Data Portability between Online Services: An Empirical Analysis on the Effectiveness of GDPR Art. 20

Abstract Data portability regulation has promised that individuals will be easily able to transfer their personal data between online service providers. Yet, after more than two years of an active privacy regulation regime in the European Union, this promise is far from being fulfilled. Given the lack of a functioning infrastructure for direct data portability between multiple providers, we investigate in our study how easily an individual could currently make use of an indirect data transfer between providers. We define such porting as a two-step transfer: firstly, requesting a data export from one provider, followed secondly by the import of the obtained data to another provider. To answer this question, we examine the data export practices of 182 online services, including the top one hundred visited websites in Germany according to the Alexa ranking, as well as their data import capabilities. Our main results show that high-ranking services, which primarily represent incumbents of key online markets, provide significantly larger data export scope and increased import possibilities than their lower-ranking competitors. Moreover, they establish more thorough authentication of individuals before export. These first empirical results challenge the theoretical literature on data portability, according to which, it would be expected that incumbents only complied with the minimal possible export scope in order to not lose exclusive consumer data to market competitors free-of-charge. We attribute the practices of incumbents observed in our study to the absence of an infrastructure realizing direct data portability.

[1]  Kassem Fawaz,et al.  The Privacy Policy Landscape After the GDPR , 2018, Proc. Priv. Enhancing Technol..

[2]  Norbert Pohlmann,et al.  A Study on Subject Data Access in Online Advertising After the GDPR , 2019, DPM/CBT@ESORICS.

[3]  Gianclaudio Malgieri,et al.  Property and (Intellectual) Ownership of Consumers’ Information: A New Taxonomy for Personal Data , 2016 .

[4]  B. Caillaud,et al.  Chicken & Egg: Competition Among Intermediation Service Providers , 2003 .

[5]  Peng Liu,et al.  An Empirical Study of Web Vulnerability Discovery Ecosystems , 2015, CCS.

[6]  P. Valcke,et al.  Putting the Right to Data Portability into a Competition Law Perspective , 2013 .

[7]  H. D. Vries Data Protection: Laws of the World (losbladig) , 2009 .

[8]  Wing Man Wynne Lam,et al.  Does data portability facilitate entry? , 2020, International Journal of Industrial Organization.

[9]  Peter P. Swire,et al.  Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique , 2013 .

[10]  P. Klemperer Markets with consumer switching costs , 1986 .

[11]  Christopher Tonetti,et al.  Nonrivalry and the Economics of Data , 2019, American Economic Review.

[12]  Christina Gloeckner,et al.  Modern Applied Statistics With S , 2003 .

[13]  Cédric Argenton,et al.  Search Engine Competition with Network Externalities , 2011 .

[14]  Michael Wohlfarth,et al.  Data Portability on the Internet , 2019, Bus. Inf. Syst. Eng..

[15]  Sarah Spiekermann,et al.  Towards a value theory for personal data , 2017, J. Inf. Technol..

[16]  J. Krämer Personal Data Portability In The Platform Economy: Economic Implications And Policy Recommendations , 2020 .

[17]  Inge Graef,et al.  Data Portability and Data Control: Lessons for an Emerging Concept in EU Law , 2018 .

[18]  Ola Henfridsson,et al.  Introduction - Platforms and Infrastructures in the Digital Age , 2018, Inf. Syst. Res..

[19]  Johann Kranz,et al.  Stimulating Economic Growth by Unlocking the Nonrival Potential of Data - Review, Synthesis and Directions for Future Research , 2020 .

[20]  Matt Bishop,et al.  The Art and Science of Computer Security , 2002 .

[21]  R. Liberman,et al.  The token economy. , 2000, The American journal of psychiatry.

[22]  Dear Mr Sotiropoulos ARTICLE 29 Data Protection Working Party , 2013 .

[23]  M. Porter The five competitive forces that shape strategy. , 2008, Harvard business review.

[24]  Jacob Leon Kröger,et al.  How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps , 2020, ARES.

[25]  Dick Hardt,et al.  The OAuth 2.0 Authorization Framework , 2012, RFC.

[26]  Gianclaudio Malgieri,et al.  The right to data portability in the GDPR: Towards user-centric interoperability of digital services , 2017, Comput. Law Secur. Rev..

[27]  Leonie Maria Tanczer,et al.  The exercisability of the right to data portability in the emerging Internet of Things (IoT) environment , 2020 .

[28]  C. Hoofnagle,et al.  Consumer Information Sharing: Where the Sun Still Don't Shine , 2007 .

[29]  J. Krämer,et al.  Data portability, data disclosure and data-induced switching costs: Some unintended consequences of the General Data Protection Regulation , 2019, Economics Letters.

[30]  Johann Kranz,et al.  Consent Notices and the Willingness-to-Sell Observational Data: Evidence from User Reactions in the Field , 2021, ECIS.

[31]  Aleecia M. McDonald,et al.  Access Denied! Contrasting Data Access in the United States and Ireland , 2016, Proc. Priv. Enhancing Technol..

[32]  Wim Lamotte,et al.  Personal Information Leakage by Abusing the GDPR 'Right of Access' , 2019, SOUPS @ USENIX Security Symposium.

[33]  Inge Graef,et al.  Mandating portability and interoperability in online social networks , 2015 .

[34]  Tyler Moore,et al.  Economic Tussles in Federated Identity Management , 2012, WEIS.

[35]  Tristan Henderson,et al.  The right to data portability in practice: exploring the implications of the technologically neutral GDPR , 2019, International Data Privacy Law.

[36]  Shoshana Zuboff,et al.  Big other: surveillance capitalism and the prospects of an information civilization , 2015, J. Inf. Technol..