FTC to Examine Data Portability Pros and Cons
The Federal Trade Commission (FTC) announced it will host a September 22 workshop on a major issue in privacy debates among policy makers, economists, and other thought leaders: data portability. Some argue that consumers need to be able to broadly move data such as social media content among holders and platforms, while others (including myself) have noted security and other unintended consequences from mandating broad access and portability rights in general privacy laws. For example, in Privacy Regulation and Unintended Consequences for Security, I called on policymakers considering broad privacy laws to “ensure that access, correction, transfer, or deletion rights account for serious security concerns, such as cybersecurity information sharing, the use of AI security tools, and the risk of centralized or portable data sets.”
Now, the FTC has determined it is time to look at data portability more closely, both from a privacy and a competition perspective. One factor driving the FTC’s interest in this issue now is emerging state and global laws that may force portability of an extremely wide range of data. The FTC has been paying attention to the complaints of some organizations about emerging regulatory obligations and has identified that it wants to know more, asking specifically about “lessons and best practices . . . learned from the implementation of the data portability requirements in the GDPR and [California Consumer Privacy Act (CCPA)].” The issues identified and asked about by the FTC relate to a number of compliance issues with the CCPA, such as verifying the identity of non-account holders and dealing with consumer requests for information associated only with IP addresses.
Our team has been wrestling with these and other issues and was dismayed the California AG did not offer more clarity in recent regulations. The FTC recognizes the fast-moving landscape, which includes the Data Transfer Project, which as the goal of “creating an open-source, service-to-service data portability platform.” As the FTC recognizes, in the financial services sector, consumer financial data sharing is an existing and widely used practice, and indeed industry participants have long worked on addressing security and other issues while allowing consumers to use a range of financial services. The FTC also notes that the Department of Health and Human Services has been looking at how to facilitate portability of health data, something Wiley has been talking about for years, including with Roger Severino, Director of the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR). And of course, data portability is being considered as a component of possible comprehensive federal privacy legislation.
The FTC is seeking public comments in advance of the workshop, which are due August 21. It wants to hear about big picture issues like “potential benefits to consumers and competition of data portability,” but also about “the potential risks to consumer privacy and how those risks might be mitigated, the potential impact of mandatory data access or data sharing on companies’ incentives to innovate, [and] how to best ensure the security of personal data that is being transmitted,” among other questions. Specifically, the FTC asks:
-
How are companies currently implementing data portability? What are the different contexts in which data portability has been implemented?
-
What have been the benefits and costs of data portability? What are the benefits and costs of achieving data portability through regulation?
-
To what extent has data portability increased or decreased competition?
-
Are there research studies, surveys, or other information on the impact of data portability on consumer autonomy and trust?
-
Does data portability work better in some contexts than others (e.g., banking, health, social media)? Does it work better for particular types of information over others (e.g., information the consumer provides to the business vs. all information the business has about the consumer, information about the consumer alone vs. information that implicates others such as photos of multiple people, comment threads)?
-
Who should be responsible for the security of personal data in transit between businesses? Should there be data security standards for transmitting personal data between businesses? Who should develop these standards?
-
How do companies verify the identity of the requesting consumer before transmitting their information to another company?
-
How can interoperability among services best be achieved? What are the costs of interoperability? Who should be responsible for achieving interoperability?
-
What lessons and best practices can be learned from the implementation of the data portability requirements in the GDPR and CCPA? Has the implementation of these requirements affected competition and, if so, in what ways?
Numerous interests will want to share their views with the FTC, particularly if the FTC can help shape future legislative discussions and debates in state legislatures and at the federal level. The FTC will be expecting real world examples and data. Our team has worked with the FTC on numerous similar efforts and the most effective participation is detailed and proactive. Some of the detailed questions they ask may implicate proprietary information or sensitive planning considerations. Some companies may be better positioned to provide information through their trade associations or a coalition. There is a critical role for nuanced discussion of the complex issues around broad data portability proposals that should be addressed.
As with many FTC workshops, the agency may not be poised to take immediate action, but efforts like this often generate reports and guidance that have a long shelf life and are used by policymakers to formulate decisions in the future. And, if there is a change in FTC leadership as a result of upcoming elections, the record that the FTC builds in this proceeding could be used in unexpected regulatory ways.