The ability of consumers to easily move their data between online platforms (data portability) could be a consumer ‘super power’, allowing us to monitor, compare and switch products and services like never before. What follows in the market should be a flurry of innovation and competition that ushers in new entrants and forces dominant suppliers to improve.
Globally, data sharing is gaining momentum. On 22 September 2020, the United States Federal Trade Commission (FTC) held a public workshop on data portability. And under Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA), companies are required to offer their customers the right to port data.
In Australia, data portability has been making headlines this year thanks to the introduction of a Consumer Data Right (CDR) that allows customers to require their banks to share data with other financial service providers. Mandatory data sharing is being rolled out to other parts of the economy, like energy and telecommunications.
And in a rare display of collectivism, Apple, Facebook, Google, Microsoft and Twitter have created the Data Transfer Project to develop an open-source, service-to-service data portability platform so that users can easily move their data between online service providers whenever they want.
So, what’s needed to ensure consumers are no longer marooned on the data islands of our digital economy?
It’s time we learned to share
In their comments to the FTC, the world’s largest tech firms, e-commerce suppliers and industry groups tend to agree: it’s good to share.
Facebook say they believe in a free and open internet where people can share their data with the apps or services they like most. If you give your data to one service, you should be able to move it to another. In Google’s submission: bring it on! If it’s easy for people to move their data (and the high price it attracts), there’s pressure on Google to innovate “and that’s how it should be.”
The cynics argue that the platforms’ enthusiasm reflects the reality that data portability will never curtail the volumes of data that Google, Facebook, Amazon and others can harvest from users with every click. According to Consumer Reports, broader consumer data rights are required to limit the monetisation of data collected solely for the purpose of selling it on to major platforms.
What emerged from the FTC’s call for comment is a growing consensus that we need more rules and greater guidance to make mandatory data portability work. Such rules ought to manifest in new legislated privacy protections, clear guidance about what data should and should not be portable, protocols to delineate whose data should be ported if it’s owned by more than one user (like group photos or content created with other people), and monitoring regimes to ensure that data sharing platforms aren’t liable to third-party abuse.
But amongst all this consensus there are big battles to come. Under the GDPR and the CCPA, individuals have the right to access data that is collected on them (e.g. demographic and location data) as well as data that is being processed. What they don’t have the right to access is the result of the processing itself. Industry groups like Developers Alliance and platforms like Facebook caution against data portability rules that allow individuals to access “non-human understandable data, such as outputs of machine learning” or data that can’t be processed or understood without access to proprietary technology.
Portable but not interoperable?
While the major players tend to agree on the goals and challenges of data portability, there is no broad agreement about how to get it done.
Porting data means that platforms need to talk to each other. As noted above, the Data Transfer Project involves building a neutral ‘meet me here to swap’ platform.
However, others are arguing that online platforms, like mobile phone networks, should be directly interoperable with each other. This is the approach most commonly explored by governments when designing regulation to give patients more access and control over their healthcare data. For instance, New Zealand’s Ministry of Health has recently published a roadmap to interoperability.
But interoperability may be a bigger solution than is needed to achieve portability. Many warn that requiring platforms to grant third-party access to copy, change or process data may stymie innovation, impose significant design costs on smaller players, or create critical security risks for consumers and platforms.
In Europe, policymakers skirted this issue with legislation that encourages interconnectedness rather than mandating technical standards for interoperability. Under the GDPR, consumers have a right to “have data transmitted from one controller to another”; the way that transmission occurs is up to the platforms.
For now, it seems major platforms are holding all the data chips. Policymakers need their cooperation and support to make data portability a reality for consumers. The question is whether the platforms are headed that way already or whether a market-led solution is unlikely to ever hand over full choice and control. If consumers can’t escape their data islands, we might have to settle for #datapelagos.