Bijan Madhani
Sep 22, 2020 · 66 tweets
Today's the big day! @FTC is hosting their workshop on portability. I'll be live tweeting my thoughts and appropriately warm takes during most of the day, so stick around!
We (@Facebook) submitted our comments to @FTC on #dataportability last month. I'll be weaving our thoughts from those comments into my takes on today's session
Andrew Smith, Director of the Bureau of Consumer Protection kicks off highlighting privacy / personal autonomy impacts of portability and the potential competition benefits, noting it allows for collaboration across @FTC's consumer protection and competition sides #DataToGoFTC
Portability is a perfect example of the increasingly common intersection of privacy and competition issues—perfect for our friends at the @FTC #datatogoftc
@peterswire's table setting remarks introduce some terminology (portability vs. other required transfers vs. interoperability) and proposes a portability impact assessment (PORT-IA), to evaluate risks and benefits of data transfers #datatogoftc
Portability seems to mean different things to different policymakers. How do you reconcile implementations across sectors (health, financial services, tech...), jurisdictions (EU, California, Brazil...), and policy imperatives (privacy, antitrust, cybersecurity)? #datatogoftc
@peterswire’s PORT-IA impact assessment is developed from case studies on a variety of sectors (including autodealers!). Features a set of structured questions to assess the benefits and risk of portability / other required transfers. Could be useful for practitioners (read: me)
When should you want to make data portability happen? @peterswire highlights ex ante regulation (HHS rules) and ex post remedies (e.g. competition). But *voluntary* portability implementations are quite common in the real world, especially given the absence of legal requirements
First panel of the day will focus on portability around the world (well, at least EU, California, and India). Moderated by @FTC’s Guilherme Roschke and featuring @gabrielazanfir, Inge Graef, Karolina Mojzesowicz, Rahul Matthan, and Stacey Schesser #datatogoftc
The EU’s experience with portability is probably the one everyone is most familiar with. Karolina cites economic and data liberalization, individual control and autonomy, among the reasons behind it
Which data is covered by GDPR Art. 20 (and other rights) is much debated. We even dedicated a section of our white paper on portability to this topic! Somehow this is the first plug: about.fb.com/news/2019/09/p…
Karolina details Art. 29 Working Party guidance, which says GDPR includes actively provided data (like uploaded photos) and passively provided or observed data (like location and IP address) but not inferred data (some analysis has been done on the other two buckets)
Note that the European Commission disagrees with this broad interpretation of “provided”!
Now we get to hear about everyone’s favorite new privacy law, the CCPA. Stacey Schesser (CA AG) covers the very brief reference to portability and aspects of the AG’s regulations that pertain to the right. Factors include risk of harm, sensitivity of data, burden on businesses
Per Rahul Matthan, India is taking a different tack. The data protection law is still in the works. Instead, India has a portability technical framework (“Data Empowerment and Protection Architecture”), designed to enable individuals to use data to their economic or other benefit
DEPA relies on disintermediated digital consent managers to facilitate data portability. These consent managers or account aggregators manage time of access, retention, and deletion for ported data. India’s draft privacy law would provide a legal framework around DEPA
Prof. Inge Graef is sharing her research and observations on the nature and implementation of portability. Calls it a hybrid between various interests. She notes it is beginning to appear outside the GDPR in the EU, particularly in the EU data strategy (a very fun read)
Inge Graef notes the difficulty in balancing interests (those of other people, trade secrets, proprietary data, etc.) in determining scope of data to be ported—the guidance hasn’t been enough. This ambiguity might be used as an excuse by data controllers (ed: they would never!)
Prof. Graef also flags that portability can have positive or adverse impacts on competition. She proposes asymmetric regulation (perhaps in ex ante competition rules or the EU DSA) to ensure the competition benefits are positive. Applied to qualifying large firms
According to Prof. Graef, portability may not be enough to address all competition issues in a market. May not overcome network effects or happen at sufficient scale or remedy market tipping
Prof. Graef: portability needs to be steered in practice to balance competing interests and stimulate competition
@gabrielazanfir representing @futureofprivacy! Noting 3 challenges: 1) difficulty with verifying/authenticating requesting individuals and recipients; 2) the social nature of personal data (we care about this!); 3) further uses of data by recipient organizations—are there limits?
@gabrielazanfir flags that portability regimes can conflict and make things harder for companies and individuals. The differing underlying interests of PSD2 / Open Banking and GDPR’s right to portability can undermine trust and introduce confusion.
The two-year retrospective on GDPR suggests the right to portability hasn’t been implemented to its full potential, but there haven’t been many consumer complaints. Maybe the issue is that existing guidance is insufficient to really implement robust mechanisms, just sayin’
A good place to note that @Facebook is a big fan of portability for its consumer / innovation benefits. But we’re acutely aware of the practical challenges. We’d like to see more usable regulation/guidance in the space (even in the EU) to really make it worthwhile for people
Is the future of portability real-time porting of data (approaching interop.)? Karolina suggests likely in the EU. Real-time portability at scale is promising from an innovation perspective but makes it imperative that privacy concerns @gabrielazanfir raised are addressed by DPAs
Time for a break! I also have a couple meetings coming up, so my takes will be slightly less fast (but no less furious). Maybe give Facebook’s excellent data portability tools a try about.fb.com/news/2019/12/d…
And I’m back! For another break. As I missed the last panel, I’m going to riff a little on the characteristics of the financial and health sectors and what that might mean for portability
Financial portability (best exemplified by the UK’s Open Banking) has a couple of interesting characteristics. It’s a standards-based regulatory model for a heavily regulated industry that really deals in *commodity* kinds of personal data
Financial data is sensitive, but fairly homogenous and commonly understood across entities (it’s money + transactions), the API requirements comparatively easy to standardize, and the expected recipient entities somewhat easy to identify and certify
Health sector data is also extremely sensitive, but very heterogenous with a variety of use cases for each data type. Whether people (and businesses) actually want to port it may not be as straightforward, given the more significant privacy risks and implementation costs.
