Data Portability Language in U.S. Federal Law
Six months ago, we wrote about global developments in data portability law, noting that there is “growing interest” in portability in the United States. Since that blog post, two major bills in Congress have included portability obligations in their text, one of which has been signed into law. At DTI, we’re glad to see Congress taking note of the value and importance of portability, although it will be critical to guide future steps to ensure that portability in practice empowers people and contributes to growing a healthy ecosystem for data transfers.
First, the recently adopted foreign aid package included a section designed to force the sale of TikTok. The law includes a provision mandating the portability of TikTok user data upon request. Specifically, it stipulates that in the event of a ban of the platform, entities behind foreign adversary-controlled applications must furnish users with “all the available data related to the account of such user with respect to such application.”
Data portability includes well-known edge cases of information held by a company and associated with a user that is not contributed or created by the user nor derived from a user’s activity, and where providing the information could compromise either internal business processes or the privacy of other users. A classic example of this is social media, where one user uploads a picture and another user replies with a comment. The original picture could be interpreted to be “reasonably linkable” or “related” not only to the initial poster, but also the commenter; would either of these bills allow the commenter to transfer the picture? Would that require permission from the original uploader? Could, for example, a link to a public URL of the picture be used instead? The answers to questions like these can vary by the technology and the specific context, and the assumptions and expectations of users of the service.
The foreign aid package does not address any of these questions. The Attorney General is charged with enforcement, and therefore has prosecutorial discretion, up to a point. More practically, the law’s prohibition language drowns the portability provisions in significance, and TikTok has made clear they will challenge this section of the law in court. Should the portability language somehow come into effect during or after the court proceedings, it will be important for the privacy of individual TikTok users to ensure a balanced interpretation and realistic implementation of the portability language.
The American Privacy Rights Act of 2024, a newly introduced comprehensive federal privacy bill, includes a similarly broad scope for its data portability obligation. Covered entities under APRA must allow individuals to request the export of covered data, defined as “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual.” Portability is not permitted if “exercise of the right would require access to another individual’s sensitive covered data;” and the data provider may reject a portability request, with an explanation given to the requesting user, if granting it would “require the covered entity to release trade secrets or other privileged, proprietary, or confidential business information.”
The Federal Trade Commission is charged under APRA to “issue guidance to clarify or explain the provisions of this section and establish processes by which a covered entity may verify a request.” Should APRA become law, the FTC has an important task ahead to provide more precise definitions for data within scope of portability obligations. DTI’s policy principles articulate the proper balance as a “focus on user-created content [that] should not extend to data that negatively impacts the privacy of others or that is used to improve a service (e.g. “inferred data”).”
To the extent that the U.S. government is seeking to advance data portability, engaging in thoughtful dialogue and refining the language of portability rules will help ensure that the rules in practice effectively serve the interests of both individuals and society at large. We at DTI look forward to working with all stakeholders to champion data portability as a cornerstone of digital empowerment.
DTI Updates
- Chris published a new blog post last week on effective portability under the Digital Markets Act, writing about trust in third-party transfers and the meaning of “continuous and realtime.”
- Delara spoke at the Berkman Klein Center on May 2 as part of a workshop on “Platforms and the Right to Information.”
- Lisa is speaking next week, May 15, at an in-person event in San Francisco organized by Bay Area Women in Machine Learning & Data Science.