When Austrian legal scholar Max Schrems sent a request to Facebook for the data held on him by the company, what he got in return was more than 1,200 pages’ worth of data. As of May, he has the right to take this tome and move to another social medial platform. This at least is the idea behind the new right to data portability, which is enshrined in Article 20 of the new General Data Protection Regulation (GDPR). The EU Commission hopes that the new regulation will lead to increased competition and improved user control over their data – and that ultimately everyone will benefit from it in some way or another.
But it's not quite so easy, as Michael Wohlfarth found out. Wohlfarth, a doctoral student at the University's Chair of Internet and Telecommunications Business under the auspices of Professor Jan Krämer, has carefully analysed the new regulation and found not one but a number of flies in the ointment – including from a user perspective.
This is where he sees problems:
It is not stipulated which data specifically are the subject of this regulation.
In Art. 4 (1) GDPR it says: '"personal data" means any information relating to an identified or identifiable natural person ("data subject")'. Examples of such data are: your name, address, date of birth, phone number, account data. But what about search queries such as 'dentist, Passau'? Michael Wohlfarth said: 'Such individual queries can be related to a person and consequently must be exportable as such.' But it remains to be seen if this criterion can be applied to such 'observed data'. These are data that the service obtains from the activities and preferences of users. However, third-party data, such as recommendations from others on LinkedIn or posts from other users on one's Facebook wall, are expressly exempted from the regulation. This is problematic because these too are personal data of sorts.
It is unclear how this is implemented on a technical level.
The GDPR only has this to say on the technical aspect of data portability: The data must be processed electronically and provided to the user 'in a structured, commonly used and machine-readable format' and should be 'transmitted directly [...] where technically feasible.' (Art 20 (1) and (2) GDPR). The regulation does not go into any further detail, instead leaving it to the online industry to agree on a mutual format. This could have been done since 2016. But very little has in fact happened, as Wohlfarth observed. 'We will have to wait and see what effect this law will be have in practice.' The GDPR provides for numerous penalties for delays in implementing the regulation. Wohlfarth: 'Those who do not implement the new rules risk being fined up to four percent of their annual revenue'. For Facebook, that would equate to approximately 1.6 billion US Dollars. However, whether that will be sufficient to motivate online platforms to implement the law swiftly remains to be seen.
Data portability sets an incentive for new competitors to gather even more data.
Let's assume for a moment that the right to data portability is very easy to implement: All data are comprehensively transferred, the process runs in the background without requiring any user interaction and without incurring any costs for the companies involved. Users could then switch platforms without giving it another thought. No data entry is required and there is no worry whether the new algorithm picks up on the users' preferences. The new platform simply draws all the information it needs from the data at the old monopolist company.
In an ideal world, that would work. However, even that case has its drawbacks, as a model calculation shows: The new platform, as a competitor, has an incentive to gather more data, which goes against users' interests. The monopolist, on the other hand, will collect less data, as it has to consider that the new competitor will obtain any additional data. As Mr Wohlfarth's analysis shows, this could lead to a rise in the overall data volume, albeit with an increase in overall welfare. This is so because bigger profits for new platforms and a greater incentive for market entry could outweigh the detrimental effects for users.
Overall, Mr Wohlfarth concludes that the GDPR is justified, particularly since it can be shown that the detrimental effects can be softened. The right to data portability should not encompass all data equally. And this is also taken account of, as the new law excludes the data of third parties.
So, has the EU Commission done everything right? 'It depends,' said Wohlfarth. 'It would be even better if the regulation were more specific when it comes to implementation. The trouble is this:
If the costs are too high, everyone loses.
Assuming the right to data portability incurs large costs for the companies: 'In that case everyone loses', said Wohlfarth. Why? Because then there is no incentive for market entry. The high costs are a barrier to entry and we are still stuck with a monopolist, who also loses money because of the cost involved in implementing the regulation. Users then don't have many competitors to choose from and are forced to stay on their old platform.
Network effects beat data portability.
Now, even if the costs remain manageable, there is another hurdle that cannot be overcome with the right to data portability alone, at least as far as the tech giants are concerned: network effects. These describe the phenomenon that made platforms such as Facebook big: as the number of users grows, so does the value of the service to users. 'Network effects cannot be ported with a right to data portability', said Wohlfarth.
Despite all this, the researcher believes that the right to data portability is still a step in the right direction: 'If the government wishes to create incentives for new services to enter the market, then data portability should be enforced strictly, leaving only very few exemptions', Wohlfarth wrote in his study.
Michael Wohlfarth published and presented his findings at the 38th International Conference on Information Systems in South Korea in 2017. His paper on 'Data Portability on the Internet: An Economic Analysis' won the 'Best Student Paper Award' at the 28th European Conference of the International Telecommunications Society (ITS), which took place in Passau in 2017.