Calling for new global standards on data sharing and data portability, Facebook published a white paper highlighting key concerns related to implementing data portability. Readers should note that, in the past, Facebook has used portability tools such as Download Your Information, and has been part of industry coalitions such as Data Transfer Project along with Google, Microsoft, Twitter, and Apple.
The European Union’s General Data Protection Regulation (GDPR) enforced data portability in 2018, where it made data portability a right under which the “the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”.
Note that data portability is also being considered in India and was a part of the draft Data Protection Bill, but didn’t talk about transferring user data from one data fiduciary to another.
Why is data portability important?
Data portability is important because allows users greater control over their data, and attempts to encourage greater competition among companies that aren’t necessarily Big Tech. “Portability is brought up in the context of unlocking competition. One of the barriers to switching services is that pre-existing data is locked into the service you have been using. It fits into a data protection law because it is an expression of your control over your data. Even if you believe my data is your IP, a lot of this data is both generated by me, pertains to me, and therefore this law permits me to take a copy of it,” Amba Kak, former Public Policy Advisor at Mozilla had explained at a MediaNama event.
Key questions raised by Facebook in the paper
In the paper, Facebook highlights the following concerns related to data portability:
- Defining responsibility for data post-transfer: Facebook points out that the question of responsibility when it comes to individuals about whom data is transferred by another party as part of a portability request is particularly vexed. Should there be a consent mechanism in place? Could a better outcome be to limit liability for requesting users to only cases involving truly unreasonable or reckless behavior, such as knowingly transferring their contacts’ data to a party known to have a history of data misuse or poor data protection practices?
- Defining the role of transferring entities in protecting privacy while enabling data portability: Facebook has called on policymakers and regulators to clarify what is expected of the transferring entities.
- If data associated with more than one person should be portable: When data is ported, especially across social media networks, elements such as photos and videos concern more than one person. Is data ownership enough? Should tagged people in a photo have a say in how the photo owner may share the information across service providers? Is porting a user’s social graph (user’s own data as well as data about the map of connection between a user and other users and entities on that service) a good idea?
- If all user-directed data transfers to third parties constitute “data portability”: Facebook mentioned that stakeholders have tried to distinguish between platform-to-app transfers of data as different from transfers made possible by “true” data portability. On the other hand, other commentators have said that Cambridge Analytica happened because of data portability. So the key question is which transfers should be considered as involving “data portability” and what obligations on each party in the transaction, if any, should flow from each model?
- If all data user data with a company should be portable: Facebook says that not all data a service provider has on a user is provided by the user; some of it is generated or inferred by the service provider on the basis of the user’s activity. Is the latter also portable data? [The Indian draft Data Protection Bill believes so.]
- If user data should be retained forever: Facebook points out that not all user data is retained forever, and some of it is deleted. In that case, should service providers build tools to export soon-to-be-deleted data as well? Should a period be defined beyond which service providers don’t have to store user data for portability purposes? Facebook cites operational burden on smaller providers as a reason to impose limitations on a service provider’s obligation make observed data portable.
- If different types of data should have different levels of ease of portability: Given complexity of data ownership around certain kinds of data assets, Facebook asks if certain types data should be more portable than others. For instance, should emails addresses be easier to port than photos? What about emails themselves?
Data sharing and data portability are different: MediaNama’s take
In its white paper, Facebook has raised some valid concerns about data portability, such as whether operational burdens to carry it out would deter smaller players from being successful, and how would consent mechanisms around shared data work. But there are a few aspects that are problematic, or have not been addressed in the report:
1. B2B transfer of information of data portability not covered: Facebook sees data portability only as “an action that individual users of a service choose to take”, not as something that involves “business-to-business transfers of information”. This is a limited view of looking at data portability because data portability can primarily be implemented through interactions between two service providers. To exclude B2B transfers of information from the white paper limits its scope severely. Instead, the white paper should have also talked about standards and interoperability.
2. Facebook Login is data sharing, not data portability: In the white paper, Facebook considers something like Facebook Login as a means of implementing data portability. Facebook Login enables data sharing between the platform and apps. But data sharing and data portability are different concepts. By combining the two, Facebook is trying to evade its responsibility as a platform because in platform-to-app data sharing, the user data and the permissions architecture are still controlled by the platform. Apple’s “Sign-in with Apple” feature best exemplifies how the platforms bears responsibility for such data.
3. What about deleting data: Facebook’s white paper only talks about soon-to-be deleted data should be exported or not, but offers no clarity on whether data that has been ported out will be deleted or not. It also doesn’t talk about how long that data will be retained, post-port.
An industry source, on the condition of anonymity, said, “The largest issue for me is who determines the porting standard? The Data Protection Authority? The industry? iSPIRT? I think having multiple port standards is good for consumers, such as RTGS, NEFT, IMPS and UPI for payments. Some are industry architected [sic], others are top-down by regulator. Whoever makes the standard takes the pie.”