Data Portability

Authors: Vittorio Bertola, Nicolo Zingales and Luca Belli

The current debate on (data) portability finds its predecessor in the discussions on Mobile Number Portability (MNP), which emerged towards the end of the 1990s. MNP requires that, when switching from one provider to another, mobile telephone users must be able to keep their telephone number(s). The world’s first country to introduce MNP was Singapore in 1997, followed by the UK, Hong Kong, and the Netherlands in 1999 (Buehler; Haucap, 2004)¹. As of the early 2000s, many countries had created MNP requirements, especially in Europe.

The rationale driving the introduction of MNP is rather straightforward and understanding it is essential to grasp the importance of the current debate on data portability. Indeed, MNP aims at fostering competition, while maximising consumer interests. Before the introduction of MNP, consumers of mobile telecommunications services were required to give up their number and adopt a new one when switching providers. In practice, this situation represented a considerable transaction cost dissuading users to switch to competing providers thus jeopardising healthy competition. Importantly such cost included informing all their personal and professional networks about their new number, missing potentially valuable calls from people that still had the old number, etc. 

Hence MNP is considered to be beneficial for multiple reasons (Viard, 2004)². Besides avoiding incurring in the above-mentioned cost, consumers switching provider thanks to MNP are more likely to use the services they prefer the most, at the condition that suits them the most. The resulting increase in competition among providers becomes beneficial for both consumers who decide to export their number and those who decide not to do so.

In the same perspective, ‘data portability’ is aimed at empowering consumers, providing them more control over their personal data, while fostering competition between service providers. Data portability is defined as “the right [of a person] to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format”. This definition is contained in Article 20 of the GDPR, which was the first legislative source establishing such right. As per the Article 29 Working Party Guidelines, the right only covers data that was provided to the controller by the user but also includes data acquired by the controller by observing the user’s behavior, such as activity logs; it does not include further elaborations, such as inferred or derived data.

The Guidelines also identify negative conditions for the exercise of this right, in particular, that (1) it does not concern processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (2) its exercise is of no prejudice to the right to erasure provided by article 17 GDPR; and (3) it does not adversely affect the rights and freedoms of others. Of these negative conditions, the third is the most open-ended and uncertain from a business perspective, particularly considering that personal data that is subject to the request may simultaneously involve the personal data of third parties (“networked data”). 

The Article 29 Working Party gives the example of a directory of data subject’s contacts, suggesting that the data controller can only accept to process such requests to the extent that there is a valid legal basis, for example, a legitimate interest, which could be met if the new data controller was to provide a service allowing the data subject to process his personal data for purely personal or household activities. This interpretation, which presumes that the original data controller obtains specific and sufficiently reassuring information about the subsequent use of the received data, seeks to protect the data protection of third parties, which could otherwise be seriously affected by a too broad interpretation of the right to data portability. At the same time, the reference to “private or household uses” is also a safeguard against possible effects on competition derived from strategic use of the right to data portability in order to gather commercial value from third-party data.

Aside from the specific instance of networked data, other concrete possibilities of conflict may arise between the right to data portability and the rights or freedom of third parties. The A29 WP Guidelines merely mention one of these possibilities, specifically the tension with intellectual property or trade secrets, recalling one of the Recitals of the GDPR according to which “the result of those considerations should not be a refusal to provide all information to the data subject”. This is certainly not an exhaustive indication of how such conflicts should be resolved but provides a hint that one-sided solutions (e.g., absolute refusal in deference to trade secrets) would not be acceptable. It can thus be expected that a data controller takes reasonable measures to provide as much information requested as possible by decontextualizing personal data from proprietary algorithms or trade secrets. 

This arguably won’t be an issue as far as provided data is concerned since such data does not reveal anything about the inner working of the systems used to store and analyze them. On the other hand, intellectual property and trade secrets may present some challenges when it comes to observed data, which can be difficult to disentangle from the categories designed by the controller to process the data inputs. Even in cases where de-contextualization is not feasible, however, the fact the data is transferred onto the user, or a different data controller does not as such imply that the underlying intellectual property will necessarily be violated: the data subject and the second controller surely bear liability for any illegitimate processing of those data. This somewhat cynical understanding appears reflected in the statement by the Article 29 WP Guidelines that “a potential business risk cannot, in and of itself, serve as the basis for a refusal to answer the portability request”. 

