As our personal information gets distilled into ones and zeros, comma-separated values, and other standardized forms, it should be easy for users to take their data and run to any platform they wish – but it frequently isn’t. Instead, information on commercial platforms is locked in proprietary silos or not made available to users in a move-friendly way.
The inability of users to seamlessly move their data among platforms is one casualty in the age of big data that points to a bigger loss: the role of individual decision-making power over personal information. Big data has made it nearly impossible for a person to have complete control over their data. And data protection regimes built upon the concept of an individual’s right to control their data have struggled with this new reality.
In collaboration with the Bertelsmann Foundation, CDT released a paper that explores how legal regimes founded on principles of individual control (that is, a person having some say in what happens to their data) have fared in the big data world. We examine legal frameworks in the United States, the European Union, and Germany to understand how their approaches have been challenged by big data. We also shine a light on the public’s view of their own control in big data products and services, and reflect on how these views differ in the US and abroad.
Finally, the paper considers how data sovereignty and data portability might replace outdated notions of individual control to inform new data protection regimes, as well as any benefits or drawbacks that they might present for regulators and for individuals.
Discussions around data portability, in particular, aren’t academic; next year, the data portability mandate envisioned by Article 20 of the EU General Data Protection Regulation (GDPR) will go into effect. Sandwiched alongside the rights of access and deletion, Article 20 permits data subjects to have personal information they provide to a data controller delivered to them in a structured, commonly-used, and machine-readable format, and have that information transmitted to a third party without hindrance. In December, the Article 29 Working Party took a first stab at providing guidance on this new right, but this only raised more questions as to what data portability entails under the GDPR.
Portability, while it sits adjacent to subject access and deletion rights, is only tangentially about protecting user privacy. But it speaks directly to the concept of individual control. According to the Article 29 Working Party, data portability supports user choice, user control, and consumer empowerment, and the GDPR’s version is also about promoting innovation and online competition. For years, regulators have acknowledged that portability could lead to business innovation, better product quality, and increased competition, while advocates have noted that portability requirements will, at minimum, help new players enter markets by giving them easier access to new data at scale.
At a roundtable on the future of data portability, convened and moderated by CDT at RightsCon in early March, participants noted that portability could have tremendous applications where data is collected over the long term. For instance, stateside efforts such as the Veterans Administration’s “Blue Button” program for health records and the Department of Energy’s “Green Button” initiative to make energy-usage information available demonstrate the potential of portability.
The larger challenge is that the responsibility for securing and managing portable information may have to be shared by a combination of different stakeholders, and if portability is embraced by new start-ups and other small- or medium-sized businesses, the security risks could become enormous – data export and import capabilities offer a tantalizing doorway for thieves.
There also remains considerable debate about what information can – or should – be subject to the data portability right. The Article 29 Working Party has explained that portability includes “observed” data provided by users by virtue of using a service or device but does not include “inferred” or “derived data” such as certain algorithmic results or personalization measures. It is unclear exactly how regulators will determine compliance with this requirement since it could force businesses to reveal information they consider proprietary or business-sensitive.
Another potential problem raised by data portability is the need to educate the public about it. Few companies do a good job explaining their data import or export functionality, and fewer still make it a core part of their business proposition. In comments to the White House Office of Science and Technology Policy’s abbreviated data portability project last year, CDT suggested civil society highlight efforts by industry to implement technical protections or to provide transparency reports that have helped raise awareness about basic security and surveillance practices, and portability approaches from different companies or industries could be evaluated in a similar manner. There is also room for civil society organizations to bring public officials and businesses together to outline any emerging best practices or potential pitfalls in data portability.
Data portability is neither a privacy nor innovation panacea, but if deployed correctly, it may oblige companies and regulators to give a second thought to what information belongs to users.