Delara Derakhshani is director of policy and Zander Arnao is a policy intern at the Data Transfer Initiative (DTI).
Today, data portability, the ability to move personal data from one technology service to another, typically occurs when users download their personal data from one service and upload it to another. As the demands of users and requirements of regulators evolve, this approach is giving way to a new paradigm: direct data transfers between digital services. Direct transfers will likely become the preferred mechanism to serve users, raising important questions about how to design digital services to enable sharing while also keeping users’ personal data secure. To better understand the shift to this new paradigm, it is worth examining how data portability has developed to date.
The Rise of Data Downloads
In 2011, Google (a founding partner of our organization, the Data Transfer Initiative) released a product called Google Takeout, which allows its users to export personal data. According to the team that built Google Takeout, the “Data Liberation Front,” the goal of the tool was to help users move their data in and out of Google so that they can choose between multiple (even competing) technologies. This mission, empowering users with choice, has remained the bedrock principle of data portability ever since.
Over time, the data download became the standard for enabling data portability. Many companies that process personal data began to follow Google’s lead and designed features that enable users to export their data. In 2016, the European Union (EU) made data downloads mandatory when its landmark data privacy law, the General Data Protection Regulation (GDPR), established multiple rights to data portability for European citizens and residents.
While the GDPR enshrined the ability to download personal data as a right, this right has not seen widespread usage by data subjects. According to an informal study by the International Association of Privacy Professionals, data portability has seen few legal developments in case law, and unlike other rights, its legal exercise has been limited and rare.
An Evolving Social and Technical Landscape
While the ability to download to a device gives users valuable control over their personal data, it falls short of providing a comprehensive solution for data portability. As the technical and social landscape continues to evolve, direct data transfers can supplement data downloads and better serve users in this new landscape.
During the early 2010s, digital services were less sophisticated. In 2011, when Google Takeout was first launched, internet connectivity was far slower; file sizes were typically smaller; and features were more limited in functionality. For instance, it was not until late 2015 that Apple (another of our organization’s founding partners) introduced Live Photos, which included richer data types than were previously available for photos.
In 2016, mobile phones overtook desktops as the primary means to access the internet. Meanwhile, internet connections grew significantly faster, and households began to consume orders of magnitude more data in their usage of digital services.
Soon storage requirements for services grew to outstrip the amount of data that could feasibly be held by consumers’ personal devices, and consumers began using significantly more services, necessitating storage of personal data across many different sites. This changing technical reality rendered it more difficult for users to easily download all of their personal data.
In addition, the social environment began to shift. As digital services have become more central to daily life, users are more sensitive to data processing and demand greater control of their personal data.
Recently, policymakers on both sides of the Atlantic have also become more sensitive to the market power of large companies, and promoting competition in digital markets has grown to supplement the earlier goal of empowering consumers.
In this environment, data portability is seen as a tool for competition policy, so lawmakers now routinely include sophisticated requirements for data portability in legislation targeting digital markets:
- In the United States (US), the proposed ACCESS Act would oblige large platforms to open technical interfaces which allow users to permit third parties access to their personal information.
- In the EU, the recently passed Digital Markets Act (DMA) mandates that designated gatekeepers design “tools” (also likely interfaces) to ensure “real-time and continuous” data portability for users and third parties. While it is not yet clear what “real-time and continuous” means in practice, conversations between government and stakeholders will help clarify the details of implementation in the coming years.
Given these technical and social changes, downloading personal data is an increasingly complex and frustrating process for consumers, and there will be a greater role for third parties in both the technical and regulatory contexts. As such, the future of data portability will hinge on direct transfers of personal data between different digital services. It is therefore worth considering what this future may look like.
Ensuring Successful Data Transfers
In addition to downloads, the GDPR’s portability framework also contemplated requiring companies to support direct transfers of personal data. Back in 2018, several companies came together and established the Data Transfer Project (DTP) to facilitate direct transfers of data. Today, our organization shepherds the DTP, which maintains an open-source software repository that helps users move their personal data between digital services.
The core of our software is common “data models” which allow companies to bridge differences in how their services are designed. For instance, the DTP includes a common data model for photos. This data model includes standard specifications for features that are usually present with photos.
Technically, photos consist of both files and associated metadata such as a geolocation and date of capture. While companies may call these pieces of information by different names internally, they can use the data model’s specifications for photos to translate between their services’ different designs through the use of adapters specific to each company.
If, say, a group of video-sharing companies seek to enable transfers of videos, they can use the common data model as a shared language instead of setting up bespoke mechanisms of transferring data between every individual pair of services.
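The adapter arrangement described above, as an added example rather than code from the Data Transfer Project: the model fields, both services, their field names and the import-side checks are hypothetical, and the sample record is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class CommonPhoto:
    """Shared model: a file reference plus capture date and geolocation."""
    title: str
    content_url: str
    captured_at: datetime
    latitude: Optional[float] = None
    longitude: Optional[float] = None

def export_from_service_a(record: dict) -> CommonPhoto:
    # Hypothetical Service A stores epoch seconds and a nested "geo" object.
    geo = record.get("geo") or {}
    return CommonPhoto(
        title=record["caption"],
        content_url=record["file_url"],
        captured_at=datetime.fromtimestamp(record["taken_ts"], tz=timezone.utc),
        latitude=geo.get("lat"),
        longitude=geo.get("lng"),
    )

def import_into_service_b(photo: CommonPhoto) -> dict:
    # The importer treats the sender as untrusted and validates before mapping.
    if not photo.content_url.startswith("https://"):
        raise ValueError("content_url must use https")
    if (photo.latitude is None) != (photo.longitude is None):
        raise ValueError("geolocation needs both coordinates")
    if photo.latitude is not None and not (
        -90 <= photo.latitude <= 90 and -180 <= photo.longitude <= 180
    ):
        raise ValueError("coordinates out of range")
    # Hypothetical Service B wants ISO 8601 text and a "lat,lng" string.
    location = None if photo.latitude is None else f"{photo.latitude},{photo.longitude}"
    return {"name": photo.title, "source": photo.content_url,
            "shotAt": photo.captured_at.isoformat(), "location": location}

def transfer(record: dict) -> dict:
    # Each service writes one adapter to the model, not one per partner service.
    return import_into_service_b(export_from_service_a(record))

# Constructed sample record in Service A's internal shape.
SAMPLE_A = {"caption": "Tower at dusk", "file_url": "https://a.example/p/1.jpg",
            "taken_ts": 1700000000, "geo": {"lat": 48.8584, "lng": 2.2945}}
```

With one exporter and one importer per service, adding a new service means writing two adapters against the shared model instead of one bridge to every existing service.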
Based on this engineering experience, the Data Transfer Initiative can offer some insight into how direct data transfers will work. At this point, it is clear that the nuances of technical interfaces (called Application Programming Interfaces, or APIs) will be central to facilitating data transfers.
An API is “a set of well-defined ways to interact with a [computer] system to take some action, to get some response from the system, or often both.” APIs are essentially the common languages that allow one digital service to read data out (data exports) to another system that reads data in (data imports).
The nuances of how APIs are designed, therefore, significantly affect what and how data can be transferred. Considering this question of API design will be key as industry and government come together to make data portability happen in digital markets.
Building Robust Infrastructure for Data Transfers
Currently, the API landscape is very inconsistent. Some companies lack publicly accessible APIs, while those that have them often fail to support or maintain them sufficiently to permit transferring large amounts of data. Even when companies offer publicly accessible APIs, they may force developers to agree to Terms and Conditions that restrict this use case.
For data transfers to become widespread, APIs will have to become more aligned and designed for data transfers. The API landscape, in short, must become more consistent and open.
In addition, there must also be standard mechanisms for ensuring the security of data in transit. When a developer initiates data transfers via APIs, they can either “push” requests from their own API or “pull” them from another service’s.
While both pushing and pulling data enable transfers, the technical implementations of the two are quite different. Though companies may be comfortable using their own API to initiate data transfers (data exports), they may be skittish about authorizing the same from an unfamiliar service (data imports).
If not implemented properly, the openness necessary for data imports may introduce security vulnerabilities that could hinder the willingness of services to invest in building APIs suited for data transfers.
Effective data transfers will require robust infrastructure for building API standards and systems to guarantee data security. Unfortunately, there are significant transaction costs when disparate companies work individually to develop this infrastructure. A more efficient solution might be for standards and security systems to be developed centrally through a collaborative body such as the Data Transfer Initiative.
Moving forward, policymakers and interested stakeholders should actively consider how neutral third parties can help overcome existing barriers and build solutions that benefit the entire data portability ecosystem. The Data Transfer Initiative looks forward to these and other conversations to ensure that the future of data portability is a success.