Data Portability

What is Data Portability[1]

Data Portability is the concept that the users or owners of a given dataset should be able to easily move or copy this data between different software applications, platforms, services, and computing environments. The term “data portability” actually encompasses two related, but separate, issues:

  • First, organizations should be able to easily import and export the data they collect and store, converting between different formats and standards if necessary.
  • Second, individuals should have the right to migrate their personal data between different providers or data processors.

In general, the second concept of data portability (which is more philosophical) depends on the first (which is more technical). To provide consumers with their personal data, organizations must be able to efficiently migrate this data between different IT environments in the first place.

The rise of cloud computing services has heightened technical concerns about data portability. In particular, many organizations are worried about potential “vendor lock-in,” where users feel stuck or trapped with a particular IT provider because of the costs of migrating their data to another provider. For example, an IT provider may store data in a proprietary format that makes it difficult to convert to another, more usable format.

Data portability primarily enables individual end users or enterprises to seamlessly move, integrate and interlink data sets within disparate systems. Typically for data portability to work, the data must be in a format that is interoperable between several platforms. Data portability concerns are especially common in cloud computing solutions when data needs to be transferred from an in-house facility to the cloud, from the cloud to an in-house facility, or from the cloud to another location in the cloud. If data portability is addressed prior to creating a cloud setup or any IT solution, data can easily be ported between separate environments and platforms.[2]

“Data Portability” is
1) the ability and capacity to export data collected or stored digitally concerning a data subject AND
2) the ability to receive data concerning the data subject and to allow another controller to receive portable data. The Data Portability requirement entails both
a) a technical design requirement: From a technical perspective, data controllers will need to ensure their systems, connected products, applications, and devices that collect and store information on data subject also have the added functionality of porting and transmitting data. In some cases, this will require controllers to tweak or redesign some systems, products, applications and devices. Furthermore, the new porting functionality must export data in a structured, commonly used, and machine-readable format so that reuse of the data is possible. b) a data subject rights requirement: From a data subject’s right perspective, the right to data portability creates a new right for individuals to exercise more control over their own data. It enables individuals to receive personal data concerning him or her, which he or she has provided to a controller. Thus, data controllers will need to establish and implement processes, in addition to added systems and digital propositions/products functionality, that aid in processing data subject requests whether in manual or in an automated fashion.

After receiving the data the individual must be able to transmit this data to another controller without creating additional burden or hindrance to the previous data controller. The right to port data also entails that where technically feasible, the personal data will be transmitted directly from one controller to another. Please be aware that the right to request a copy in a machine-readable format is only possible if the data concerned was
i) provided by the individual to the controller; ii) processed by automated means, and iii) processed based on consent or fulfillment of a contract.[3]

Data portability recently became a legal requirement in certain places through laws such as the GDPR4 and the California Consumer Privacy Act (“CCPA”)

What is the Right to Data Portability[4]

The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used, and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

The right to data portability entitles an individual to:

  • receive a copy of their personal data; and/or
  • have their personal data transmitted from one controller to another controller.

Individuals have the right to receive their personal data and store it for further personal use. This allows the individual to manage and reuse their personal data. For example, an individual wants to retrieve their contact list from a webmail application to build a wedding list or to store their data in a personal data store.

The right to data portability only applies when:

  • the lawful basis for processing this information is consent or for the performance of a contract; and
  • when carrying out the processing by automated means (ie excluding paper files).

The right to data portability is one of eight rights enforced by the General Data Protection Regulation (GDPR). As with all data subject rights under the GDPR, when an individual exercises their right to data portability, they do so “without prejudice to any other right”. A data subject can continue to benefit from the data controller’s service after the right to data portability has been exercised, but doing so doesn’t alter the data controller’s rights or obligations. Data portability doesn’t automatically trigger the right to erasure and it doesn’t affect the original retention period of the data. The data subject can exercise their rights as long as the data controller is still processing the data.

