Ever been fed up with your cell phone provider? Maybe you had a good deal the first few months, then suddenly your rates shoot up or your service gets spotty. Perhaps you’ve ended a call with customer service saying, “Well, I’ve had enough. I’m switching providers.”
Thanks to phone number portability laws, leaving a provider isn't an empty threat. People can switch service providers without fearing the loss of the phone number their family and friends (and spammers!) use to reach them.
What if this same portability feature applied to... your data?
User rights under data portability laws
If you live in California, the European Union, and potentially other jurisdictions like Australia, you can bring your data - whether that be contact lists, photos, documents, playlists -- with you when you switch providers. Privacy laws including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have already codified data portability into law, while several governments have started to introduce similar legislation.
Bring your data with you
But, what does data portability exactly mean?
What is data portability?
Data portability, under privacy laws like GDPR and CCPA, allows individuals to access, copy, or transfer data a company maintains about the user. Data portability laws allow a user to transfer their data to another provider using a machine-readable, commonly used, interoperable format.
For example, say you aren’t happy with your current online music streaming provider. Using data portability rights, you can easily copy all your playlists over to another music streaming provider. Or, if you’re a movie buff, you can bring data about your movie streaming preferences and your favorite shows with you to another video streaming provider.
What do the actual laws say, specifically, about data portability?
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.”
The CCPA affords similar data portability rights under Section 1798.100(d), which states, “A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.”
Currently, there are similar pending data portability legislation in Australia. The Australian Competition and Consumer Commission (ACCC) and Consumer Data Right (CDR) legislation aims to shift the ownership of customer data from companies to customers, allowing customers the ability to share their own data with other companies. The Australian government intends to apply these new consumer data rights to the banking sector, followed by the energy sector, and possibly others.
There is proposed legislation in the United States at the federal level as well. Senators Mark Warner, Richard Blumenthal, and Josh Hawley introduced the Augmenting Compatibility and Competition by Enabling Service Switching Act (ACCESS Act) in October 2019. Regarding data portability, the bill states, “Large communications platform providers—i.e., providers operating communications platforms with over 100 million monthly active users in the U.S.—must operate transparent, third-party accessible interfaces that allow users to safely transfer their data (directly to the user or to a competing communications provider acting at the direction of a user)...competing providers that receive ported data must properly secure ported data.”
In a press release, Senator Josh Hawley said, “Your data is your property. Period. Consumers should have the flexibility to choose new online platforms without artificial barriers to entry. This bill creates long-overdue requirements that will boost competition and give consumers the power to move their data from one service to another.”
What does data portability mean for businesses?
Data portability introduces major impacts on businesses.
Firstly, data portability laws can be used as an antitrust measure, so prepare for stiffer competition in respective markets. In particular, competition from startups might get fiercer. Startups, which historically had limited access to consumer data, will now have a leg up when consumers port their data to another provider.
Secondly, businesses must optimize their data transfer process to be timely, complete, and machine-readable when they receive a data subject access request (DSAR) from a consumer. To accomplish this, businesses must know where consumer data lives on their systems. To accomplish this, businesses must know where consumer data lives on their systems and be able to retrieve it when necessary.
Where is your data?
A critical component of a complete privacy program is knowing where your data is. Businesses can conduct a data mapping assessment to understand how data flows throughout their organization--from intake forms to where the data is stored. Data mapping software can assist in this endeavor. Once you know where the data is, it is important to classify it so you can retrieve it when necessary. Data classification software tags the discovered data to make it easy to search, find, retrieve, and track. Data discovery software can then be deployed to collect and aggregate data from a variety of sources and prepare it in formats that both people and machines can easily use.
One solution designed to handle this entire process—from data mapping to processing data subject access requests—is a data privacy platform. Considering the legal requirements regarding the time a company has to respond to a DSAR, consider using a data privacy platform or DSAR software to help automate these processes. (For CCPA, the timeline to reply to a DSAR is 45 days. For GDPR, it is 30 days.)
What file formats can you use to port data
When businesses process a DSAR, what machine-readable format should they use? File format interoperability can pose many problems. Recognizing the limitations file formats have on data research, the National Institute of Standards and Technology (NIST) and more that 800 industry, academic, and government experts started assessing this issue in 2013; together, they just released their Big Data Interoperability Framework (NBDIF) this October. NIST’s NBDIF is a guide that allows data to be interoperable and portable across platforms.
RELATED:NIST’s Privacy Framework helps businesses and organizations understand, evaluate, and mitigate their privacy risks. Read more here→
The good news for businesses processing DSARs is that neither GDPR nor CCPA currently include specific file formats for data portability. So, right now, companies have the opportunity to select which format is best for them. However, it’s still important for companies to consider which formats are standard to their industry. If there is no standard, consider open formats like CSV, XML, and JSON.
How to actually transfer the data
Businesses must find a way to securely transmit this sensitive consumer data.
The California Attorney General released proposed regulations in October 2019 offering guidance on how to securely transfer data.
“If a business maintains a password-protected account with the consumer, it may comply with a request to know by using a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information if the portal fully discloses the personal information that the consumer is entitled to under the CCPA and these regulations, uses reasonable data security controls, and complies with the verification requirements set forth in Article 4.”
The industry at large recognizes it may be difficult to transfer data from one service provider to another. A program called the Data Transfer Project (DTP) is an open-source initiative that allows data portability between multiple online platforms. Google founded the Data Transfer Project in 2018; other members of the project include Facebook, Microsoft, Twitter, and Apple.
What data do you need to include in a data portability request?
What data needs to be included in a data portability request? Truth be told, it’s not well defined yet. Data that users wish to port include user-generated or user-provided data such as their address books, friend directories, or social graphs. It could include passive information about users such as inferred preferences. But, what about data created collaboratively with others? Should that be included when processing a DSAR?
Problematic areas related to processing data portability requests
Processing data portability requests can open up a can of tangled worms. For example, if a user worked collaboratively with another person to create some data, should a user port that data? What if a user’s data includes someone else’s data, too? Should that be portable? Do you need to get consent from the collaborators?
In response to these unknowns, Facebook published a whitepaper wherein the company questions the best ways to protect a user’s privacy while enabling portability. For example, what if a person or entity requests data on your behalf? Should companies comply with such requests? What if someone files a fraudulent DSAR? Are companies equipped to properly validate users before they provide them with their sensitive consumer data? After people’s data is transferred, who is responsible if the data is misused or hacked?
The unknowns related to these laws and this process will likely be resolved as they arise. In the coming months expect consumers to become educated on their data access rights regarding data portability, especially since users can monetize their data. Businesses can prepare by having a data portability plan in place along with the policies and tools to enact those plans.
*Disclaimer: I am not a lawyer and am not offering legal advice. If you have legal questions, consult a licensed attorney. I also don't give fashion advice, relationship advice, or movie recommendations. Trust me, this is for the best.
Merry Marwig is a market research analyst at G2 focused on the privacy and data security software markets. Using G2’s dynamic research based on unbiased user reviews, Merry helps companies best understand what privacy and security products and services are available to protect their core businesses, their data, their people, and ultimately their customers, brand, and reputation. Merry's coverage areas include: data privacy platforms, data subject access requests (DSAR), identity verification, identity and access management, multi-factor authentication, risk-based authentication, confidentiality software, data security, email security, and more.