In its broadest sense, data portability can be interpreted as the ability to share data between people, groups and/or organisations. A company, for example, might ‘port’ data – which could involve the transfer of data, or the provision of access to it – to a third party in order to deliver a particular service. The term is often used within the context of personal data.
In the past, initiatives such as midata have tried to increase data portability by helping individuals to access data about them and use it for new purposes. For example, customers of some energy suppliers can access data describing their energy consumption and upload it to third-party price comparison tools in order to find a better deal.
Coming into force this May, the European Union General Data Protection Regulation (GDPR) will strengthen existing individual rights over personal data and introduce new ones, including the right to data portability. The right to data portability is a more extensive version of the existing right to data access. It gives you the right to get hold of data held about you by an organisation, but goes further in enabling you to obtain the data ‘for reuse across other services’. In doing so, the right has been described as stretching beyond data protection into other fields, such as competition law, intellectual property and consumer protection.
Much of the commentary around GDPR has focused on compliance with the new regulation amid the risk of large fines. However, focusing on the regulation’s teeth obscures its intent; as Information Commissioner Elizabeth Denham describes, “thinking that GDPR is about crippling financial punishment misses the point[…] it’s about putting the consumer and citizen first”. The right to data portability shows promise not only as a measure to support individuals in exercising greater control over data about them, but also in driving innovation and new products and services.
What could the right to data portability enable?
At the Open Data Institute (ODI) we have been exploring the potential of data portability. Through our work in different domains – including banking, retail, telecoms and peer-to-peer accommodation – we have developed a draft set of categories to describe the products and services that portability may enable. These categories describe why an individual may exert their right to data portability, rather than how portability might be enabled. Below, we’ve outlined the categories using examples from the peer-to-peer accommodation sector.
The right to data portability is likely to support individuals in switching between providers of the same, or similar, products and services. This concept is not new to GDPR – the EU’s Payment Services Directive II (PSD2), for example, requires banks to share payment data with third parties at the request of their customers, supporting the development of new payment services.
In issuing guidelines on GDPR’s right to data portability and what it might mean in practice, the Article 29 Data Protection Working Party has outlined the possible role of the regulation in facilitating switching between service providers, whilst articles such as The right to data portability in the GDPR and EU competition law: odd couple or dynamic duo? have framed the right as a means to encourage competition.
Whilst data portability alone will not address the broad set of factors that cause a lack of competition in markets, it could support some users to detach themselves from one provider of a service in order to make use of another. For example, in the peer-to-peer accommodation sector, the right to data portability could help people to use multiple platforms by making it easier to port data between them. For those letting rooms or homes, this could mean porting data describing their property and reputation directly to a new platform or to a tool that manages their property across many platforms.
The benefits of the right to data portability will not be limited to supporting individuals in switching between providers of a particular service. People may also port their data to third parties who provide products or services that complement the data’s original use.
These complementary services are likely to include those that provide deeper insights into a particular type of activity or link together related ones. In the context of peer-to-peer accommodation, a host may choose to port data describing their property from an accommodation platform to an insurer, in order to insure their property more easily.
This pattern illustrates an opportunity for organisations to become platforms for generating and sharing value between different types of actors. In this way, the right to data portability may enable individuals to initiate this type of approach in addition to organisations that currently hold data about them.
As well as supporting both competitive and complementary products and services, the right to data portability may also enable uses of the data that are unlikely to otherwise occur. We are currently referring to these as unrelated (or serendipitous or perpendicular).
Individuals may, for example, decide to port their data to trusted organisations for research purposes. As ODI CEO Jeni Tennison recently suggested, “the data portability right could lead to more people making the positive choice to donate data about themselves for good causes[…] data portability could provide a mechanism for some charities and civil society groups to engage people in collective action.”
In the case of the peer-to-peer accommodation sector, individuals may choose to port data describing their property or usage of accommodation platforms to researchers looking to understand the sector’s impact.
Challenges to effective data portability
Whilst the right to data portability clearly has the potential to support innovation, there are a number of factors that may limit its effectiveness.
Importantly, the right’s strength will depend heavily on the definition of personal data under GDPR. The Article 29 Data Protection Working Party indicates that data which is ‘entered’ by an individual or ‘generated’ through their use of a product or service will fall within that definition, whilst that which is ‘derived’ or ‘inferred’ from this data will not. A narrow definition of personal data will restrict the types of new products and service made possible by the right to data portability. In the peer-to-peer accommodation example, this could mean that a host on an accommodation platform could port basic profile information but not their reputational scores. In practice we expect there to be uncertainty around the types of data that will be subject to the portability right, particularly related to data that is ‘generated’ through an individual’s use of a service.
Jeni has described a range of other factors that may stifle the benefits from the right to data portability, including: delays organisations are permitted to take in porting data to new service providers; a lack of guarantee that data will be able to be ported directly to third parties (meaning that the right could more closely represent the right to data access than true portability); and issues of interoperability. It is likely that the scale of these challenges will become clearer as GDPR is introduced and we understand how it will be enforced.
In the right to data portability, GDPR introduces a new mechanism for individuals to use data about them to power competitive, complimentary or serendipitous products and services. Whilst the right’s effectiveness in driving innovation cannot be assumed, we anticipate that the right to data portability will present opportunities to individuals and organisations across a variety of sectors.