This CERRE study provides recommendations on how to make personal data portability more effective. This will truly empower consumers to use the services they want and share their data with whoever they wish, stimulating innovation in Europe. With the entry into force of the GDPR, European citizens gained new rights, notably with data portability. But two years later, there is still little sign of people exercising this right, and of companies offering an easy and convenient service for data portability.
While the European Commission is finalising its evaluation of the GDPR and closes its consultation on the European data strategy, the authors, professors Jan Krämer, Pierre Senellart and Alexandre de Streel*, warn that the current legal framework requires clarifications to better empower European citizens in a data-driven society.
In this study, they identify barriers to data portability, including the lack of possibilities to import data as well as the lack of common standards and tools to access data as easy as the click of a button. The ability to provide users with a centralised dashboard for monitoring and controlling the flow of their data is also critically missing.
“Today, consumers do not widely use data portability for reasons that can and should be overcome. Making data portability more effective is better for competition, for innovation and to empower users,” stress the authors. “There should be no second-guessing on whether to make data portability more effective, the time to act is now.”
The current EU framework encourages data portability, but there are legal gaps that the EU should fill. The authors insist on the need for detailed guidance on how data portability can be facilitated and on which data is subject to data portability without violating privacy rights. They advocate that data provided by users when using a service, such as search history (i.e. “observed data”) should clearly be included under the scope of data portability.
The authors consider it essential that the obligation to offer standardised Application Programming Interfaces (APIs) be much more widespread to enable consumers to continuously port their data.
“We believe that standardised APIs that enable continuous data portability is a prerequisite for encouraging more organisations to import personal data, and for encouraging more consumers to initiate such transfers,” explain the authors. Projects, such as the Data Transfer Project, have highlighted that continuous data portability is technically feasible.
The authors argue that Personal Management Information Systems (PIMSs), which facilitate the complex consent management and offer users a centralised dashboard for monitoring and controlling the flow of their data, will have a crucial role to play for the wider adoption of data portability.
“It must be as easy as clicking a button for consumers to continuously share data they created with one provider to another provider. This may also require educating and informing users on their rights through information campaigns alongside clear policy measures,” explain the authors.
Nevertheless, they stress that PIMSs are not likely to find a sustainable business model, and thus, policy makers should support the emergence of open-source projects by setting common standards for data transfers, consent management, and identity management.