A Right to Data Portability: Privacy and Competition Law Concerns
In his 3 February report to the Minister of Justice, the Privacy Commissioner made a number of recommendations for reform to the Privacy Act 1993. Among them was the introduction of a right to data portability.
Data portability refers to an individual’s ability to easily move their personal information from one agency to another. The right has recently been incorporated into the EU General Data Protection Regulation (GDPR), which entitles individuals to receive the personal data they have provided to an agency in a “structured, commonly used and machine-readable format”. It also entitles individuals to request that the agency transmit that information directly to another agency (which may include a competing business) where technically feasible.
Intuitively, the introduction of such a right would appear to be a positive development for the public. There is clear value for people in being able to retrieve their own information easily, and in an interoperable format. However, during consultation for the GDPR a number of less straightforward issues were raised, traversing both privacy and competition law. This article addresses the most notable of these.
Control of information
Data portability is regarded as a logical continuation of an individual’s existing right to access their personal information (Principle 6, Privacy Act 1993). In his recent report, the Commissioner argued that, without portability, an individual’s ability to meaningfully exercise that right may be rendered illusory (at page 5).
It is not merely a question of convenience. An inability to easily extract information becomes more concerning given that an agency can change the functionality of their service at any time, without consultation. A person who has stored photographs with an online service may be unexpectedly unable to use or view them as they had previously. Without data portability, those photographs may become trapped with the provider or only able to be removed in a format that is incompatible with others, making the files, in effect, useless.
However, agencies may also have legitimate reasons for wanting to retain some control over an individual’s information. That information, compiled and built upon by the agency, holds inherent value. It may be used to more effectively target advertising, to give insight into the aspects of service functionality that users particularly enjoy, or to assist in the development of new products and services according to consumer preference. In transferring the individual’s information, an agency may also be transferring important clues regarding their business, market or products to a competitor.
There is a risk that requiring data portability could increase the likelihood of a security breach, or at least increase the mischief that could result from one.
The potential for harm that could arise from a one-off security breach causing the release of, for example, an individual’s contact details, is infinitely less than that which could arise from a one-off breach causing the release of thousands of photographs, status updates, purchase histories, and “friends” lists.
To alleviate this risk and meet the existing requirement to ensure information is protected by “such security safeguards as it is reasonable in the circumstances to take” (Principle 5, Privacy Act 1993), agencies that are obliged to enable data portability may also be obliged to increase their security measures. The necessity to increase security on the one hand, but increase accessibility on the other, may create complex practical difficulties.
A person who cannot easily transfer their information from one service to another may become “locked in” to their current provider, regardless of whether they would prefer to be elsewhere. Consumer lock-in is usually associated with competition law. When the cost or inconvenience of switching providers is such that a consumer becomes willing to forego the opportunity to try a cheaper or more innovative alternative, the incentive for providers to offer competitive pricing or invest in the improvement of their products or services is reduced.
A lack of data mobility may also be an obstacle for new start-up companies who may be obliged to offer heavily discounted rates in order to compensate consumers for the difficulty or expense of making the switch.
A reduction in consumer lock-in is cited by the Commissioner as a key justification for the introduction of the right to data portability (at page 5). He draws an analogy between data portability and phone number portability, the continued regulation of which was recently described by the Commerce Commission as enabling users to switch providers, therefore removing a barrier to competition (NZCC 32 at 5).
However, while a lack of data portability may make it more difficult for consumers to switch providers, this does not amount to anti-competitive conduct, for which agencies should be penalised. Some commentators have argued that creating a “per se” lock-in remedy, ignoring factors such as a company’s position within the relevant market or the possible creation of efficiencies, means onerous obligations may be placed on companies without a consumer benefit that is strong enough to justify it.
Depending upon the scope of the obligation to make personal information readily obtainable, the costs to applicable agencies may be substantial. Some may need to rewrite existing programmes to enable such transferability. As above, there are also likely to be added security costs.
Compliance costs may disproportionately affect smaller agencies and start-ups, with larger agencies likely to be better able to comply, and willing to complain if they encounter a smaller agency that is not sufficiently meeting its obligations.
Overall, the intuitive assessment that a right to data portability would benefit the public is likely sound. However, such a right should be drafted into New Zealand law with care.
We propose that, before any amendment is made, the following be considered:
- Whether it would be appropriate for an obligation to enable data portability to extend to all agencies, or whether some should be excluded (for example, those below a certain size).
- Whether agencies should be expressly permitted to charge a reasonable fee to the individual when required to supply their information in this way.
- Which information specifically should be covered. A right that encompasses only unique personal data provided by the individual would be more manageable than a right that could encompass all material which is connected in some way to an identifiable person.
- Which formats should be regarded as sufficiently interoperable. The GDPR requirement that information be provided in a “structured, commonly used and machine-readable format” may prove unwieldy to implement, given none of those terms have been defined.
- Whether an agency should be required to transfer the information directly to a competitor, if requested, or only to the individual the information concerns.
It may be tempting to defer an amendment to our own law until the practical implications of the GDPR can be assessed. However, that does not come into effect until 2018, and in the quickly advancing “big data” world, a delay of this length may create more problems than it solves.
Kristin Wilson is a senior associate and Joanna Trezise is a solicitor at Bell Gully.
Last updated on the 31st March 2017