GDPR brings Data Portability to U.S.

May
26

WIth the recent EU changes with the GDPR, the new data law can give access to data portability in options such as music streaming, fitness apps, social sites, and more.

The new GDPR law that has gone into effect as of May 25 promises to make life easier for U.S. consumers. How? Well it allows consumers to move data - everything from pictures to credit information - from one online provider to another. This new law covers a variety of privacy topics, such as requiring companies to collect less data and requires them to be transparent as to how they use the data.

According to consumer advocates, the GDPR rules enabling data portability could be a big deal for internet users—loosening the grip that digital services have on consumer data.

“Data portability is an essential right in the modern age. Giving people the ability to move data between services helps to ensure meaningful competition—otherwise, consumers are stuck with whoever has their data,” says Justin Brookman, director of privacy and technology policy for Consumers Union, the policy and mobilization division of Consumer Reports.

That's why data portability is one of the measures set out in the Digital Standard, an open-source effort launched by Consumer Reports and several partners in 2017 to establish guidelines for privacy and other digital consumer rights.

Technology and legal experts say that consumers could start to see benefits quickly. “It’s going to have a tangible impact every day on you and me,” says Mathew Keshav Lewis, senior vice president and global head of regulatory practice for Axiom, an international law firm that’s helping hundreds of corporate clients prepare for GDPR. (The company is not connected to the data broker Axciom.)

Its like porting your phone number

While GDPR is strictly an EU law, privacy experts expect it to affect U.S. consumers because many international companies will find it cheapest and easiest to adopt a single set of global privacy standards.

If you’ve noticed a lot of companies sending you updated privacy policies in the past few weeks, that’s why.

“Most of the large global tech platforms are planning to roll out GDPR solutions for all users around the globe,” says John Verdi, vice president of policy for the Future of Privacy Forum. “They’re not walling off EU persons and giving them a different experience.”

What will the rules around data portability do? As more companies adjust to become compliant, digital services throughout the web will allow you to move your settings and files similar to the way you can switch your phone number from one carrier to another, or swap email accounts. GDPR aims to bring that kind of freedom to all kinds of consumer experiences.

It has already had an effect. Streaming music service Spotify just announced that to comply with GDPR it was creating a tool that lets consumers move their playlists to other services, such as Apple Music. To do that now, you need to download a paid third-party app, and apps like that don't exist for every kind of transaction.

The law doesn't just require companies to give you access to your data; it also says they have to make it easy to use on other platforms. Facebook provides an example. The company has long enabled you to download all your old posts and photos, but until last month it came in the form of a data dump formatted in HTML.

“It was optimized for your personal use,” Kevin Bankston, director of the Open Technology Institute, a Washington D.C. based advocacy group. “It was not optimized to be portable to another service.”

To comply with GDPR, Facebook made it possible to export all your data in JSON, a data format commonly used in web applications. The company did the same thing with Instagram, the photo-sharing service it owns. 

Of course, Facebook doesn’t have any real competitors in the social media space ready to receive all your social media data—at least not yet—but if other services do arise, it should be easier to upload your information. In the near term, the change could make it more convenient to move your photos to other image-hosting companies.

Chris Niggel, director of security and compliance for Okta, a Silicon Valley identity security firm, says exercise enthusiasts could benefit, too. Pre-GDPR, switching from one brand of fitness tracker to another has meant losing years of fitness data. The new rules require device makers to enable consumers to move that data to a new device—or to share it easily with a personal trainer or a doctor.  Fitbit, one of the biggest players in the market, confirms that users in the United States will get the same GDPR-mandated data portability as those in the EU.

The new law “opens up flexibility and choice,” Niggel says. “The barrier to exit for consumers is no longer too high.”

Competition and Choice

Experts on GDPR say that data portability could also bring bigger benefits down the road, as companies adapt to the new world of consumer choice.

Right now, the biggest companies retain market share partly by holding their customers’ data hostage, Brookman says. And once that advantage is gone they have a bigger incentive to compete on features, price, and service.

Additionally, start-ups are likely to find innovative ways to use the newly portable data to cater to consumer needs, according to Okta’s Niggel. As an example, a new company might find a way to combine data from your smart thermostat, a solar panel, and your electric utility to help optimize your energy usage. Instead of negotiating murky deals to acquire the data for that business, he says, the entrepreneur could appeal to consumers directly.

“It should unleash a lot of business creativity,“ says Lewis, the Axiom senior vice president.

There’s no better example of the power of data portability to promote new consumer services than Facebook. In its infancy, the fledgling social media platform actively encouraged users to find friends by importing their Microsoft Outlook contact lists—and Microsoft made that easy. “That’s why Facebook was able to grow insanely fast between 2010 and 2015,” Bankston says.

Can it be enforced?

It could be a bit early to declare GDPR as a victory for U.S. consumers. Data portability is not required by U.S. law,  consumers here will have to wait for decisions by European courts and regulators to play out. And there could be pushback from tech firms. As consumer advocates point out, the most well-established companies with the biggest collections of consumer data have the strongest reasons to thwart data portability.

The struggles for many companies continue in regards to data portability, it may be a hard change. But we are here to help! See how IDLink can help you comply with the GDPR.  www.idlink.eu

Read the complete article by Allen St. John from consumer reports here.

Sebastian Allerelli
Partner at Safe Online