Stakeholders Weigh In as the FTC Tackles Data Portability at Upcoming Workshop
On September 22, the Federal Trade Commission (FTC or Commission) will host a workshop focused on data portability. As the Commission has broadly described it: “Data portability refers to the ability of consumers to move data – such as, emails, contacts, calendars, financial information, health information, favorites, friends or content posted on social media – from one service to another or to themselves.”
When the FTC announced the Data To Go workshop this spring, it sought comment on a wide range of topics including privacy, security, and competition issues. Various stakeholders—across multiple sectors, and representing industry, government, academia, and consumer groups—have now filed comments in advance of the workshop. The comments, along with an agenda that will feature panels on reconciling the benefits and risks of data portability and dealing with material challenges and solutions, point to a robust and multi-faceted discussion that will shape how the FTC approaches data portability going forward.
Various Stakeholders Detailed Data Portability Complexities.
Several key themes emerged from comments filed in advance of the FTC’s Data To Go workshop.
First, commenters noted that, while it is being debated from a policy perspective, some level of data portability is already prevalent in practice. Large technology platforms noted that voluntary data portability efforts and tools have been established. The U.S. Chamber wrote that, “[p]ortability is [p]revalent, [c]onsumer [o]riented & [l]argely [m]arket [d]riven,” explaining that “portability as a goal is often already achieved.” Additionally, stakeholders from specific sectors weighed in, describing the data portability offerings in the financial services, utilities, and health care sectors. For example, a financial services sector commenter noted that “data portability has become central to the functioning of a broad range of products and services” in that sector. A non-profit dedicated to advancing data portability in the energy sector described the portability landscape with respect to utilities, and representatives from the healthcare sector detailed data portability efforts in that space.
Second, stakeholders discussed the benefits and challenges associated with data portability. The highlighted benefits were varied, including increased consumer control and choice related to personal data. In terms of challenges, commenters noted that security concerns must be addressed. The Arizona Attorney General noted the need to protect data from unauthorized access and discussed potential solutions, including industry-developed platforms for safe data transmission, as well as data security standards. Notably, the IEEE Standards Association—“a globally recognized standards-setting body within IEEE”—called for “open, global data security standards for transmitting personal data between businesses to help enable the transmission of data in a structured, commonly used machine readable format, and for secure methods to transmit personal data.” Such proposals may portend more granular future regulation of portability rights and obligations.
Third, commenters pointed to lessons learned from the EU’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). In this respect, the U.S. Chamber flagged “an array of operational issues” companies have faced. The Entertainment Software Association discussed its members’ experiences with requirements under those laws, concluding that “any such requirements must be flexible to account for the wide variety of contexts, including video games, in which consumers may exercise these rights . . . and be tailored to what is technologically feasible,” among other things. And the American Bar Association Antitrust Law Section identified “several challenges to complying [with] GDPR and CCPA, including technical challenges . . . and compliance costs and burdens,” which are “particularly difficult for smaller and medium-sized companies.”
Fourth, commenters discussed the competition issues surrounding data portability. Several commenters touted benefits to innovation and competition that would be associated with portability, particularly in specific sectors like financial services. Others argued that broad portability requirements may have anti-competitive effects, or that it was too early to know how broad portability rights would impact competition. The American Bar Association Antitrust Law Section, for example, provided its view that “[e]mpirical studies of the effect of data portability on competition are limited and relate primarily to the possible effect on innovation, an important component of competition. More research is needed before any policy recommendations are made.”
Fifth and finally, commenters encouraged the FTC to work with agencies across the government—as well as with innovative efforts driven by the private sector—to tackle this complex policy issue. The FTC has highlighted various related efforts underway, from financial services and healthcare policy initiatives to the multi-party Data Transfer Project to enable some levels of data portability. The comments encouraged the FTC to expand these efforts. Indeed, in the financial services sector, a commenter wrote that “[t]he FTC is well positioned to align its objectives with those of other federal financial regulators who seek to enhance consumer outcomes by ensuring consumers have full access to their financial data, and feel secure by working with trusted companies to move their data as they wish.” Others promoted “innovative approaches like . . . data mobility sandboxes,” which can “bring together a variety of stakeholders in agile partnerships and help to quickly push the boundaries of existing policy and product thinking on data portability under the supervision of expert regulatory and non-governmental observers.”
What Will Be the FTC’s Role?
The FTC sits at the center of the federal privacy debate, though on the issue of data portability, the agency’s role is still to be determined. While it prepares its own report on the privacy and security hearings it held last year, the Commission has called for Congress to pass federal privacy legislation. Absent Congressional activity on comprehensive federal privacy legislation, which has been marked by fits and starts, the agency possesses limited ability to mandate any sort of data portability. But its recommendations can carry outsized weight in evolving policy debates.
In previous remarks, Chairman Simons and Commissioner Phillips have made clear that Congress—not the FTC—should be making the “difficult value judgments and tradeoffs” in developing a federal approach to privacy. But if Congress does not act, would the FTC go further? Other Commissioners have indicated a desire to shift away from the traditional “notice and choice” framework and to focus on more substantive rules about data use. Whether data portability issues will be on the agenda remains to be seen, but stakeholders should consider this workshop as a potential first step to further FTC activity in this area.