Delara Derakhshani is Director of Policy at the Data Transfer Initiative (DTI), a non-profit with the mission to empower individuals by enabling effective data transfers. Chris Riley is Executive Director of the Data Transfer Initiative and a Distinguished Research Fellow at the University of Pennsylvania’s Annenberg Public Policy Center.

The European Union’s landmark tech competition law, the Digital Markets Act (DMA), is in force. Its goal is to ensure fair and open digital markets, which it accomplishes by imposing obligations on certain large platforms (or “gatekeepers”) which must proactively implement the DMA’s requirements. The European Commission recently designated six gatekeepers–Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft–which have until March 2024 to comply with the DMA’s provisions for their relevant services, including a new data portability obligation.

Article 6(9) of the DMA introduces a new data portability obligation:

The gatekeeper shall provide end users and third parties authorised by an end user, at their request and free of charge, with effective portability of data provided by the end user or generated through the activity of the end user in the context of the use of the relevant core platform service, including by providing, free of charge, tools to facilitate the effective exercise of such data portability, and including by the provision of continuous and real-time access to such data.

In the broader context of the DMA, the spirit of this obligation is clear: to create an equitable internet ecosystem where gatekeepers cannot impose unfair conditions on others or abuse their dominant positions–resulting in lower barriers to entry, greater consumer choice, and equal access to digital opportunities.

These are admirable principles, but transforming these words into reality will be complex. There are many unanswered questions that will require further exploration before the vision of the DMA can be realized. And yet, the EU must enforce its law, and soon.

The DMA and Future Laws Will Transform the Data Portability Landscape

The DMA introduces new requirements for designated gatekeepers to provide businesses and end users with tools that facilitate “continuous” and “real-time” data portability, which raises legal and technical questions about implementation and the intended scope of the laws. It proposes the inclusion of third parties, without specifying the roles they might have, or engaging with the benefits and risks that can arise, or mitigations for such risks that do not undermine the benefits.

Currently, there is a limited body of data portability policy analysis and research to draw on at this crucial implementation stage of regulation. At the same time, regulators around the globe are demonstrating a renewed interest in data portability–and many are expected to follow the EU’s lead in the DMA, just as the EU’s General Data Protection Regulation (GDPR) inspired similar laws in many jurisdictions. The legal landscape for data portability is changing and growing.

In 2023 alone, South Korea, Japan, and Switzerland have introduced or expanded on data portability obligations. In the U.S., California is implementing its privacy law’s portability provisions, New York is considering relevant legislation, and the ACCESS Act remains in play in Congress. Furthermore, in the near future, some state legislators are expected to include more robust data portability obligations as part of their comprehensive privacy laws. Implementation of the DMA will almost certainly factor into these trajectories.

The substantive complexity of modern data portability and the rapid movement of legislation are dancing on a fragile foundation of limited research and understanding. More work to unpack portability’s difficult questions is needed, urgently and immediately.

Proposed Research Areas for Initial Consideration

Though by no means exhaustive, below we identify a core set of initial questions that will help maximize the benefits of data portability requirements and minimize any potential harmful or unintended consequences.

Our proposed research questions fall into three buckets:

(1) measuring the impact and effects of data portability for users, companies, and competition;

(2) the roles and responsibilities of, and with respect to, third parties; and

(3) privacy and security considerations.

Measuring impact and effects

The value of data portability remains underappreciated across the board. Part of the reason for this may be that there simply isn’t enough research on the effects and impact of data portability, including, notably, as it relates to multihoming (where researchers are free to try out and use multiple services at once) vis-à-vis situations in which a user decides to terminate an initial relationship to begin a new one.

• What makes data portability successful: How can regulators measure the success of data portability requirements? Is evidence of users “leaving” an incumbent service an accurate metric based on user behavior/preference or are there shortcomings by this measure? What kinds of instruments might be useful in assessing their effects on markets and service switching? Are there data portability benefits that flow to users but that may be difficult to observe?
• Identifying impactful use cases: Done well, data portability empowers users with respect to their data, not only by realizing greater consumer choice but also unlocking new value from new use cases and combinations of data. Which use cases will prove most impactful, and how can businesses take advantage of new opportunities that emerge from users’ ported data? In what markets will more effective data portability catalyze innovation? Can data portability empower vulnerable populations with new opportunities, services, and tools–for example, for accessibility?
• Data portability in emerging contexts: How does data portability intersect with emerging standards for the metaverse? What role does portability play in today’s discussions of artificial intelligence and centralization? How will data transfers work across different services and spatial computing platforms? Are the benefits and risks in these emerging contexts analogous to those in traditional online platforms?

Third parties

New data portability regulations place a great emphasis on third parties. While the European Union has existing guidance (via Guidelines 07/20) regarding the role of third parties in the GDPR, there is no such document for the DMA or other laws regarding the interactions among data hosts, users, recipients of data, and potential intermediaries. (And even the GDPR third party guidance took more than three years after the law’s effective date.) In practice a big use of “third parties” in the data portability context will be the recipients of data transferred directly from host to destination, rather than requiring the user to download and upload their data. (Additional intermediaries, who neither originate nor receive data, may also be relevant in some cases.) Some data destinations could be harmful to the user, and actions taken by a data host to facilitate transfers to such destinations would be deeply problematic.

• Legitimacy for direct data transfer recipients: Who determines the legitimacy of a proposed recipient of data through direct transfer mechanisms? How much of this decision properly lies with the data host versus the user? What are the respective obligations of various players in the space in protecting against data misuse? Can intermediaries, including the Data Transfer Initiative, play a useful role in this process?
• Vetting mechanisms: In practice, data hosts typically use available developer vetting mechanisms to support a prospective direct data transfer recipient, the mechanisms generally required as part of the process of getting API keys. Can such mechanisms allow for legitimate screening to prevent user harm at the would-be recipient? And how can such an exception to portability obligations be cabined such that it does not undermine the practical benefits of data portability?
• Adapting the data: Direct data transfers may or may not require the data to be modified or processed before it can be used outside the originating host service. On which party’s shoulders falls the responsibility of implementing relevant data adapters?

Privacy and security

Privacy and security are foundational principles for data portability, yet can raise complex questions about trade-offs and how best to empower users while protecting them and their data.

• Best practices: What are best practices for ensuring privacy and security, especially for more sensitive personal data? What systems of governance are best suited for articulating best practices? How do security and privacy risks differ for one-time data transfer and continuous and real-time portability?
• Mechanisms for obtaining consent: What does meaningful consent look like for data portability? How can consent mechanisms be designed to empower users while avoiding “consent fatigue?” Does consent fatigue create barriers for data portability? Are there unique considerations and challenges under the DMA? Are there effective alternatives to consent (such as dashboards or settings) that would help effectuate users’ will? How might consent barriers to portability be mitigated while respecting the intent of users?

- - -

Data portability is a powerful idea. It can be a significant part of the foundation of a strong, healthy internet future, one that puts markets to work on behalf of consumers, and empowers internet users to choose their own journeys, and not feel stuck. But we have a lot of work to do to get there.

Stakeholders and scholars must work together to build a strong portability future. At the Data Transfer Initiative, we hope to catalyze a community of thought at the heart of this burgeoning portability ecosystem. We will support some work ourselves, including through a conference in early 2024 to present some novel research.

This problem space is far more than we can address directly, however. We encourage scholars and thought leaders to further explore these topics in public and with stakeholders across academia, civil society, private sector, and government. And we’re here to help however we can along the way.