Reporting out on the Data Transfer Summit: A Day of Portability for a Future of Empowerment

Chris Riley, Executive Director of Policy for the Data Transfer Initiative (DTI), shares key insights from the organization's February Data Transfer Summit.

The Data Transfer Initiative (DTI) is a young organization working on an old problem: expanding data portability to empower people. Recently, DTI held a day-long event in Washington, DC: Data Transfer Summit: Empowerment Through Portability. The agenda included presentations of original policy research, discussion panels with industry and civil society leaders, keynotes by Senator Edward J. Markey and Travis Hall of NTIA, and a lightning talk by Sukhi Gulati-Gilbert from Consumer Reports. If you missed it, you can find the videos on our YouTube channel in this playlist.

DTI is a US-registered 501(c)(4) nonprofit social welfare organization; our mission statement is to “Empower people by building a vibrant ecosystem for simple and secure data transfers.” We are not a trade association and we operate independently, but we do benefit from close collaboration with our industry partners, Apple, Google, and Meta, who contribute to the open-source Data Transfer Project code base and to our other projects and strategies.

In this piece, I will share some reflections on the event starting with the context in which it was situated, then give takeaways and themes from the day, and conclude with thoughts on where we go from here.

Context: Some things change, some things stay the same.

A lot has changed on data portability since the splashy early days of the Google Data Liberation Front. It’s now a widespread norm for companies to offer a user-facing “download your data” tool, as much as having a privacy policy. Some companies, notably including DTI’s partners, are going further and investing in direct data transfer tools to take on the end-to-end task of transferring the data between system formats. And the European Union has adopted and is now enforcing a major law, the Digital Markets Act, which expands on its prior General Data Protection Regulation requirements for data portability to require so-called “designated gatekeepers” to work directly with third parties to facilitate personal data transfer. The six companies thus far designated – Alphabet, Amazon, Apple, Bytedance, Meta, and Microsoft – have released their initial compliance reports. We’ve previously written about the DMA and what the future holds for portability in Tech Policy Press.

Data portability has always enjoyed broad support as a concept. It is grounded in data protection and competition values, and serves both through its emphasis on empowering people. As awareness and understanding of portability grow, so too does its support. Yet the complex details of implementing portability are not widely understood. In preparation for the Summit, we prepared a Call for Papers identifying novel research questions related to portability. We identified seven policy papers to support as part of the event (you can read drafts from the agenda page here), which we are in the process of compiling and finalizing as a report.

At the same time, the current supply of data portability possibilities exceeds the nature of present demand, as I wrote in one of my 2024 portability predictions, which were displayed as table cards at the event. There are certainly some businesses chomping at the bit to allow users to transfer in personal data from other services. But the market today is only scratching the surface of the immense opportunities perceived by scholars and advocates to await as a result of greater portability offerings. Whether the gap comes from tools, awareness, access challenges, or other issues is hard to say at the moment.

Event takeaways: Much alignment, much yet to be done.

Considering the current turning point for data portability in both regulatory and market contexts, we felt now was the right time for a public gathering focused on it, and we were not disappointed by the enthusiastic response in terms of both speakers and attendees. Below, I gather takeaways from the event under four high-level themes: reinforcement, complexity, the role of law, and the impact of markets.

1. Reinforcement

Central to the thesis of the event was that portability is valuable on both data protection and competition dimensions, and that DTI as an institution is effectively positioned to bring people together to make progress. This thesis proved correct. The tech policy community in DC. is supportive of DTI and our focus on data portability, even though (or perhaps because?) there are no immediate legislative prospects to match what the EU has done with the DMA.

But Congress is paying attention. The American Privacy Rights Act, recently introduced by Senator Maria Cantwell (D-WA) and Rep. Cathy McMorris Rodgers (R-WA), includes a section on data portability that would require data exports in “a portable, structured, interoperable, and machine-readable format,” and the Senate’s portability and interoperability-focused ACCESS Act was reintroduced in 2023 and remains alive in the current session. Senator Markey (D-MA) joined our event as the opening keynote, where he highlighted the historical anecdote of number portability in telecom services as well as the importance of preserving an open internet, both of which he has championed throughout his career. In his remarks, Senator Markey emphasized the importance of data portability and interoperability and expressed enthusiasm for DTI’s efforts in this space. “I’m glad that data portability and interoperability are a part of this conversation because … these two ideas have the power to infuse competition into centralized markets,” he said.

Similarly, while the White House hasn’t made portability a priority when it comes to tech policy, it is clearly on the radar. Travis Hall, acting head of the Office of Policy Analysis and Development at NTIA, the agency designated to serve as principal advisor to the President on information policy, made remarks during a fireside chat. Hall channeled his years of experience with data flows and policy in dialogue with DTI’s Director of Policy Delara Derakhshani. In addition to the value of data portability, the two discussed how the US government collaborates with stakeholders in civil society and the private sector, and with regulators in other jurisdictions, notably the European Union. Even though Congress isn’t close to passing a law on these topics, the US isn’t irrelevant in any sense. American influence is felt both for the near term, in how engagements and advocacy in the US can shape data practices both home and abroad, and certainly for the long term, as the civil society panel in particular discussed in some detail.

2. Complexity

The landscape ahead for data portability is complex. On the technical side, the current mix of implementation pathways includes a range of interfaces for service providers to connect and transfer personal data. The role of Application Programming Interfaces (APIs) is well known at this point – which isn’t to say it’s well understood, and certainly the APIs are both quite varied and also still evolving.

