Data portability


Data portability is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. closed platforms, thus subjecting them to vendor lock-in and making the creation of data backups or moving accounts between services difficult.
Data portability requires common technical standards to facilitate the transfer from one data controller to another, such as the ability to export user data into a user-accessible local file, thus promoting interoperability, as well as facilitate searchability with sophisticated tools such as grep.
Data portability applies to personal data. It involves access to personal data without implying data ownership per se.

Development

At the global level, there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.
At the regional level, there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 General Data Protection Regulation.
The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.
Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms.

Online platforms

With the advent of the General Data Protection Regulations, social media platforms such as Twitter, Instagram, Snapchat, and the Wall Street Journal online subscriber community have widely adopted the ability to export and download user data into a ZIP archive file. Other platforms such as Google and Facebook were equipped with export options earlier. Some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.
Other sites such as Quora and Bumble offer no automated request form, requiring the user to request a copy of their data through personal support email.

Ratings and reviews

Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another. This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities.
The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform. Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem, and hence mitigating platform lock-in.
Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust. As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline.

In consumer electronics

Mobile devices

Some mobile apps restrict data portability by storing user data in locked directories while lacking export options. Such may include configuration files, digital bookmarks, browsing history and sessions, watch and search histories in multimedia streaming apps, custom playlists in multimedia player software, entries in note taking and memorandum software, digital phone books, call logs from the telephone app, and conversations through SMS and instant messaging software.
Locked directories are inaccessible to an end-user without extraordinary measures such as so-called rooting or jailbreaking.
The former requires the so-called boot loader of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the wipe, making it a vicious cycle if the user's aim were to access their locked data.
Other mobile apps only allow the creation of user data backups using proprietary software provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.
Some device vendors offer cloud storage and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and phone books between locked directories on devices of the same vendor, without the ability to export the information into local files directly accessible by the end user.
Restrictions added in more recent versions of operating systems, such as scoped storage, which is claimed to have been implemented with the aim to improve user privacy, compromise both backwards compatibility to established existing software such as file managers and FTP server applications, as well as legitimate uses such as cross-app communication and facilitating large file transfers and backup creation.
Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in.

Digital video recorders

Some digital video recorders which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability.
Some DVRs have an operating system that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.

Other appliances

units, as well as their associated base stations, which have firmwares with phone book and SMS messaging functionality, commonly lack an interface to connect to a computer for backing the data up.

In software

Some software such as the Discourse forum software offers a built-in ability for users to download their posts into an archive file.
Other software may operate locally, but store user data in a proprietary format, thus causing vendor lock-in until successfully reverse-engineered by third party developers.

By jurisdiction

European Union

The right to data portability was laid down in the European Union's General Data Protection Regulation passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state.
Earlier the European Data Protection Supervisor had stated that data portability could "let individuals benefit from the value created by the use of their personal data".
The European-level Article 29 Data Protection Working Party held a consultation on this in English lasting until the end of January 2017.
Their guidelines and FAQ on the right to data portability contain this call for action:
The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.
In April 2017, new guidelines were published on the Article 29 Working Party website.
In late 2019 the Data Governance Act was published by the Commission.
In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.
In 2022 the European Commission published the Data Act.
Although the United Kingdom voted to withdraw from the EU, it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".
In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. In the UK—ironically post-Brexit—researchers are monitoring developments.
Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.

Switzerland

Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018.
An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. A law was passed that includes data portability; as described here in German
and here in French. The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.
A second association has issued its guideline on the topic.
Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.