At a Glance

  • The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
  • It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
  • Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
  • The right only applies to information an individual has provided to a controller.
  • Some organizations in the UK already offer data portability through midata and similar initiatives which allow individuals to view, access, and use their personal consumption and transaction data in a way that is portable and safe.

The Importance of Data Portability[5]

Data portability has become commonplace - although not universal - among applications designed for use on many vendors' personal computers (PCs) and servers. The same cannot yet be said for Cloud Service Providers (CSPs). As more organizations move data and data processing to cloud services, a lack of data portability can cause problems if, for example, customers want to move data from one cloud platform to another or change their service provider.

Reasons Data Should be Portable

  • Different CSPs commonly have proprietary data formats, templates, and related parameters that can lock users into specific platforms. Often, these formats are not standardized, making data portability difficult. According to the Institute of Electrical and Electronics Engineers (IEEE), cloud interoperability and data portability are major challenges for enterprise adoption of cloud computing services.
  • For consumers, data portability lets people easily coordinate the personal data they keep on multiple social networking sites. On social networking sites, such as Facebook, LinkedIn, and Twitter, users can share their contacts, posts, photos, videos, sound clips and personal or professional information across the various platforms. In that way, users know their data is current and consistent, without having to modify the content on each service's site. Users can, of course, opt out of this data-sharing feature if they want to show different portfolios on different services.
  • In 2010, Facebook improved its data portability with a feature that lets users download all their network content as a single zipped file for viewing with a browser offline. This feature helps users to keep track of their data without fear that crackers might permanently alter or destroy it. The downloading feature backs up the data so it can be easily replaced in the event of a network failure causing data loss in the cloud. If the network has an outage or some other problem, users can simply upload their backed-up data to replace the damaged network data.
  • Data portability provides users of social networking services with added convenience when different services allow reciprocal access to first-party data. For example, a user on Facebook may import contacts from Google's Gmail email service. In a perfect world, all social networking services would allow users to freely and easily migrate data among themselves. Things haven't worked out that way. Instead, services sometimes take a territorial attitude toward user data.
  • Without data portability, a person's data is accessible only through the platform where it is stored. Such a siloed approach to data can result in vendor lock-in, inaccessible data, and even data quality issues.

Dynamics of Data Portability[6]

Data portability interacts, and sometimes even conflicts, with other digital rights priorities, including privacy and security, transparency, interoperability, and competition. Here are some of the considerations EFF keeps in mind when looking at the dynamics of data portability.