Finally the panel *I’ve* been waiting for! Excited to hear about how practitioners (@Google’s Ali Lange), academics (@gabenicholas + @peterswire), and policy experts (@PamDixon_ + @hodanomaar) are reconciling the risks and benefits identified so far
Great to hear Ali talk about the Data Transfer Project! More details available here: datatransferproject.dev. We encourage companies and innovators to give it a try!
@GabeNicholas describes data portability as a big experiment for regulating competition in tech. What conditions do we set out and what are we testing and optimizing for in this experiment? Privacy, consumer, competitor, and innovator variables come into play
@PamDixon_ focuses on the data autonomy aspects and privacy risks of data portability. She is interested in the identity ecosystems (or silos) around people who want to port their data.
Standardization or harmonization of digital identity is definitely a data portability problem (for individual and entity verification and authentication) but not just a data portability problem. The internet has been trying to solve this since before I was born!
And we have our first “sorry, you’re on mute” for a participant today. My money was for that to happen much earlier!
@peterswire is back! Research suggests more considerations: 1) Port seems to be most applied in cases where user lock-in is an issue 2) Should portability reflect how consumers behave? Do they multi-home in the services they use? 3) Are privacy concerns legit or pretextual?
@hodanomaar makes a great point about the differing incentives between consumers and companies. Where the incentives for making data transferable are very different, portability obligations can help make the market around data more efficient
Data doesn’t have any inherent value. It’s nonrival and largely replicable. The context in which it’s used is important, and that’s relevant to which data and where a person or entity might choose to port it (or not)!
@GabeNicholas highlights interesting research about whether data from @Facebook’s DYI tool is useful for competitive purposes, versus direct portability (say via DTP)
The scope/structure of data included in portability tools can *and should* vary based on the purpose or use cases imagined for the tool. Some tools can be oriented towards archival purposes for people, while others might be more innovation-oriented. See our FTC comments for more!
Finally, @PamDixon_ + @peterswire discuss the onward transfer and misrepresentation challenges of porting data. If a person sends data to an entity that exists outside an extant privacy regime or uses data outside expectations, it’s difficult for people to vindicate their rights
@GabeNicholas suggests that portability regimes focused on competition not just focus on user lock-in. Network effects are worth addressing through concepts like collective or group portability mechanisms. I’d flag significant privacy / implementation challenges to building this
@GabeNicholas flags that mechanisms to address high switching costs can be bad for competition. Switching costs can help small firms build their own networks. If port is imposed on all firms, the gravity of the larger firm’s network could lead to switching *away from small firms*
@GabeNicholas suggests asymmetric portability obligations to address and make sure “data is flowing in the direction we want”—which likely would be incompatible with a fundamental rights model of portability (as currently exists in the EU!)
@peterswire + @GabeNicholas (and I) violently agree on telecom number portability not being a great example to learn from in the data portability context
I have lots of thoughts on @peterswire’s suggestion to use FRAND to address potentially pretextual claims around privacy risk—it’s worth examining in portability regulation
Lots of baseball analogies in the last panel, which I will happily continue. We're heading into the final innings, with just one more panel, on solving material challenges to portability. Make sure to use the restroom, buy some overpriced beer, and get back in your seats!
@julianranger talking about how intermediaries like @digime and other data facilitators fit into the personal data and portability ecosystems
@SNolanCollins noting that the absence of federal privacy legislation stands in the way of portability on the ground. Pass a clear law with clear accountability requirements and one potential impediment (pretextual or not) is dealt with
And our second “oh you’re muted” of the day! Drink!
@SNolanCollins and @julianranger differ a bit on whether informed consent and notice/control-based regimes are fair or reasonable means of enhancing individual privacy today
As the panelists cover the security risks of portability, I want to highlight a clear example of how privacy and security can be in tension here...
@annamerlan (@VICE reporter extraordinaire) requested her personal data from Clearview AI, a much maligned facial recognition company. vice.com/en_us/article/…
@annamerlan had to give them a photo ID for authentication purposes and for Clearview to run a search for her personal data for disclosure under CCIA (primarily images of her face)—which they had not previously linked to her identity
Because Clearview had to learn more about @annamerlan’s identity than they previously knew to verify the legitimacy of her request + match her provided identity to their images, securely exercising rt. to portability might’ve undermined her privacy interests vis-a-vis Clearview
Returning to what the panelists are talking about, @julianranger suggests in the data facilitator context, *individuals* ought to be responsible for their data when they request it from an entity but before directing its transfer to another. As a consumer, this might be chilling!
@EFF’s Bennett Cyphers describing screen scraping / credential sharing, a security risk that can be mitigated by portability or potentially act as a backstop in its absence
If you offer a dedicated portability API for users to obtain their data, they don’t have to share their credentials with a third party who might abuse them or use shady means to obtain data for users
But if a portability regime doesn’t exist, then screen scraping can be an option of last resort for people + intermediaries (per @julianranger). Think about @mint and the financial services sector.
Bennett notes that screen scraping can lead to legal liability, notably under the CFAA
Looks like we’re closing with standards and interoperability. Our comments to the FTC have a pretty fat footnote on interop., which I’ll share here. Standardization and interop. are attractive, but there can be a chilling effect on innovation in standardized/interoperable markets
@FTC’s Ian Connor (Director of the Bureau of Competition) delivering the closing remarks. Fitting!
And the data portability workshop is over. Please feel free to reach out with any questions and/or to adopt my opinions as your own! #DataToGoFTC