Consumers' desires to streamline their online activities, including sharing their multimedia to various platforms, are at an all-time high. The oft-discussed method of data portability brings that simplification, but the challenges of doing it properly and safely remain difficult.

Data privacy and security are chief among the risks associated with the concept of portability. Both concerns were among the topics covered by panels at the U.S. Federal Trade Commission's virtual data portability workshop. A variety of stakeholders took part in discussions examining portability's potential risks to consumer privacy, the best methods to secure personal data that is being transmitted from one business to another, and appropriate risk mitigation tactics.

Provisions within existing privacy regulation

The workshop's first panel discussion focused on the current data portability initiatives in the EU and U.S. Each initiative actually finds itself embedded into existing privacy legislation, the EU General Data Protection and California Consumer Privacy Act, which are requiring data portability to be available to data subjects in some fashion.  

European Commission Deputy Head of Unit for Data Protection Karolina Mojzesowicz said while the GDPR introduced a data portability right, it's "related but not equal to right of access." The provision sets out to further empower consumers and enable choice based on a company's privacy practices, but it only does so on the basis of consent or contract.

"The important difference that needs to be (shown) is between data knowingly provided and data observed, and data that's inferred or derived," Mojzesowicz said. "Data inferred or created by the controller will be the profile kept or analysis made on the behavior of a data subject while using a certain service. This data cannot be ported."

The CCPA outlines its data portability requirement at the beginning of the law, which California Supervising Deputy Attorney General Stacey Schesser, CIPP/US, said "lays out the framework for access rights" within the legislation. She couldn't speak to the particular motivations for data portability's presence in the California law, but Schesser noted portability "was at the forefront of our minds" as the California attorney general's office drafted CCPA regulations.

"One specific area in which portability impacted the rules was in the requirement that businesses not disclose any of the personal data set forth in (the CCPA), meaning Social Security number or account information related to finances," Schesser said. "These information points could place a business in a sort of Catch-22, where they're required to provide the information, but it also could trigger some breach obligations if the data goes into the wrong person's hands. The regulations state you can't disclose those data points, but inform them that's what you collect in a general category sense."

Identifying and remedying portability risks

There are common threads as far as risks across sectors, but some sectors have more glaring issues than others. In one afternoon panel, World Privacy Forum Founder and Executive Director Pam Dixon honed in on portability within the U.S. health care sector, where transfers have may involve significant coverage gaps when leaving the Health Insurance Portability and Accountability Act umbrella and entering a different regulatory framework.

"Those health care protections do not attach to the data, but the provider and its practices only," Dixon said, adding the number of individuals who understand this transfer risk are "far and few between."

Alston & Bird Senior Counsel Peter Swire, CIPP/US, mentioned the need to address issues with consumer consent and visibility for onward transfers of data but also alluded to more general consent concerns that may arise.

"We're seeing more privacy issues about other people," Swire said. "If I have a picture I want to transfer of 10-year-old kid from another family, do I have to get the parents' permission before I transfer?"

While the risks themselves vary based on industry, the privacy issues associated with portability are the same as anywhere else, according to Electronic Frontier Foundation Staff Technologist Bennett Cyphers.

"Users don't have enough control or knowledge about what's happening with their data already," Cyphers said in the workshop's final discussion. "Data portability might bring attention to or exacerbate existing privacy issues with the internet today, but I don't think we'll see it create any new issues."

Cyphers and Public Knowledge Policy Counsel Sara Collins both agreed the solution to easily facilitate portability without privacy risks in the U.S. is a comprehensive federal privacy law.

"We need something that makes sure consumers aren't exploited for their data. This makes the internet ecosystem better, but also makes it easier to port," Collins said, noting the ease stems from a set of minimum standards for "how data must be treated by all parties involved in a portability scheme."

However, as the U.S. continues its wait for federal privacy legislation, Mastercard Senior Vice President and Assistant General Counsel Erika Brown Lee, CIPP/E, CIPP/US, views user trust and transparency as the keys for portability to flourish in the face of privacy concerns.

"Putting aside issues of security separately, but really focusing on the control perspective," Lee said. "You want to be able to port your data and exercise control over it, which means trusting you'll be able to get that data from a company or business. But you can't do that without information ... it has to be with informed consent."

Portability impact assessments?

There's little to no middle ground in terms of data portability satisfying desires for open data access and privacy simultaneously. The consensus is that a choice has to be made. However, Swire sees an opportunity to potentially have the best of both worlds.

While outlining the dilemma and general concept of portability in the workshop's opening presentation, Swire addressed his recent proposal for the creation of a portability impact assessment that addresses privacy, cybersecurity and competition. Swire likened the proposed assessments to data privacy impact assessments in the U.S and data protection impact assessments in the EU.

"First, we try to draft structured questions for what the impact assessment would ask to try to have a systematic assessment," Swire said. "The structured questions change quite a bit as we learn from all the case studies, and we can then validate these structured questions based on these studies across the different geographies, sectors and different types of data."

The case studies Swire mentioned focused on instances of potential portability in financial, health care and government sectors across the EU and U.S.

The portability assessment would first need to assess the challenge or opportunity that leads to a possible data port, which includes data mapping and examining legal requirements. The assessment would also explore more specific privacy and security risks, including those associated with identified data, deidentified data and third-party data. 

Swire said the assessment might be an avenue to "come to a mature view" on balancing the benefits and risks of portability, noting the required collaboration between privacy, cybersecurity, competition and other professionals that the assessment would call for.

"The portability impact assessment provides a method that is essentially agnostic about a proposal," Swire said, adding an assessment could help tailor privacy rules more appropriately on a case-by-case basis. "For this complex and increasingly important topic, the PORT-IA can assist policymakers, companies and stakeholders in making better-informed decisions."

Photo by Markus Winkler on Unsplash