The concept of “data portability” is being discussed throughout the world as nations begin to seriously address data privacy and security. The idea is that consumer data would exist in some sort of standardized, modular, machine-readable format that could be easily tracked and moved across different systems. More importantly, the data subject would always have access to it and the ability to see what is being stored.
Conceptually, it’s somewhat similar to a credit report or a medical record. However, a data portability framework wouldn’t necessarily consist of one monstrous master data file containing a person’s entire online life. Instead, it’s more like a standardized file format that enables smooth data flows to support services the end user is engaged with.
For example, an interested customer might be able to send their fitness tracker data to a health insurance company as an incentive to get a better quote. Or they could more easily import their purchased media and playlists from one streaming service to another. Consumers would have all of these different concrete data files that they can see, possess and move as they choose.
The concept has come to the forefront in Singapore with the recent announcement by the Minister for Communications and Information S Iswaran at the Mobile World Congress, that a data portability requirement is being considered as an addition to the Personal Data Protection Act. The Personal Data Protection Commission (PDPC), with some assistance from the Competition and Consumer Commission of Singapore, has introduced a discussion paper as the first step in shaping this idea. The PDPC believes that this will not only improve options and outcomes for consumers, but will also improve transparency in data collection.
The PDPC proposal
The PDPC’s discussion paper is quite detailed, and draws on frameworks and practical examples that have already been implemented or are being discussed in other nations, most notably the data portability provisions of the EU General Data Protection Regulation (GDPR), but also those of five other countries and the state of California.
This initial paper focuses almost entirely on the benefits of data portability. For organizations, these are numerous but also fairly self-evident: increased volume of personal data transmitted, reduced costs of data acquisition and account turnover, and improvements in efficiency and innovations stemming from the combination of diverse data sets, to name the most significant.
The final third of the paper does touch on the potential negative outcomes of data portability, however, and there are a fair number of those to be considered in finding a balance between robust data protection and business interests.
Possible data portability downsides
One issue the paper raises is that it is technically feasible for larger companies to create what is essentially a “data monopoly” through price discrimination. It’s a natural expectation that the companies offering the best overall price or value are going to be raking in the lion’s share of customer data, which could lead to companies with substantial market share attempting to corner the market through discounts. However, the paper notes that section 47 of the Competition Act addresses predatory pricing schemes of this nature. It also points to studies conducted in Japan, Germany and France that suggest that this sort of data should be subject to competition law.
Varying business compliance costs are also a legitimate concern. Generally, the smaller and newer the business, the more disproportionate the burden of implementation and request-response costs is going to be. The paper suggests a de minimis threshold for data volume and a cap on the frequency of requests as a potential answer, and also leaves the door open for the charging of a “reasonable” fee for data processing.
The setting of a standard format is also likely to be a contentious issue. There is no clear standard in use elsewhere in the world waiting to be readily adopted. This is another area where a delicate balance between competing business and customer needs must be found. The format will have to be easily and commonly accessible to the average (not necessarily tech-literate) person, but will also have to be secure when moving data to another controller. There will also need to be some means of identity authentication involved when businesses receive the personal data directly from customers. The open-source Data Transfer Project, which is backed by some of tech’s biggest names such as Microsoft and Facebook, is mentioned as a potential launch point. However, this project is still in its early stages and is still ironing out some significant issues.
There are some added public interest factors to consider that the PDPC paper doesn’t touch on, most of which are at the data subject end of the equation. One of the big ones is going to be the need for end users to secure their own data. You can point out that companies are hacked all the time and their security certainly tends to be less than perfect, and you would be absolutely right. But are the average person’s security hygiene and practices better than those of the businesses that currently hold their data?
If it is not handled well, a data portability culture could wind up being a gold mine for identity thieves and cyber criminals as they raid the relatively poorly secured individual devices of end users for their personal files. The Internet of Things, and the fact that many of these devices are still manufactured without the ability to secure them properly even if you’re motivated and knowledgeable, could be a major exacerbating factor in such a scenario.
There is also a significant risk of bad faith actors tricking or coercing the end user into transmitting those data files to them. This could even be done indirectly, in a manner similar to the Cambridge Analytica Facebook exploit that exposed friend network data if any member of that network used their malicious app.
And even if all involved parties are handling their security responsibilities adequately, the proliferation of this concentrated data among more companies will lead to a simple statistical increase in the likelihood of data and identity theft. The more places these concentrated data modules are held, the more likely that the odd phishing email or rogue employee exposes them.
This initial paper just gets the ball rolling on a national standard; many specifics have yet to be ironed out, the most significant of which is exactly what types of data would be subject to such a requirement. Singapore may be able to look to the GDPR’s Article 20 for further guidance in striking a balance between consumer protection and business innovation, as the European regulation nears a year in action with its data portability requirements in effect.