Global developments in data portability law
In an earlier post from DTI, Chris wrote: “tech policy doesn’t stop being relevant when laws are adopted; to the contrary, that’s when the real work begins.” Implicit in what he wrote is that the first step is the law. Today’s post will check in on the law in the context of data portability.
Five years after the GDPR went into effect, policymakers around the world appear to have a renewed or newfound interest in data portability. Privacy laws often advance portability, and sector-specific data portability regulations now join them. Meanwhile, laws like the Digital Markets Act in the EU are now expanding data portability requirements beyond the GDPR’s baseline, and we expect this trend to continue in Europe and around the world.
DTI will engage in this landscape, and we’re sharing more of what we’ve researched to help build a shared foundation of awareness and understanding.
The GDPR and DMA as baselines
Under Article 20 of the GDPR, the data portability right consists of: (1) a right to receive personal data for later reuse, (2) a right to transmit that data to another controller, and (3) the right to **directly** transmit the data from one controller to another where technically feasible. Personal data must be received in a structured, commonly used and machine-readable format so that it can be transferred to another controller in a manner that is readily usable and without hindrance (in other words, the format provided should not impact or hinder the ability to reuse the data).
The GDPR articulates rights, rather than any particular implementation path. To help clarify expectations for businesses, the EU has released guidance documents specific to data portability. Of course, when a new jurisdiction borrows concepts or even language from the EU, it also takes on any ambiguity in the original language, but without the accompanying clarifications that help inform implementation or intent.
The DMA, on the other hand, significantly expands on the GDPR's approach to data portability and approaches it from a competition perspective, imposing obligations on certain large platforms (the "designated gatekeepers") in its effort to ensure fair and open digital markets. Article 6(9) of the DMA introduces new requirements for designated gatekeepers to provide businesses and users with tools that facilitate "continuous" and "real-time" data portability, raising new legal and technical questions about the intended scope of the obligation. It also requires gatekeepers to give users and third parties authorized by a user tools to access the user's data, so that it can be ported to a competitor's products and services. The text of the DMA, however, does not specify how such third parties should be vetted or authorized from a security or privacy standpoint, which leaves gatekeepers to decide how a "real-time" access channel is authenticated and how a user's authorization of a third party is verified and revoked.
On August 17, the Korean Personal Information Protection Commission ("PIPC") announced its new data portability strategy, also known as "MyData." On September 27, the PIPC released security guidelines (available only in Korean) for data transfers under MyData. In October, it is expected to release additional plan details for public consultation. Among the questions for consideration are the scope of data subject to the data portability right, as well as questions related to the right to request transfer to third parties. The rulemaking is expected to apply to ten identified sectors, including healthcare, telecommunications, and energy. Notably, the PIPC established a task force in charge of implementing the policies in practice, and it is expected to focus on promoting standardization.
In the UK, the Data Protection and Digital Information (No. 2) Bill was introduced in March 2023, prompting discussions as to whether to provide enhanced data portability rights beyond the right to data portability in Article 20 of the GDPR. The explanatory notes accompanying the bill highlight the concern that the GDPR does not guarantee provision of customer data in "real time" or in a useful format.
Meanwhile, some jurisdictions have recently decided to require direct portability (for example, Nigeria and Quebec), and some countries (such as Saudi Arabia) are amending their existing privacy laws with stronger data portability requirements. DTI plans to track new developments more closely and provide updates in the coming months.
Federal interest in the U.S.
While no national law has been adopted to require portability in the United States, there is growing interest in the issue in several places. In March 2023, the White House released the 2023 Economic Report of the President, which discusses the importance of multi-homing and notes that switching costs, including those caused by a lack of data portability, can undermine its pro-competitive effects. The report noted the importance of both interoperability and data portability to competition and innovation, and acknowledged the role the EU's Digital Markets Act is playing in this regard.
One bill before Congress, the ACCESS Act, would mandate data portability and interoperability for certain tech companies. First proposed in 2019, the bill was re-introduced in the current session. Like the DMA, the ACCESS Act brings a competition-centric narrative to portability, rather than the individual or privacy grounding of the GDPR and most state laws. A bill to similar effect, Senate Bill 6686, has been proposed in the state of New York and is aimed specifically at social media companies. DTI has prepared a legislative analysis comparing these draft bills, which is available on our website.
