Global Data Portability Policy Round-Up
It’s been a while since we last updated you on global data portability developments. Previously, we wrote on data portability language in U.S. federal law and provided an overview of the global landscape. Here are a few new updates on where things stand around the world today.
Europe and the UK
As we’ve noted before, the Digital Markets Act (DMA) in Europe introduced some novel elements to data portability, and although it took effect in March of this year, significant questions around its implementation remain unresolved. Meanwhile, regulators around the world have for some time been adopting their own take on Europe’s GDPR data portability requirements, and now have new sources of European inspiration in both the DMA and the EU’s Data Act and Data Governance Act as well.
We’ve also written about the United Kingdom, where the Digital Markets, Competition and Consumer Act 2024 (DMCC) has been adopted (although its implementation still lies ahead). While the DMCC does not include specific data portability obligations, its broader themes of empowering people, expanding markets, and creating opportunities for digital economy growth are certainly relevant to DTI’s work in data portability. And as we have detailed in our vision for the UK, the country’s Smart Data agenda also has implications for secure data transfers in the digital sector and its impact on the UK economy.
More Jurisdictions Recognize a Right to Portability
Malaysia
In July 2024, a set of new privacy protections—including the right to portability—passed as part of a bill to amend Malaysia’s existing privacy law, the 2010 Personal Data Protection Act. The new data portability right requires electronic notice and is subject to “technical feasibility and compatibility of the data format.” On September 6, Malaysia concluded a public consultation period on how best to implement the new privacy protections. The country’s Personal Data Protection Department (PDPD) asked questions about the appropriate scope of data portability requests as well as difficulties associated with responding to requests. In doing so, the PDPD appeared to signal an understanding of the challenges associated with technical interoperability, while considering the extent to which data portability requests should be honored even in the face of technical challenges. The Digital Minister of Malaysia has noted that several guidelines are being developed to accompany the new laws and we expect that the public will gain insight into any new data portability guidelines in the near future.
Canada
A new data portability right went into effect in Québec on September 22, making it the first and only jurisdiction in Canada to require data portability. The right was part of a set of amendments (known as “Law 25”) to the Act Respecting the Protection of Personal Information in the Private Sector. Barring “serious practical difficulties” (i.e., complexity of practical procedures and high costs), individuals can request their computerized personal information from organizations in a “structured, commonly used technological format.” They can also ask organizations to transfer this information “to any person or body authorized by law to collect such information.”
In associated guidance, the government of Québec acknowledges that while the implementation of interoperable systems is not a legal requirement, it does facilitate smooth and efficient transfers in a way that allows users to fully benefit from their right to portability. The guidance notes that the right to data portability encompasses both data provided directly and data provided indirectly (i.e., generated through a user’s activity)—but that it excludes certain information from the data portability right, including “personal information created or inferred,” noting the example of a user profile created from the analysis of his or her web activities.
The guidance leaves room for future changes, noting that a “public body” may specify additional clarifications to the right to data portability in the future—including the information covered by the right and the procedure to follow a request. Finally, the guidance also recognizes an important distinction between the right to access data and the right to data portability (a point that is sometimes overlooked or left vague) and lays out the differences between the two.
U.S. State Privacy Laws
In the United States, states continue to pass privacy laws with a right to data portability. In 2024, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey and Rhode Island passed privacy laws; every single one of them includes a general right to data portability. The states generally follow the same formula. In general, their purpose is to allow consumers to easily transmit data to another entity (or “without hindrance,” as phrased in the laws). The laws also recognize that there should be some limits to when and how data portability should be required. This is a stance that DTI strongly agrees with. In general, the data has to concern the individual and the request must be honored if “technically feasible” (although Kentucky has chosen to adopt the phrase “technically practicable,” which, while undefined, could be interpreted as requiring a lower bar for when companies can refuse to port users’ data). Most of the states (Kentucky, New Hampshire, New Jersey, and Rhode Island) explicitly mention revealing trade secrets as an exception to data portability, further recognizing that there is a limit to what is required under the right and suggesting that there is an important difference between data about a user and proprietary information and algorithms.
Sector-Specific Laws
Meanwhile, some countries continue to adopt a sector-specific approach to portability, focusing generally on either health data or open banking. While DTI is focused on data portability as it applies more generally, there are certainly important considerations and parallels to our work in these sector-specific laws and rulemakings that are worth tracking.
For example, in the United States, the Consumer Financial Protection Bureau (CFPB) is reportedly close to releasing its open banking rules based on Section 1033 of the Dodd-Frank Act. The rules are related to the data portability and interoperability of personal financial data rights and were initially proposed and presented to the public for comment in October 2023. Among the issues the CFPB solicited comment on were obligations for third parties accessing a consumer’s data—including important privacy protections for that data—and how to develop standards that provide fair, open, and inclusive access to data. The CFPB is expected to finalize and release its open banking rules in the coming weeks.
While DTI’s work isn’t generally to engage in advocacy, we do seek to be a resource to policymakers around the world, particularly as they look to the implementation phase to turn laws like these into practice. We will continue to track global developments and look forward to opportunities to add value with our expertise.