Yet, it obviously raises a question of what the threshold of substantiation of risk is, such that they entitle a data controller- right holder to prevent future infringements of IP rights in the context of data portability requests. This is a matter largely left open to future guidelines (by the EU Data Protection Board) and legislation, with Recital 73 of the GDPR offering examples and stressing the need for any restrictions to data portability to be in compliance with the EU Charter of Fundamental Rights and the European Convention of Human Rights.

Data portability is one of the rights that are meant to give individuals control over their data. Its purpose is also to allow the individual to switch to a different service provider without having to provide all their information again. Thus, Article 20 of the GDPR also foresees the right to transmit the data to another controller, automatically “if technically feasible”. This would enable more choice and more competition in digital service markets, similar to what happened when number portability was introduced in the mobile telephony market. However, the Internet industry has not enthusiastically embraced the concept, and the implementation of the data portability right mostly remains limited to exporting the user’s data into a file, while “technical solutions for standardized data exchange remain in their infancy” (CERRE, 2020)³.

In its European conception, the right to data portability has a consumer dimension. Indeed, GDPR prescribes that this right only applies when the data processing is carried out by automated means and based either on data subjects’ consent or the execution of a contract. Considering that consent and contract are the most common bases for processing consumer personal data, we can argue that, at the EU level, portability primarily aims at improving consumer welfare and fostering competition amongst consumer-facing services.

The concrete implementation of data portability, however, is not as straightforward as it may appear, due to some normative limits and the practical complexity of the issue, which relies upon sound interoperability as an essential precondition. The European example is telling in this regard. Article 20 GDPR prescribes that a data subject willing to enjoy data portability will receive personal data “which he or she has provided to a controller, in a structured, commonly used and machine-readable format.” By receiving the data in such an interoperable format, the data subject will be able to enjoy the right to transmit those data to another controller” without hindrance from the controller to which the personal data have been provided.”

However, the abovementioned interoperable format is not defined by GDPR, nor does the regulation identify authority with remit to identify such format. Although an earlier version of the RDP, which was included in article 18.3 of the non-final version of GDPR, attributed the authority to define to the appropriate format European Commission, the final version adopted by the EU Legislator has delegated definition of such format to the market. As emphasised by Paul de Hert and colleagues (2018)⁴, the EU Commission’s role in the first proposal was crucial to achieving interoperability and effective implementation of the RDP as “the European Commission’s role was conceived as a progressive specification of data format, but also for “technical standards, modalities, and procedures for the transmission of personal data”. In other words, it could have helped to conform normative standards to technological developments, and it could have fostered a concrete and effective development of interoperability of all digital services. Unfortunately, in the final version, such reference to the “standardisation” role of the European Commission has been removed.”⁵

The agreement over format will depend on specific sectors of the (digital) economy and quintessentially relies on the evolutions of interoperability debates. However, it is important to mention that two formats are already sufficiently widespread to be considered as good candidates for the role of “commonly used format”, which can provide the interoperability needed to facilitate data portability: 

• XML (Extensible Markup Language), which has been utilised for more than 3 decades, and is an integral part of every web application. Be it a configuration file, mapping document, or a schema definition, XML facilitates data interchange by giving structuring data and facilitating dynamic configurations.
• JSON, which aims at storing data in a map format relatively neat and easy to comprehend. JSON is said to be slowly replacing XML because of several benefits like ease of data modelling or mapping directly to domain objects, offering a relatively predictable and understandable structure. 

Importantly, portability debates are not limited to Europe and the right to data portability has been enshrined also in other data protection frameworks, that followed GDPR, such as the Brazilian General Data Protection Law, better known as “LGPD”, in its Portuguese acronym. LGPD enshrines data portability in article 18.V, granting every data subject the right to “the portability of data to another service or product provider upon express request, in accordance with the ANPD regulations”. Conspicuously, portability of personal data does not include data that have been anonymised by the controller. 