Additionally, on October 20, the CFPB announced its highly anticipated rulemaking on personal financial data rights, covering the data portability and interoperability of personal financial data. Among the issues on which the CFPB solicits comments are the obligations of third parties that access a consumer's data (including important privacy protections for that data) and how to develop standards that provide fair, open, and inclusive access to data.
U.S. state developments
As noted, the United States does not have any general-purpose federal legal obligation to provide data portability. However, this year eight more states (Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, and Florida) joined five earlier ones (Connecticut, Utah, Virginia, Colorado, and California) in passing comprehensive privacy laws. Most states draw upon language from the GDPR's right to data portability in Article 20, but others depart significantly from its well-established terms or introduce new terms without defining them, creating uncertainty about the bounds of the law. In short, all of these laws leave room for interpretation and further clarification of the rights they create.
In general, most data portability provisions at the state level closely track some version of the following language: “A right to obtain a copy of the consumer’s personal data previously provided by the consumer to the controller, in a portable and, to the extent technically feasible, readily usable format that allows consumers to transmit the data to another controller without hindrance.”
Let’s dig into some of the differences that arise.
"Provided By vs. Processed." In 2023, half of the states that passed laws with portability provisions limited the right to data previously provided by the consumer (as opposed to any data that is "processed"). Under the GDPR, it is generally understood that "provided by" covers not only information that a user knowingly and actively provides to a controller, but also data observed as a result of the user's use of a service or device. It does not, however, include inferred or derived data. The state laws lack this explicit clarification, and questions remain about the extent to which data that includes inferences can be subject to the data portability right.
"Portable" and "Readily Usable." Every state uses the term "portable" without clarifying whether it refers to: (1) a right to receive (download and export) personal data for later reuse, (2) a right to transmit that data to another controller (by requiring formats that enable users to later upload and easily reuse their data with a new service), or (3) the right to **directly** transmit the data where technically feasible. Furthermore, while the GDPR requires that information be provided in a structured, commonly used, machine-readable format, the majority of states (with the exception of California) generally require only that the data be "readily usable," leaving open questions as to the required format and the extent to which data must be made portable for consumers.
Technically Feasible. No state defines what this term means. Furthermore, some states (such as Utah, Indiana, and Iowa) have lowered the standard to require portability only when "technically practicable" or "practicable," prompting concerns from some that companies may unnecessarily withhold data or portability options.
Access vs. Portability. There are also notable outliers that fail to capture the goals of portability. These bills more closely resemble the GDPR's right of access, which differs significantly from the right of portability in both its goals and its associated requirements.
Florida differs significantly from the GDPR and other state privacy laws in that it omits the language requiring that a consumer be able to transmit the data to another controller without hindrance. Arguably, this significantly weakens the right to data portability: it requires only that a user be able to obtain and reuse their data for their own purposes, not that a company play any role in making it smoother and easier for consumers to transfer that data (which requires enabling some level of interoperability).
Indiana is a notable outlier in that, although it claims to have a data portability provision, the right more closely mirrors a right of access. The statute requires either a copy of the personal data or a representative summary. This is problematic because, while such a provision would be sufficient to meet the goals of the right of access (where the purpose of providing personal data is to make a user aware of the types of data collected about them), it falls well short of helping users transfer their data to another service, since the underlying data may not be provided to the user at all. Moreover, the statute leaves it entirely up to the data controller to decide when a representative summary is more appropriate.
Trade Secrets. Virtually all of the state privacy laws (with the exception of Virginia) explicitly exempt the disclosure of information that would reveal a trade secret. The states differ, however, in who may invoke the exemption. Laws passed recently in Utah, Iowa, Texas, Tennessee, and Florida apply the exemption equally to the controller, processor, third party, and consumer. Others, such as Oregon, Montana, Delaware, Connecticut, and Colorado, permit only the controller to take advantage of it, with Colorado going so far as to specify that the exemption applies to a controller's disclosure of trade secrets to consumers.
From law to practice
Data portability laws around the world, existing and proposed, impose varying levels of responsibility on companies to make it easier for consumers to switch services, but it is unclear whether these requirements will be meaningful in practice until implementing regulations arrive. As the EU implements its new data portability requirements, and as other countries follow suit, DTI will be ready to serve as a resource and to help translate principle into practice, with the end goal of greater user agency and empowerment.