Reciprocity, and when it matters most
With most things in life – and tech policy is no exception – I tend to approach issues and challenges with an analytical mindset. I try to be balanced and honest about what the evidence is saying, and pragmatic about what can be achieved. I’m ambitious and also a realist. I am impatient to make progress quickly, but I am also committed for the long haul.
I also recognise all of these traits in DTI. We are brave to call out nuance, and to adapt our thinking as the facts and context change, even where others may claim to see only black or white. As Chris put it in his opening remarks at our event in Brussels a few weeks back, “we don’t believe in forcing square data pegs into round API holes.”
But when it comes to nuance, there is one small elephant in the room that we need to talk about. The elephant’s name is reciprocity.
There is no doubt in my mind that DTI is on the right side of the debate when it comes to the need for reciprocal data transfers, both in principle and in practice. And now feels like the right time to add some more layers to our approach to this topic. That’s my aim for this newsletter.
Why does reciprocity matter for data transfers?
One of DTI’s founding policy principles is that data transfers should be reciprocal in order to ensure that users can transfer data from any service. In other words, if we take the principle at face value, data transfers should not be required to be supported to destinations that do not enable a return journey. A user can always download a copy of their data and upload it anywhere; but reducing the friction of falling into a data black hole by supporting direct transfers to non-reciprocal services doesn’t seem like a good policy outcome.
Chris brought this challenge to life rather neatly at Christmas time with a neat metaphor with holiday gift returns. In most contexts, markets will work best when consumers have the option to change their mind if the product or service isn’t up to scratch. Portability de-risks choices, and helps consumers feel free to try new things.
Take music streaming services as a prime example. A user may be reluctant to switch (or multihome) to a new streaming service if it will mean losing – and then manually recreating – the library and playlists that have been carefully curated over many years, providing the soundtrack to their lives. The tools built within the Data Transfer Project to facilitate the transfer of playlists between Apple Music and YouTube Music have demonstrated the art of the possible for reciprocity in this context, but the value will continue to be limited until more market participants are willing to join in.
And yet, reciprocity is not just about promoting choice and competition – it is also well grounded in data protection law (at least in Europe). The right to data portability, enshrined in Article 20 of the GDPR, places responsibilities on all businesses to support direct data transfers for their EU and UK customers. If we had something even close to full compliance with this existing regulatory requirement – admittedly a significant leap from where we are today – then further discussion of reciprocity would be gilding the data transfer lily.
However, a lot has changed in the world of data portability since DTI set out its founding principles at launch 2023. We no longer talk predominantly about data transfers as a way of empowering consumers to switch to new services (although that is still important!) – we increasingly discuss portability in the context of innovation and value creation. This shift in demand is consistent with the new data portability tools that have emerged in response to the EU’s Digital Markets Act (DMA), which facilitate the creation and sharing of new copies of a user’s data, enabling its simultaneous use in multiple locations. And very often these copies are being shared with adjacent or even unrelated services, not competitors. This evolution in the purpose of data transfer suggests it is time to revisit what we mean by reciprocity, and when we think it matters most.
When to prioritise reciprocity
At DTI we are encouraged to dream big. We want to work towards a world where it is considered the norm for an online service to proactively and voluntarily develop a data portability solution. Where incentives and market forces align so that it pays to support user-led transfers. Regardless of the service, company size, or geography, we aspire for technology users to have universal access to effective data transfer tools. This is a world of reciprocal transfers, with no exceptions.
But dreaming big is not the same as being unrealistic. This outcome is a long way off, and the journey to get there won’t be in a straight line. It is simply not plausible for everyone to act at the same time. We might hope for a hockey stick, but not a big bang.
As we trend in the right direction, we will need to think carefully about the circumstances where reciprocity is most important – the situations where it is most impactful for users. Equally, we will need to be honest with ourselves about where it is a lower level priority, and can be accepted as a challenge for another day.
We can and should be purist about our long term goals, and at the same time we must be pragmatic about the route we take to get there. As we do so, we might consider the following factors in influencing how willing we are to die in a reciprocity ditch:
- Resources and capability of parties involved – we should set expectations high on companies with large numbers of users around the world, those with large numbers of skilled engineers, those used to handling data or working with APIs, and those generating millions in revenue etc. In contrast, we can afford to be more patient with very small businesses, pre-revenue startups, or those without in-house engineering capability.
- Competitive dynamics – we should consider whether data recipient services are substitutes or complements to the data holder. There is far greater value and impact from reciprocity for transfers between rival services (where a user may be permanently moving the master copy of their data) than there is between complements (where a user may be creating additional copies). But of course, we should still expect portability and reciprocity in the downstream market between the competitors there.
- Type of transfer – related to the above, it is important to consider whether the data is being moved from one location to another to facilitate switching, or being duplicated to facilitate additional uses. Reciprocity is most critical in the former, where the potential for dead ends and consumer lock-in is intensified. If additional copies of the data are shared with additional services, the user is likely to retain the master copy at its original source.
- Type of recipient – the nature of the destination organisation and its objectives are relevant. For instance, reciprocity will be more applicable to private sector organisations seeking data access for commercial purposes than it will for others such as, for example, researchers using data donations to carry out medical research. We might also consider whether the service provided by the data recipient generates new unique data that holds value, or alternatively is just a recipient and aggregator of data copied from elsewhere. In the absence of material new data creation, there appears to be a weaker case for reciprocity.
- Regulatory environment – whether existing laws support or discourage reciprocity. For example, interventions designed to overcome competition challenges, such as the DMA, are deliberately designed to be asymmetric in nature.
Let me illustrate my thinking with a couple of examples.
First, let’s consider the portability of a user’s chat history with a generative AI virtual assistant. Such portability can prevent consumer lock-in, enabling users to switch to an alternative AI virtual assistant without losing the history of their prompts and responses, which they may have been developing iteratively over months or years. Losing this history may act as a barrier to switching for some users, and eventually dampen competition. This is a scenario where our collective expectations for reciprocity must be high from the outset. Generative AI virtual assistants offer substitutable services, each generating high volumes of unique user data, and are generally developed by companies with the capacity and capability to develop data transfer technology. One directional transfers in this scenario will send users down dead ends, and the result will be a continuation, if not acceleration, of competition concerns.
Now, as an alternative thought experiment, we consider transfers of account data from a social media platform to a personal data store that provides users with data insights. Reciprocity in this scenario could lead to some user benefits, but these are less immediately apparent. The transfer is likely to be of a new copy of the data, with the original holder maintaining control of the master copy and the user remaining on the social media platform. The personal data store is likely to be predominantly ingesting data rather than creating new data that doesn’t exist elsewhere. In this scenario, the user would likely gain greater value from the data store provider prioritising the building of functionality for data transfers to other data stores, so they are not locked in to any single provider in that market.
It’s hard to imagine a scenario where reciprocity would be bad. But we do need to start somewhere, and that means being clear what we can afford to do later.