According to LGPD, the Brazilian Data Protection Authority, better known as “ANPD”, plays a fundamental role to enable data portability. Indeed, article 40 of LGPD prescribes that “the supervisory authority may establish interoperability standards for purposes of portability, free access to data and security, and on the retention time of the registrations, especially in view of the need and transparency.”

However, it is important to note that the ANPD “may” define such format but is not obliged to do so. Critically, according to its regulatory agenda, released in January 2021, the establishment of such formats is not even mentioned in the list of regulatory initiatives to be undertaken in the first two years of activities of ANPD.⁶

Lastly, it is also important to temper an excessively rosy picture, regarding data portability, stressing that, bedsides numerous advantages, it can also entail risks, notably regarding cybersecurity, but also the potential to jeopardise third-party rights, intellectual property rights, and trade secrets, to name a few. One of the most significant risks associated with the new data portability right is identity theft. The GDPR recognises that a controller cannot comply with a data portability request if it cannot identify the data subject and that it may request additional information to confirm the identity of the data subject. The Article 29 Working Party view, now integrated by the European Data Protection Board, is that data controllers should implement authentication procedures to confirm the identity of the data subject and mitigate risks (Article 29 WP, 2017)⁷. 

As regards the risks that portability measure may have on third party rights, Graef, Husovec and Purtova (2018)⁸ have noted that the inappropriate implementation of the RDP may lead to questions about the protection of intellectual property rights, particularly if the data to be shared or APIs to be offered involve trade secrets or other protected information (Graef, Husovec, Purtova, 2018).

References 

European Council. (2016). Regulation 2016/679 of the European Parliament and of the Council (EC) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679. 

Malgieri, G. (2016). Trade Secrets v. Personal Data: a possible solution for balancing rights. International Data Privacy Law, 6(2), 102-116.

Working Party. (2016). Guidelines on the right to data portability. Available at:  https://ec.europa.eu/newsroom/document.cfm?doc_id=44099.

1. Buehler, S., and Haucap, J. (2004). Mobile Number Portability. In: Journal of Industry, Competition, and Trade. 4, 223-228. Available at: https://www.itu.int/ITU-D/finance/work-cost-tariffs/events/tariff-seminars/lithuania-04/haucap%20.pdf.
2. Viard, V.B. (2004). Do Switching Costs Make Markets More or Less Competitive? The Case of 800-Number Portability, Stanford Graduate School of Business Research Paper Series Paper No. 1773(R1). HTU http://ssrn.com/abstract=371921UTH.
3. Krämer, J., et al. (2020). Making data portability more effective for the digital economy: Economic implications and regulatory challenges. Centre on Regulation in Europe (CERRE).
4. De Hert, P., Papakonstantinou, V., Malgieri G., Beslay, L., Sanchez. I. (2018). The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Computer Law & Security Review. 193–203.
5. De Hert, P., Papakonstantinou, V., Malgieri G., Beslay, L., Sanchez. I. (2018). The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Computer Law & Security Review. 193–203.
6. Brasil. ANPD. (28/01/2021). No Dia da Proteção de Dados, ANPD publica agenda regulatória bianual da autoridade para 2021-2022. Available at: https://www.gov.br/anpd/pt-br/assuntos/noticias/no-dia-da-protecao-de-dados-anpd-publica-agenda-regulatoria-bianual-da-autoridade-para-2021-2022.
7. Article 29 WP, Guidelines on the right to data portability, 16/ EN, WP 2042, rev01, as last revised and adopted on 5 April 2017.
8. Graef, I., Husovec, M., Purtova, N. (2018). Data portability and data control: lessons for an emerging concept in EU law. German Law Journal, 19(6), 1359-1398. Available at: https://ssrn.com/abstract=3071875 orhttp://dx.doi.org/10.2139/ssrn.3071875.