Supporting effective portability under the DMA
On April 19, MyData Global, The Coalition for Online Data Empowerment (CODE), and the Ethical Commerce Alliance (ECA) penned an open letter to the European Commission regarding data portability compliance under the DMA. The letter acknowledges that designated gatekeepers have taken important steps to “level the playing field and give consumers more choices” to date, but asserts that they have yet to consistently or meaningfully comply with their new legal obligations.
At DTI, we work closely with some of the companies designated by the European Union, notably our founding members Apple, Google, and Meta. Together with them, we offer some portability tools powered by the open-source Data Transfer Project. We’re not in a position to comment on any company’s individual DMA compliance efforts, though, as we operate independently from our members and partners.
But we do wish to engage on the subject of this letter, as it relates strongly to our mission of empowering people through a vibrant data portability ecosystem. To begin, we very much welcome MyData, CODE, and ECA engaging on portability. Our view has always been that the more stakeholders who engage in this space, the healthier the ecosystem will be.
We also want to offer some thoughts from our own perspective on two substantive points from the letter and DTI’s role in this space.
First, the letter highlights the importance of third-party developer access in order to help make the DMA’s portability obligations meaningful in practice. At DTI we agree wholeheartedly with the importance of third-party access in this context.
While Article 6(9) of the DMA requires facilitating direct porting to third parties at the direction of the user, nothing in the law specifies how to mitigate potential harm; there are no details or requirements as to how third parties could or should be authorized from a security or privacy perspective. In other words, there is no universal method for establishing trust between parties involved in the direct transfer process and many important questions arise: How can the receiving or originating service be confident that data will not introduce security or other risks? How will users be confident that transfers reflect their understanding and intention?
DTI’s trust model work offers a potential solution to this point. In an effort to protect the interests of 3rd parties, end users, and data services, DTI recently published an initial draft of a security and safety trust model, the goal of which is to enable services receiving data and sending data to mutually authorize each other for direct transfers. In doing so, we’re tackling the problem of how to establish trust through a process that neither undermines the user nor compromises the benefits of data portability intended for the market. Our main goal is to help guide, structure, and align independent implementation of trust processes in a way that provides more consistency and harmonization for companies of all sizes and in different jurisdictions. A shared trust model developed through such a process will allow many more companies to participate and align on trust more quickly and efficiently.
We are pleased that CODE has signaled its support for the general direction of our work. We are planning more in this space, including extending on the initial trust model to add specificity in data verticals and proposed questions, as well as exploring structures and processes for implementing the trust model we have proposed. We look forward to working with all stakeholders in reaching the right outcomes here as this effort moves forward.
Second, the letter asks gatekeepers for firm commitments and timelines related to implementation of continuous and real-time data flows, a novel obligation under the DMA. On a number of occasions, DTI has highlighted the differences between “traditional” data portability as we have normally thought of it to date, and continuous and realtime portability. As we have noted previously, there is broad acknowledgement that implementations will need some room and some time to evolve. Consequently, we would hope that any specific commitments or deadlines do not interfere with or undermine the necessary iteration and adaptation needed to tailor continuous and realtime implementations to meet user needs.
For both of these points, as with portability in general, the path to accomplishing implementation in practice differs on the use case, technology vertical, type of data, and use. It will be important to get specific in addressing technical questions in portability–to help unpack verticals, use cases, and contexts to determine what benefits users in practice.
DTI looks forward to working alongside our members and partners, the Commission, and all other stakeholders in the portability ecosystem including MyData, CODE, and ECA to build a healthy portability ecosystem that centers on and serves people.