What is the impact of data portability—the ability of consumers to obtain data from one service and move it to another—on consumers and competition? To answer this question, the U.S. Federal Trade Commission (FTC) hosted four panels at a public workshop last month that discussed data portability laws from around the world, sector-specific data portability regimes, the benefits and costs of these initiatives, and the key concerns raised by these rules. Across the panels, which had stakeholders from different sectors and nations, five key lessons about data portability emerged.
1. Data portability is not a panacea for addressing anti-competitive behavior.
Whether data portability will foster competition depends on how well data retains value as consumers transfer it from one service to another. For instance, in markets with network effects, where the value of a service increases as more people use it, data portability tools may reduce vendor lock-in but still have no significant impact on competition because users do not want to leave a service in which they get value from being where everyone else is. Even in markets without network effects, fostering competition in data-driven sectors requires a significant number of individuals to invoke data portability for companies to accumulate enough information that they can usefully analyze and create innovative services from. But in practice, few users invoke data portability under existing regimes. For example, under the GDPR few individuals have exercised their right to data portability, as the deputy head of data protection at the EU Commission notes in the FTC’s first panel of the day. Policymakers should be aware of the limitations of data portability in promoting competition, particularly when it comes to free online services with high consumer satisfaction.
2. A sectoral approach to data portability allows regulators to better employ data exchange standards.
Technical standards ensure companies can effectively exchange data. But these standards vary widely across sectors. Sector-specific data portability rules , such as those the EU’s proposed amendments to electricity rules require, are better than economy-wide data portability rules, such as the ones GDPR imposes, because they can be more narrowly tailored. More precise rules avoid imposing broad data portability requirements which are likely to be unnecessary, expensive, unwieldy, and less impactful. For instance, Article 23 of the proposed electricity rules mandates that utility providers make “metering and consumption data as well as data required for consumer switching” available. These rules apply only to the energy industry and only to specific consumer information. In contrast, the GDPR requires data across all sectors to be in a “structured, commonly used and machine-readable format” creating a regulatory burden even in sectors and for data where there is unlikely to be a benefit.
3. Overly specific security guidelines for portability can hurt security in the long run.
Security is a moving target. There is no single right set of security practices for all firms, and security needs change over time. As policymakers address the new security risks data portability raises for consumers, particularly those that arise from authenticating user requests, policymakers should be cognizant that mandating overly specific security requirements, such as those that detail the types of encryption or authentication methods companies should use, can freeze in place out-of-date security practices that increase security risks rather than reducing them. Instead, policymakers should focus on ensuring that a company that mishandles user data is liable for any harm it may cause. For example, the California Public Utilities Commission has adopted privacy rules that gives customers the right to share their utility data with anyone but immunizes companies from liability if the receiving company subsequently has a security breach. This model has been successful because each entity is responsible for their own behavior, meaning companies are incentivized to invest in the infrastructure they need to secure user data and also means the government does not have to get involved in creating one-size-fits-all security measures that will likely be too great for the risk in some markets and too little for the risk in others.
4. Data portability is a technically difficult problem to solve.
Data portability is difficult to implement in practice because companies have to make the transfer of easily decodable and meaningful data technically feasible. In practice this means companies have to develop tools for data exchange and code that makes data interpretable for the receiving company. For example, if a consumer uses electricity from a utility provider and requests that their data be shared with a third party, such as Amazon’s voice assistant tool Alexa, the utility provider needs to share the consumer’s data in a way that enables Alexa to not only read the data but identify things such as which numbers refer to cost and which numbers refer to years. By working with the private sector to create targeted data portability requirements, policymakers can help ensure data portability is successfully implemented in practice. In addition, data portability may be more problematic in some applications, such as social networking services because of the many different types of data that may be involved.
5. Policymakers should resolve conflicting entitlements to data.
The GDPR provides little guidance on how to balance different entities’ legal entitlements to the same data, such as when consumers want to share data that includes data about other people or when they want to share personal data that involves a company’s intellectual property. Consider, for example, a supermarket that invests money and resources into persuading its customers to use its loyalty card by offering them special deals for using the card, training its staff to actively ask for the card while customers are paying, and promoting the card in its advertisements. Under the EU database protection law that seeks to promote competition and innovation, the supermarket might have exclusive rights to its database of consumption data because of the substantial investment it made in compiling and managing the data. But under the GDPR’s right to data portability which seeks to give consumers access to their data, customers also have a right to request the consumption data supermarkets collect about them. In cases where a customer wants their consumption data but a supermarket does not want to share it to protect customer loyalty, the GDPR is unclear on whose right to the data takes precedence, leaving room for data controllers like supermarkets to strike this balance themselves. Another example is when a consumer wants to move their photos from one service to another but the photos contain images of other people. Where legal entitlements to data overlap, policymakers should resolve how different stakeholders should interpret and implement their respective requirements.
The answer to what impact data portability has, and will have, on consumers and competition is a complex and varied one. Policymakers should tread carefully and weigh the perceived benefits of any data portability rules against the financial and security costs these rules may bring, in order to avoid imposing requirements that discourage firms from collecting and managing data. Data portability is a valuable tool, but if not done right, these rules may do more harm than good.
Image credits: Federal Trade Commission.