Data portability

European Union

The right to data portability was laid down in the European Union's General Data Protection Regulation GDPR passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." Earlier the European Data Protection Supervisor had stated that data portability could "let individuals benefit from the value created by the use of their personal data".

The European-level Article 29 Data Protection Working Party has opened a consultation on this in English lasting until the end of January 2017.

Their Guidelines and FAQ on the right to Data Portability contain this call for action:

"WP29 strongly encourages cooperation between industry stakeholders and tradeassociations to work together on a common set of interoperable standards andformats to deliver the requirements of the right to data portability. Thischallenge has also been addressed by the European Interoperability Framework (EIF)." page 14

The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.

Switzerland

Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016. The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.

Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission. Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union.

Requirements for effective data interoperability

It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability:

the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable"

the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream.

Rights of data subjects under the European Union's new GDPR

The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. Here there is room only for a few rights related to data portability such as those of access and to explanation.

Comparison to the right of access in the EU GDPR

The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought.

In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract.

Comparison to the right of explanation

The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a decision tree. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman. This includes decisions based on profiling. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. The issue has been discussed by Bygrave, and by Hildebrandt, who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program cited critically by blogger Artur Kiulian

Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the London School of Economics (LSE). In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.

Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."

A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13-14.

A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR and proposes a limited ‘right to be informed’.

On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, and developed a Data Science Ethical Framework. On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd. Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion. By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".