  • Privacy and Security: Any conversation about data portability in practice should keep privacy and security considerations front and center. First off, security is a critical concern. Ported data can contain extremely sensitive information about you, and companies need to be clear about the potential risks before users move their data to another service. Users shouldn’t be encouraged to share information with untrustworthy third parties. And data must always be protected with strong security in transit and at its new location. Second, it’s not always clear what data a user should have the right to port. There are a lot of questions to grapple with here: When does "data portability" presume the inclusion of one's social graph, including friends' contact information? What are all the ways that can go wrong for those friends’ privacy and security? How do we unravel the data you provide about yourself, the data your friends provide about you, and all the various posts, photos, and comments you may interact with? And then, how can we ensure data portability respects all of those users’ right to have control over their information? While there are no easy answers, the concept of consent is a starting point. For example, a service could ask friends for their specific, informed consent to share contact information when you initiate a download of all your data. Companies should also explore technical solutions that might allow users to export lists of friends in an obfuscated, privacy-protective form.
  • Transparency: Portability works hand-in-hand with transparency. If some of your data is easy to download and use (portable) but the rest is secret (not transparent), then you are left with an incomplete picture of your relationship with a service. Conversely, if you are able to find out all the information a company has about you (transparent) but have no way to take it and interact with it (not portable), you are denied opportunities to further understand and analyze it. Companies first should be transparent about the profile data that they collect or generate about you for marketing or advertising purposes, including data from third parties and inferences the company itself makes about you. Comprehensive portability should include this information, too; these data should be just as easy for you to access and use as the information you share voluntarily. Both portability and transparency return power to users. For example, a comprehensive download of the data Facebook stores about a user’s browsing habits and advertising preferences might help her reverse-engineer Facebook’s processes for making inferences about users for targeted advertising. Or, in another example, the ability to take complete metadata about one’s music preferences and listening patterns from Spotify to another streaming service might make for a better user experience; Spotify might have figured out over time that you can’t stand a certain genre of music, and your next streaming service can immediately accommodate that too.
  • Interoperability: Data portability can also work alongside “interoperability.” Interoperability refers to the extent to which one platform’s infrastructure can work with others. In software parlance, interoperability is usually achieved through Application Programming Interfaces (APIs)—interfaces that allow other developers to interact with an existing software service. This can allow “follow-on innovators” to not only interact with and analyze but also build on existing platforms in ways that benefit users. For example, PadMapper started by organizing data about rental housing pulled from Craigslist posts and presenting it in a useful way; Trillian allowed users to use multiple IM services through the same client and added features like encryption on top of AIM, Skype, and email. On a larger scale, digital interoperability enables decentralized, federated services like email, modern telephony networks, and the World Wide Web.
  • Competition: Depending on the context and platform, data portability is vital but not sufficient for encouraging competition. In many markets, it’s hard for competition to exist without portability, so we must get this part right. But on its own, data portability cannot magically improve competition; the ability to take your data to another service is not helpful if there are no viable competitors. Similarly, data portability cannot fend off increasing centralization as big players buy up or squash smaller competitors. Initiatives like the Data Transfer Project among Facebook, Microsoft, Twitter, and Google could ultimately be important, but won’t meaningfully help competition unless they allow users to move their data beyond a small cabal of incumbent services. Right now they don’t. Combined with other substantive changes, data portability can support users’ right to “vote with their feet” by leaving a platform or service that isn’t working for them and taking their data and connections to one that does. Making these options real for people can encourage companies to work to keep their users, rather than hold them hostage.

Data Portability and the Cloud[7]

Data portability is crucial in the cloud. Before the cloud, most of your personal data was on your hard drive: the only thing that had to care about was using a standard format for storing data, or importing/exporting them. But with the cloud, the data storage layer is not under your control any longer. You not only need to import/export this data in a seamless way, but you have to move data through the cloud. Of course, this standardization principle applies to all kinds of data, but in the case of personal data, those data movements must be driven by the data subject, rather than the data controller...

Think tanks and industry trailblazers have long collaborated to bring about benefits of standardization. One great use case is TCP/IP—the protocol upon which the internet agreed to grow. By standardizing data portability, new products can be developed around a universal method for plugging and unplugging user data.

But to reach the Eden of secure data portability, developers and organizations must first meet the storage and security problems the cloud presents. These include but aren’t limited to:

  • Security — Portable data presents challenges to organizations on two fronts. First, the incoming data must be thoroughly inspected and validated as safe before it is ingested into a network. Second, businesses must ensure safe delivery of outgoing data packages to counterpart networks. Each stage of these transaction points present compliance exposure, so security is paramount to efficient portability.
  • Communication with destination applications — Compliance regulations can make for strange bedfellows. Rather than their normal practices of secretly innovating their products to gain advantage in the marketplace, competitors must now devote a portion of their resources to working together to ensure their applications can talk at least enough for data portability. In many organizations this will require at least a partial philosophical shift.
  • Balancing portability against innovation — While changing standards make increased communication between competitors necessary, ever-changing applications, especially in a continuous delivery model, will constantly change or enhance the way they handle data. This will create additional data handling fields that won’t match up across the spectrum of service providers, and standards will be needed for separating companies’ intellectual property from the customer right to portability.

As organizations look to a future that will exist almost entirely in the cloud, international standards for data portability must be at the forefront of development planning. Failing to plan to provide customers with the right to portability is guaranteeing a cumbersome, potentially expensive problem in the near future.

See Also