This post is about the data portability requirement found in the General Data Protection Regulation (the GDPR). But first, a number of disclaimers: One, I only recently learned about the GDPR, so I am new to the subject. Two, I have never worked as a lawyer, and have no expertise in privacy law.
Nonetheless, I am writing this post. The more I read about data portability in the GDPR, the more it sounds like the experience I had in Texas trying to access people’s smart meter electricity usage data. That experience was a nightmare, and hopefully will prove insightful to people working on data portability in Europe.
The GDPR is an EU Regulation that attempts to unify data protection for individuals across the EU. The GDPR introduces new obligations on parties that collect data about individuals within the EU, and also introduces new rights for individuals. This post discusses the right of data portability contained in Article 20:
The idea behind data portability is that an individual owns his or her data, and should be able to reuse that data across different services. The right has two aspects. First, it is a right to receive personal data held by an organization and store it for further personal use. Second, it is a right to transmit the data from one organization to another. The Data Protection Working Party recommends the following in relation to compliance:
So in effect, the EU is requiring entities that hold data about individuals within the EU to provide features that allow the individual to download the data directly and to transfer the data to another party.
The right of data portability only applies to personal data that the individual has provided. In other words, for me to obtain data from a company, the data must both be about me and provided by me. While there is ambiguity in both aspects of this test, the latter (“provided by me”) is especially tricky.
The Data Protection Working Party has given examples to explain what types of data are included within the scope of this right (i.e. what types of data are “provided by me”). First is data that I knowingly and actively provided, such as my username, email address, mailing address, age, etc. Second is data that is obtained by observing my activity, such as smart meter data, activity logs, website usage history, and search history. What is not included, however, is data that is created by the company about me, such as a user profile that is created by analyzing my smart meter data. The Working Party refers to these three categories of data as actively provided data, observed data, and inferred data. The first two categories are included within the scope of this right, whereas the final category is not.
Many believe that data portability will have a huge operational impact on companies that benefit primarily from their exclusive right (by law or practice) to certain data. Data portability attempts to empower customers by ending the “lock in” effect of one company holding your data to the exclusion of others. On its face, that seems plausible.
However, I’m not convinced any of this is going to work especially well. To see why, consider the example of Texas smart meter data. The Texas legislature passed a law stating that customers own their meter data, and that customers have the right to assign access to that data to others:
In furtherance of that right, it was also agreed that the utility companies, who hold the data, must make the data available to other companies upon request in a manner that is convenient and secure:
This sounds virtually identical to data portability in the GDPR, albeit with a more limited scope. So how did this play out in Texas?
In order to comply with the legal requirements placed upon them, the utility companies formed a joint venture. The joint venture created a platform called Smart Meter Texas, which in theory allowed people to access their usage data and share access with registered third parties.
As of mid-2017, the utility companies are paying about $10 million per year for the platform, and no one really uses it. The startup that I cofounded, Awesome Power Inc., has about 4,000 “third party agreements” on Smart Meter Texas (agreements that allow us to access another person’s smart meter data), and is responsible for the majority of third party agreements ever created. Fewer than 100,000 people have ever accessed their data on Smart Meter Texas, and most of them did so only once and never returned. Despite the data being owned by the customer, and despite the right to conveniently share that data with other parties, this right has been more or less meaningless.
Data access in Texas hasn’t amounted to much partly because the user experience on Smart Meter Texas is truly horrible. I won’t bore you with the details, but suffice it to say that it is so bad that we recently convinced the Public Utility Commission of Texas to open a case to redo the entire system. However, while many of the UX problems are self-inflicted and totally unjustifiable, some aspects of what makes the process burdensome are more understandable. This is the case when it comes to balancing data access with data privacy.
The utility companies have an obligation to ensure the privacy and security of the data: they can’t just give a person’s data to anyone. As a result, if I want to share my personal electricity usage data with Awesome Power Inc., I have to provide the utility company with my customer ID, my meter number, and the name of my current electricity provider. That’s not exactly easy: providers change names regularly, so it is hard to keep track; customer IDs are 18 digits long; and meter numbers only appear on the physical meter (so a customer has to go find his or her meter, wherever that is located). About a quarter of the people who register an account on Awesome Power Texas accidentally provide us with incorrect information.
There’s more to it than that, but I think I’ve made my point about Texas. Data access, while legislated for in ways almost identical to the GDPR, hasn’t amounted to much.
I think a natural tendency, especially on the part of lawyers, is to read the above story about data access in Texas as a story about an enforcement failure. The law says that data access must be convenient, so the utility companies are simply not in compliance with the law! While that may be true, and I’d certainly appreciate it if regulators took a stronger stance against the utility companies, I think that hides the realities of how this really works.
The truth is that we can’t merely legislate for something like “convenient” data access because it is a huge challenge to get into the details and determine whether the system for accessing data is convenient given the circumstances. The Texas example discussed above is relevant because it demonstrates the difficulty involved; the regulator is concerned only with a handful of companies (the utility companies in Texas) and a single type of data (smart meter data), but as of yet has been unable to make this right effective. If implementing this right in such a limited context is so challenging, one can only imagine the difficulty involved in making this right effective under the GDPR.
My view is that data portability will prove to be an under-utilized right in the vast majority of cases. It is a step in the right direction, but I’m not counting on it having much of an impact. In the short to medium-term future, it will be more of an administrative hassle than anything. If you’re building your business around accessing data that companies will now be required to provide to you (on a customer’s request), prepare for a lot of pain.
I’ll end it there. I am not an expert on the GDPR, and I’d be happy to hear from people who know more about this topic than I do. However, I hope my experience with legally mandated data access is instructive in understanding the possible issues that we might see with data portability in the GDPR.