Data portability

At the global level, there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}

At the regional level, there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 General Data Protection Regulation (GDPR).

The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=978-92-79-62181-9}}

Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms.

With the advent of the General Data Protection Regulations (GDPR), social media platforms such as Twitter, Instagram, Snapchat, and the Wall Street Journal online subscriber community have widely adopted the ability to export and download user data into a ZIP archive file.{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}} Other platforms such as Google and Facebook were equipped with export options earlier.{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}} Some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}

Other sites such as Quora and Bumble offer no automated request form, requiring the user to request a copy of their data through personal support email.{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data |website=Quora Help Center |date=2019-12-13}}

Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }} This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities.

The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}} Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217|s2cid=9398036 }}{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}} and hence mitigating platform lock-in.

Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 |doi-access=free|hdl=10419/286941|hdl-access=free}}{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/

|access-date=March 14, 2023}} As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline.

Some mobile apps restrict data portability by storing user data in locked directories while lacking export options. Such may include configuration files, digital bookmarks, browsing history and sessions (e.g. list of open tabs{{efn|Not limited to web browsers, but also, for example, text editors.}} and navigation histories), watch and search histories in multimedia streaming apps, custom playlists in multimedia player software, entries in note taking and memorandum software, digital phone books (contact lists), call logs from the telephone app, and conversations through SMS and instant messaging software.

Locked directories are inaccessible to an end-user without extraordinary measures such as so-called rooting (Android) or jailbreaking (iOS).

The former requires the so-called boot loader of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the wipe, making it a vicious cycle if the user's aim were to access their locked data.{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}

Other mobile apps only allow the creation of user data backups using proprietary software provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}

Some device vendors offer cloud storage and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and phone books between locked directories on devices of the same vendor (vendor lock-in), without the ability to export the information into local files directly accessible by the end user.{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}

Restrictions added in more recent versions of operating systems, such as scoped storage, which is claimed to have been implemented with the aim to improve user privacy, compromise both backwards compatibility to established existing software such as file managers and FTP server applications, as well as legitimate uses such as cross-app communication and facilitating large file transfers and backup creation.{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}

Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}.

Some digital video recorders (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability.

Some DVRs have an operating system that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17 |access-date=2020-10-23 |archive-date=2021-04-12 |archive-url=https://web.archive.org/web/20210412055921/https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |url-status=dead }}{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=German Telekom |language=de |date=2019-01-22}}

Cordless landline telephone units, as well as their associated base stations, which have firmwares with phone book and SMS messaging functionality, commonly lack an interface to connect to a computer for backing the data up.

Some software such as the Discourse forum software offers a built-in ability for users to download their posts into an archive file.

Other software may operate locally, but store user data in a proprietary format, thus causing vendor lock-in until successfully reverse-engineered by third party developers.

The right to data portability was laid down in the European Union's General Data Protection Regulation (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state.

{{cquote|Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}}}

Earlier the European Data Protection Supervisor had stated that data portability could "let individuals benefit from the value created by the use of their personal data".{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}

The European-level Article 29 Data Protection Working Party held a consultation on this in English lasting until the end of January 2017.

Their guidelines and FAQ on the right to data portability contain this call for action:

{{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the European Interoperability Framework (EIF).}}

The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}

In April 2017, new guidelines were published on the Article 29 Working Party website.{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.

In late 2019 the Data Governance Act was published by the Commission.{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}

In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}

In 2022 the European Commission published the Data Act.{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}

Although the United Kingdom voted to withdraw from the EU, it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}

In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.{{cite web | first1=Clement | last1=Perarnaud | publisher=Diplo Foundation | title=GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15) | url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date=27 November 2019 | archive-date=29 July 2020 | archive-url=https://web.archive.org/web/20200729035207/https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | url-status=dead }} In the UK—ironically post-Brexit—researchers are monitoring developments.{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}

{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008|hdl= 10023/23477 |hdl-access= free }}{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}

Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}

Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}

An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}} A law was passed that includes data portability; as described here in German {{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019|website=Federal Assembly}}

and here in French.{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019 |website=Federal Assembly}} The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}

A second association has issued its guideline on the topic.{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}

Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}

California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}

Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}

Data portability is included in the Personal Data Protection Bill 2019 about to become law as section 26 in chapter VI.

Data portability is included in the Privacy law#Brazil as its Article 18.{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}

In Australia, a Consumer Data Right has been proposed.{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}

Data portability is included in the new law.{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}

A right to data portability is enshrined in the new data protection law under clause 34.{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}} However, the intentions behind the new law, its enforcement and relation to the government's new Identity management system have already been contested.{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}

It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format".

This touches on at least two distinct technical requirements for effective interoperability:

• the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format.
• the need (hinging on "interoperable") to consider not only an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream.

Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}

The list of these rights has grown.{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}

The data portability right is slightly different from the Right of access to personal data; see GDPR and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with Recital (law). Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought.

In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract.

The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a decision tree. This right, however, was found to be not very useful in an empirical study.{{cite SSRN |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}

The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation

|date= July 22, 2016 |publisher=White & Case}} This includes decisions based on profiling. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }} The issue has been discussed by Bygrave,[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no] and by Hildebrandt,Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com] who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text was finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below).

In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}} the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}} Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}

cited critically by blogger Artur Kiulian.{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}

Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }} Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the London School of Economics (LSE).{{cite web | first1=Frank | last1=Pasquale | title=Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date=February 5, 2016 | access-date=November 30, 2016 | archive-date=December 1, 2016 | archive-url=https://web.archive.org/web/20161201014921/http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | url-status=dead }} In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.{{cite web |title= Series on Algorithmic Accountability |url= http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date= February 5, 2016 |access-date= December 7, 2016 |archive-date= December 20, 2016 |archive-url= https://web.archive.org/web/20161220084911/http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |url-status= dead }}

Another 2016 paper, published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."{{cite SSRN |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}

A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}

A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.{{cite SSRN |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}} A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.{{Cite SSRN |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}} Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}

On both sides of the Atlantic, there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}} and developed a Data Science Ethical Framework.{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}} On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}} Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}} By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |archive-url=https://web.archive.org/web/20161217025544/http://standards.ieee.org/news/2016/ethically_aligned_design.html |url-status=dead |archive-date=December 17, 2016 |date=December 13, 2016 |publisher=IEEE}}

Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}

• [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al.
• Data Transfer Project
• Ethics of artificial intelligence
• General Data Protection Regulation

{{notelist}}

{{Reflist}}

{{data}}

Category:Digital rights

Category:Interoperability