Data To Go: An FTC Workshop on Data Portability

THIS EVENT WAS HELD ONLINE.

The Federal Trade Commission hosted a public workshop on September 22, 2020, to examine the potential benefits and challenges to consumers and competition raised by data portability.

Data portability refers to the ability of consumers to move data – such as, emails, contacts, calendars, financial information, health information, favorites, friends or content posted on social media – from one service to another or to themselves. In addition to providing benefits to consumers, data portability may benefit competition by allowing new entrants to access data they otherwise would not have so that they can grow competing platforms and services. At the same time, there may be challenges to implementing or requiring data portability. For example, data that consumers want to port may include information about others, such as friends’ photos and comments. How should this data be treated? How can the data be transferred securely? Who has responsibility for ensuring that data portability is technically feasible? Does mandatory data access or data sharing affect companies’ incentives to invest in data-driven products and services?

Data portability is a timely topic. Europe’s General Data Protection Regulation and California’s Consumer Privacy Act both include data portability requirements, and companies serving customers in Europe and California have already begun providing consumers with the right to port their data. In addition, the United Kingdom’s Open Banking initiative and US banking laws requiring that financial information be provided to consumers in an electronic format, are encouraging data portability in the financial sector, including the development of APIs to facilitate transfer of data to consumers and among financial institutions. Major technology companies Apple, Facebook, Google, Microsoft, and Twitter have created the Data Transfer Project with the goal of creating an open-source, service-to-service data portability platform. The Department of Health and Human Services’ Office of National Coordinator for Health Information Technology has finalized rules to facilitate portability of health data. And industry and lawmakers have discussed including data portability as a component of any comprehensive federal privacy legislation.

The workshop sought to bring together stakeholders — including industry representatives, economists, consumer advocates, and regulators — for a wide-ranging public discussion on issues raised by data portability. The workshop addressed questions such as the potential benefits to consumers and competition of data portability, the potential risks to consumer privacy and how those risks might be mitigated, the potential impact of mandatory data access or data sharing on companies’ incentives to innovate, how to best ensure the security of personal data that is being transmitted from one business to another, the merits and challenges of interoperability, and who should be responsible for ensuring interoperability.

To assist the agency’s analysis of this topic, the FTC sought comment on a range of issues including:

• How are companies currently implementing data portability? What are the different contexts in which data portability has been implemented?
• What have been the benefits and costs of data portability? What are the benefits and costs of achieving data portability through regulation?
• To what extent has data portability increased or decreased competition?
• Are there research studies, surveys, or other information on the impact of data portability on consumer autonomy and trust?
• Does data portability work better in some contexts than others (e.g., banking, health, social media)? Does it work better for particular types of information over others (e.g., information the consumer provides to the business vs. all information the business has about the consumer, information about the consumer alone vs. information that implicates others such as photos of multiple people, comment threads)?
• Who should be responsible for the security of personal data in transit between businesses? Should there be data security standards for transmitting personal data between businesses? Who should develop these standards?
• How do companies verify the identity of the requesting consumer before transmitting their information to another company?
• How can interoperability among services best be achieved? What are the costs of interoperability? Who should be responsible for achieving interoperability?
• What lessons and best practices can be learned from the implementation of the data portability requirements in the GDPR and CCPA? Has the implementation of these requirements affected competition and, if so, in what ways?