The morning scholars panel included both a real-world look at the complexities of portability in practice, and a taxonomy approach to understanding portability. It also included a paper on portable trust, grounding portability in its privacy connections while taking a serious look at its inherent empowerment value yet also privacy, security, and integrity risks. The afternoon scholars panel looked further afield, with papers on portability’s connections to the metaverse and to artificial intelligence, and one on an implementation of continuous and real-time portability via webhooks. We’re working to combine these papers into a full volume and will provide more analysis of the collective works along with this future release.

The morning discussion on the business case for data portability revealed overlapping and new angles of complexity. The speakers discussed the potential for privacy and security harm and some of the practical steps they take to mitigate it, such as delays in transfers and multiple pathways of user notifications to reduce the chance of fraud through an unauthorized actor gaining access to sensitive personal data. They made clear that portability was worth it though, not just as a legal obligation, but as a path to build user trust and confidence with people.

The speakers also noted that it’s expected of businesses to offer visibility into data and portability pathways. For instance, Melinda Claybaugh, privacy policy director at Meta and a former counsel at the Federal Trade Commission, noted that “as consumers, we all know that we’ve come to expect that we will be able to access and delete and share and port our data to different services.” Google director of privacy, safety and security Kate Charlet said user choice ultimately pushes the entire sector to deliver better experiences. “I think as an ecosystem writ large, when users have choice and they can act on that choice, it is better for everybody, both the business and the users, because it means that they’re using the best products they’re able to, to move and use the best products,” said Charlet.

There are today, and perhaps always will be, some disagreements over specific portability implementations – some that critics say do not do enough to protect users from the possibility of fraud or trust breachers, others that are claimed to set too high a bar for clearance and thus undermine market contestability. Fortunately, the event discussions recognized the false binary of “trust or openness”; portability can deliver both, but the details do matter.

3. The role of law

Without doubt, law is contributing to shaping the future of data portability, notably the Digital Markets Act. It seems likely that other laws or government actions in the future will also have an impact. The civil society panel in the afternoon featured a lively and entertaining conversation with the heads of three of DC’s foremost tech and policy organizations: Chris Lewis of Public Knowledge, Alexandra Givens of the Center for Democracy and Technology (CDT), and Zach Graves of the Foundation for American Innovation (FAI), moderated by Molly Roberts, an editorial writer at The Washington Post. While largely aligned on the merits of portability, the speakers found disconnect over how to make tech regulations a reality. Public Knowledge has long advocated for the United States to create a new digital regulator; in contrast, while FAI has called for the Federal Trade Commission (FTC) and Department of Justice to receive more funding to be effective regulators for tech, Graves made clear his disagreement with the notion of a new agency. CDT, for its part, seemed quite ready to support the FTC or a new agency, whatever would get the job done.

The notion of a new, standalone federal regulator is much broader than just data portability of course. But it resonates with the approach taken by the European Commission. The DMA (and the Digital Services Act as well) has effectively changed the role of the Commission, adding on top of that body’s legislative obligations new duties as an active enforcer of the law. This differs significantly from past tech regulation implementation, in particular as compared to the GDPR which gives enforcement authority to member states rather than centralized in the EU. While it’s early, the increased collaboration between stakeholders and the Commission associated with DMA implementation sends some good signals of the positive value of this approach.

While passing new laws is unlikely on the federal level in the US, there remains the possibility of state action, or that active antitrust litigation could result in remedies with consequences for portability. The question of the enforcer looms large still, though, particularly in such remedies.

4. The impact of markets

With so much work around portability happening in government centers, it’s easy to over rotate on the impact of law and regulation. But it’s not the only lever influencing the future of portability – market forces including user expectations and new innovators will help shape the specific details of portability interfaces and practices. Law is inherently underspecified in a highly technical subject matter like portability, or at the very least, encoding specific details in a regulation is a recipe for fragility and rapid outdating.

Against that backdrop, Consumer Reports product manager Sukhi Gulati-Gilbert gave a lightning talk on Permission Slip, a mobile app that is intended to help users manage their personal data. Tools like Permission Slip or ErnieApp in the EU offer user-friendly ways to exercise statutory privacy rights related to personal data.

DTI’s Chief Technology Officer Lisa Dusseault and I spoke at the closing of the day. We talked about the many changes for work on data portability and interoperability, including increased activity at standards bodies as well as direct collaborations between and among companies. We also discussed the obstacles that can impede fast movement with portability, including trust and ever-present “NxN” (“N by N”) problems of developing and testing tools to transfer data among different sources and destinations.

What’s next: More research, more awareness, more investment, and more tools.

Collectively, the stakeholders engaged in portability have made progress in building a shared understanding of how to deliver portability tools that can serve end users. The Summit showcased this progress and furthered it at the same time through the event’s discussions. But there’s much more to be done; this single day was a beginning not an end.

At DTI on the policy front, we’ll continue investing in understanding the field through research and writing, beginning with publishing the collected works presented at the Summit. We anticipate publishing policy briefs throughout the year, alongside updates on our newsletter and blog. On technology, expect more from us in support of Data Transfer Project powered tools, more effort to build out the trust model work we’ve begun, more investment in the Portability Map, other work to close the supply/demand curve gap for portability, and more work on shared principles and approaches through data schemas and standards.

We aim to contribute wherever data portability is on the discussion table, such as running a workshop at CPDP in Brussels in May where Delara Derakhshani will represent us. And I expect you’ll see us in a number of similar fora over the course of the year, on both sides of the Atlantic and elsewhere around the world.

The data portability problem space is bigger than just DTI, of course. But our mission is to build a healthy ecosystem, so we will stay focused on that, and on identifying what it needs to continue to grow, targeting our investments accordingly.