DATA PORTABILITY: A GUIDE AND A ROADMAP.

Author: Hondagneu-Messner, Sasha

Abstract
I. Introduction
II. Data Portability Generally
  A. Background
  B. Data Portability in the GDPR and the CCPA
III. Practical Risks with Data Portability
  A. Which Data Should be Included?
  B. Whose Data Should be Included?
  C. Who Can Choose to Port Data?
IV. Privacy and Security Risks with Data Portability
  A. Lack of Guidance Regarding Security of Portability
  B. Potential Solutions
    i. PORT-IA: Portability Impact Assessments
    ii. Solutions Borrowed from the Financial Industry
    iii. Solutions Borrowed from Self-Regulatory Regimes
Conclusion

ABSTRACT

Data portability is one of the most unprecedented and innovative aspects of Europe's GDPR and California's CCPA. Widespread adoption of data portability is not slowing down. Privacy bills in Congress submitted by both Democrats and Republicans include data portability as a right. Several proposed state and international privacy laws also call for the right to data portability.

This article examines the right to data portability and the inherent tension between its anti-competitive and privacy/cybersecurity features. While data portability can help foster innovation and competition, it also poses several risks of data getting into the wrong hands.

First, this article will examine the background of data portability. This will explore smaller-scale sectoral examples of data portability and the history of comprehensive data portability. Second, this article will review practical risks of data portability, including which data should be included, whose data should be included, and who can choose to port data. Finally, this article will discuss security risks of data portability. This article will suggest various solutions to mitigate security risks, including portability impact assessments (first proposed by Peter Swire), solutions from the financial industry, and self-regulatory regimes.

  1. INTRODUCTION

    I made the switch from Myspace to Facebook in 2007. I did so because most of my friends had switched platforms and stopped using Myspace--what was the point of social media if my friends were not on it? Since then, I and billions of others have shared some of our most intimate life details on Facebook. Moreover, while competitors have risen since 2007, such as Instagram (which is now owned by Facebook), Twitter, and Snapchat, one of the reasons I have remained on Facebook is because all of my friends are on it. Over time, Facebook has gained a competitive advantage in the market. (2) Eighty-nine percent of Facebook's revenue in 2017 came from targeted digital advertisements based on user data. (3) Facebook knows the difference between my acquaintances and close friends, my political affiliation, and so much more. (4)

    It would be difficult for any competitor of Facebook to overtake them for many reasons. Importantly, the competitor would be starting from scratch as far as personal data and social connections are concerned. This would include both "first text" and "second text," terms initially coined by Shoshana Zuboff. (5) "First text" includes data such as user searches, purchases, or photos uploaded. (6) "Second text" includes the platform's derived information from the first text, such as statistical assessments. (7) The "second text" provides a huge advantage to Facebook, and any other platform assessing their users statistically.

    Any competitor to Facebook faces two crucial problems: (1) how to generate comparable revenue, especially based on personal data, when in my example, Facebook has twelve years of my data; and (2) how to let individuals quickly connect with all of their friends that they are already connected with on Facebook. Data portability attempts to solve both of these anti-competitive practices. (8)

    Data portability is a new right, codified in both European and Californian data protection laws. (9) Data portability allows "a user [to] take their data from a service and transfer or "port" it elsewhere." (10) If managed and regulated correctly, data portability could create a more open and competitive environment. (11) While data portability has never been implemented on a comprehensive scale prior to 2018, there are smaller sectoral examples of data portability in telephones, healthcare, and financial laws. (12)

    The right to data portability only seems to be increasing in its scope. Most U.S. states that have proposed privacy laws have included the right to data portability. (13) Recent privacy bills proposed at the federal level have all included the right to data portability, regardless of party affiliation. (14)

    Data portability is not without its flaws, and there is an inherent tension between its anti-competitive and cybersecurity/privacy effects. (15) During a time at which governments around the world require companies to increase their privacy standards for personal data, there is something ironic about also mandating that these companies make personal data readily available to download and port elsewhere quickly. (16) A single case of identity theft could lead to the theft of an individual's entire online identity. (17) This theft could include every message sent on social media, an entire friend/follower list, financial information, and much more. (18)

    Strong regulations should be put in place to protect the use of data portability and mitigate any negative externalities. (19) Current laws and regulations regarding data portability are vague regarding what should constitute ported data and fail to address methods that should be taken to protect personal data. Two risks associated with data portability are: (1) practical concerns that those utilizing data portability will either over- or under-include data, and (2) security issues with the unauthorized access of data.

    Part II will explain the concept of data portability, generally. This will include a background of data portability and the codification of data portability in the General Data Protection Regulation ("GDPR") (20) and the California Consumer Privacy Act ("CCPA"). (21)

    Part III will review practical concerns of data portability. First, this section will consider which data to include in the ported data, something that remains unclear. (22) Should ported data include metadata, (23) or should it include algorithms and proprietary information used by companies to process data? (24) The GDPR has some guidance on this topic that can be used for the CCPA's implementation. (25) Second, this section will review whose data to include in ported data. Often, our privacy is determined by others' choices. (26) Data portability should, at a minimum, include information about social networks. (27) Consent and transparency over methods of data portability are an essential starting point. (28)

    Part IV will review security risks concerning data portability. First, regulators can follow guidance from Peter Swire, a leading privacy scholar, and his proposal for data portability impact assessments. (29) Second, regulators can look to regulations already imposed upon financial institutions for guidance. (30) Just as banks place limits and restrictions on how one can empty a bank account, certain limitations should be set to confirm an individual's identity and protect ported data. (31) Third, regulators can look towards self-regulatory regimes that are already in place to protect privacy. (32) One potential avenue here is the Data Transfer Project ("DTP"), a collaborative of Apple, Facebook, Google, Microsoft, and Twitter that aims at creating "an open-source, service-to-service data portability platform so that all individuals across the web could easily move their data between online service providers whenever they want." (33) These sorts of efforts can mitigate the concerns and risks regarding the security of data portability.

  2. DATA PORTABILITY GENERALLY

    1. BACKGROUND

      Data portability was first codified in the GDPR, signed into law in 2016, and shortly after that in the CCPA in 2018. (34) However, the idea of data portability is not new. (35) Data portability is much like local number portability, regulations that allow a user to keep their phone number when they change their service with telecommunications companies. (36) In the United States, number portability has been mandatory by law since the Telecommunications Act of 1996. (37) Europe followed this lead and instituted a right to number portability in 2002. (38)

      Other sectoral laws have provided for data portability. In finance, Section 1033 of the Dodd-Frank Act of 2010 provides that consumers shall have access to their financial records "in an electronic form usable by consumers." (39) In healthcare, the U.S. Department of Health and Human Services has issued rules providing access to patient records in order to "increase innovation and competition; reduce burden and advance interoperability; and promote patient access." (40)

      Data portability was recognized (although not by name) by the Federal Trade Commission ("FTC") as early as 2000 in a matter against ReverseAuction.com. (41) ReverseAuction.com was a competitor of eBay that used unfair and deceptive actions to collect information on eBay users, such as their email addresses and feedback ratings. (42) Although the FTC had many complaints about ReverseAuction.com's actions, there "was also recognition of the way in which eBay's control over user reputations--the accumulated results of many transactions--blocked competition in online auctions." (43) Data portability could thwart this barrier to entry by allowing individuals to transfer their accumulated reviews and reputation from platform to platform. (44) The FTC has not stated that disallowing the porting of an individual's online reputation is unfair or anticompetitive. However, FTC commissioners have supported the notion of data portability as a means of "[increasing] privacy protections without crowning corporate royalty." (45) The FTC has not provided additional...
