Making Data Portability Work

Mydex CIC
Published in Mydex
Jul 18, 2018

Article 20 of the new General Data Protection Regulation creates a new right for citizens: the right to data portability. Rarely does one small clause in a massive piece of legislation strike at the very heart of the way the economy works, but this does.

Today’s digital economy is constructed on a massive structural fault line. An inevitable by-product of the way it first developed, with organisations collecting data from and about customers to improve their operations, it’s resulted in a grotesquely unbalanced, inefficient and stunted architecture for the collection and use of personal data.

Imbalanced because in today’s set-up the only entities that collect and use personal data are what GDPR calls data controllers, who hold an effective monopoly on data use. This creates unaccountable concentrations and imbalances of data power and economic advantage.

Inefficient because each organisation is undertaking its own, separate, duplicative data collection and management processes. Try imagining a modern economy where every organisation had to dig a well and purify its own water, generate its own electricity and manufacture its own computers. Creating an enabling infrastructure for such activities unleashes huge efficiencies while creating new possibilities for new activities that take this infrastructure for granted.

Stunted because this way of working flies in the face of one of the core characteristics of all information — that it can be used without being ‘consumed’. When the same piece of data can be used many times for many different things, hiding it away under lock and key, maintained as a proprietorial, exclusive ‘asset’, tightly restricts opportunities for value creation left, right and centre.

So we have a status quo where large organisations maintain an effective monopoly on the collection and use of personal data. But now Article 20 blows this wide open by allowing individuals to obtain a copy of that data and to use and share it for their own purposes.

Over the last few months we (Mydex CIC) have been involved in a wide range of discussions with many organisations and institutions about what this means and how to realise the full personal, social and economic potential of data portability. We’ve gathered our main thoughts together into this White Paper.

It boils down to three main messages.

  • First, freeing personal data from today’s current organisational lock-down opens up the opportunity for an explosion of innovation, especially around Personal Information Management Services (PIMS) which deploy information for and on behalf of individuals independently of their relationship with any particular data controller. Our next blog will look at this opportunity in more detail.
  • Second, to deliver these benefits we need a new Safe By Default data sharing infrastructure, of which bona fide Personal Data Stores are a critical component (but not the only component).
  • Third (and this is the really urgent point right now) like so many ideas that look good at first sight (e.g. consent), if we implement it the wrong way data portability could go disastrously wrong.

Different ways of implementing data portability

Article 20 allows for different ways of implementing data portability. In particular, it allows data to be ported directly from the original data controller to another data controller if the individual gives permission for this to happen. Or it allows for data to be ported to the individual. The Article 29 Working Party represents data protection authorities from across Europe. Its commentary on data portability explicitly recognises the potential role of personal data stores in this second option, saying “Data subjects may also wish to make use of a personal data store or a trusted third party, to hold and store the personal data and grant permission to data controllers to access and process the personal data as required, so data can be transferred easily from one controller to another.”

These two different options of organisation-to-organisation data sharing (where the data never actually gets to the individual) or to a Personal Data Store have the potential to take data portability in completely opposite directions.

If data portability is implemented via the first organisation-to-organisation option it is likely to result in:

  • further loss of control by individuals, as they lose track of who’s got access to their data and why
  • dissipation of personal data, as data gets shipped out to many more data controllers
  • increased likelihood of new Cambridge Analytica-style scandals as more unscrupulous operators use data portability to gain access to individuals’ data
  • increased reputational risk to data controllers (who risk being blamed when unscrupulous operators take advantage)
  • barriers to new entrants and potential increased concentrations of data power, because individuals are more likely to give permission for data to be ported to brands they are familiar with
  • restricted innovation, because incumbent data controllers are less likely to develop new VRM-style PIMS that help individuals manage relationships with multiple providers. For example, why should Pension Provider A bother developing a new service that helps its customers keep track of their pensions with Providers B, C and D?
  • duplicated effort and inefficiencies, because with each new request to port data, the request has to go to both the individual (for permission) and the data controller (for the actual porting)
  • an endless cycle of debate between data controllers as they each promote or defend the data formats, protocols and rules of the road that they have chosen to invest in

However, if data portability is implemented with a PDS as the central point of integration, it would result in:

  • increased control by individuals, for example via consent and management dashboards which help the individual keep track of every piece of data sharing they have agreed to and set broad policies about their wishes on how data is used
  • reduced likelihood of Cambridge Analytica-style scandals as PDSs help individuals assert control over their data
  • reduced reputational risk for incumbent data controllers
  • creation of a new personal data asset for individuals that continues appreciating in value over time, like a pension, as every new piece of data collection, receipt and sharing adds to the individual’s own data repository
  • reduced barriers to new entrants as PDSs help individuals sort and sift bona fide service providers from non-bona fide, e.g. by operating on the basis of standardised safe by default data sharing agreements and design patterns
  • expanded range of innovation as new VRM-style PIMS services are now much easier to provide
  • increased efficiency because now data controllers only have to port their data once. (The only efficiency advantage of the org-to-org approach is the very first piece of data porting which, if it goes direct org-to-org, skips the need for the data to be ported to a PDS but which, after that, creates constant duplication of effort.) Setting up and delivering to a bona fide PDS can be easily automated and integrated into any transaction so as to remove any friction for the individual

A fork in the road

Data portability could trigger a fundamental, positive inflection point in the evolution of our data economy if it is implemented in the right way.

But equally it could end up being a non-event as citizens, fearing further loss of control over their data, find the whole process too hasslesome and difficult, and fail to see the point anyway — why bother investing time and effort porting your data if it doesn’t result in exciting new services that significantly improve your life or save time and effort in the future? People only want to do things like this once, not again and again.

Or, even worse, it could actually exacerbate all the problems we currently experience with personal data.

Decisions being made now and over the next year or two will determine which road we take. Right now, many of our current activities, including our White Paper, are focused on making sure we take the right road. We hope you’ll join us in our efforts to make data portability work for everybody — individuals, society, economy and existing data controllers — by putting the individual at the centre of the process.
