Are you aware of your legal right to data portability?

Data portability might not be the best-known right outlined in European Union’s General Data Protection Regulation. However, it offers potentials that a project at University College London is currently exploring.   

In the emerging Internet of Things (IoT) environment, it is not only important to have access to one’s data but also the ability to transfer it across different devices and platforms. This so-called “data portability” right, outlined in the most recent General Data Protection Regulation (“GDPR”; 2016/679), is subject to an ongoing MPA student project at UCL STEaPP. The group of four include Sarah Turner, July Galindo Quintero, Simon Turner and Jessica Lis who specialise in digital technologies and policy issues as part of their degree. The cohort is supervised by Dr. Leonie Tanczer, Lecturer in International Security and Emerging Technologies, and work closely with the Open Rights Group and the PETRAS IoT Hub.  

Data portability, under GDPR’s Article 20, is defined as the right to transfer personal data from one service provider (usually the controller) to another. This right, along with the entirety of the GDPR, is intended to increase the control users have over their data and to ensure the accountability of the controller in regard to their usage and handling of personal data. While the legal text is rather vague, the foundational idea behind data portability is that a controller must provide a user with their personal data in a structured and readable format in order to transmit that data to another controller without hindrance (GDPR; 2016/679).   

It is important to understand that Article 20 does not apply to all personal data. The right to data portability only relates to data directly provided by the user. Thus, “observed data” which the user may indirectly provide when using a service such as one’s location information or browsing history are excluded from this portability right.  

Why should we care about data portability? 

Data portability is generally considered as an important tool in fostering competition within industry. The ability to transfer data from one provider to another is assumed to give consumers more agency and freedom of choice. This element of flexibility, could ultimately discourage corporate monopolies by giving smaller industry actors an opportunity to compete. In this regard, Article 20 could become a critical right in protecting both consumer interests as well as encouraging business competition. In the nascent but growing IoT space this could consequently benefit start-ups to enter the market. 

Conversely, data portability could also create user lock-ins by centralising services and platforms that build upon similar technical standards. 

What will the “data portability” project aim to achieve?  

In light of these different pathways that Article 20 generates, the MPA student project will closely study and map the intersection points between data portability and the IoT. As increasingly more IoT devices are deployed in the home and public spaces, a well-functioning interoperable data portability framework will become critical to the viability of a flourishing IoT ecosystem. The team is specifically interested in the applicability of the right to data portability in relation to household and wearable IoT products. They plan to:  

  1. conduct interviews with users, IoT producers, and policy makers; 
  2. conduct an investigation of UK-based IoT manufacturer’s websites and publicly available privacy documentation; and  
  3. undertake data portability requests across different commercial IoT systems.  

In carrying out these examination, Sarah, July, Jessica, and Simon will help to: 

  1. determine the perception of the value of the right to data portability to users, IoT SMEs and larger IoT producers in the UK; 
  2. assess the user-friendliness of data portability processes within UK’s household and wearable IoT product market; 
  3. provide an understanding of steps that need to be taken to maximise the benefits of data portability amongst users, policy as well as industry actors. 

The Open Rights Group and PETRAS offer the right partnership to support this cutting-edge work, with this MPA project adding to the thematic IoT expertise of the new National Centre of Excellence.   

Please feel free to get in touch with the team and their supervisor if you would like to participate in this timely study.