‘My Data, My Rules’ – The Right to Data Portability

Nandan Nilekani has recently made news cautioning against ‘data colonization’ by heavyweights such as Facebook and Google. He laments that data, which is otherwise a non-rival, unlimited resource, is not being shared freely, and is being put into silos. Not only does this limit its potential uses, users end up with very little control over their own data. He argues for ‘data democracy’ through a data protection law and particularly, one that gives users greater privacy, control and choice. In specific terms, Nilekani appears to be referring to the ‘right to data portability’, a recently recognized concept in the data protection lexicon.

In the course of using online services, individuals typically provide an assortment of personal data to service providers. The right to data portability allows a user to receive their data back in a format that is conducive to reuse with another service. The purpose of data portability is to promote interoperability between systems and to give greater choice and control to the user with respect to their data held by other entities. The aim is also to create a level playing field for newly established service providers that wish to take on incumbents, but are unable to do so because of the significant barriers posed by lock-in and network effects. For instance, Apple Music users could switch to a rival service without having to lose playlists, play counts, or history; or Amazon users could port purchasing history to a service that provides better recommendations; or eBay sellers to a more preferable platform without losing their reputation and ratings. Users could also port to services with more privacy friendly policies, thereby enabling an environment where services must also compete on such metrics.

The European Union’s General Data Protection Regulation (GDPR) is the first legal recognition of the right to data portability. Art. 20(1) defines the right as follows:

“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided”

Pursuant to this right, Art. 20(2) further confers the right to directly transmit personal data from one controller to another, wherever technically feasible.

The first aspect of the right to data portability allows data subjects to receive their personal data for private use. Crucially, the data must be a in a format necessarily conducive to reuse. For instance, providing copies of emails in pdf format would not be sufficient. The second aspect is the ability to transfer data directly to another controller, without hindrance.

There are certain prerequisites for the applicability of this right:

a) it applies only to personal data that the data subject ‘provided’ to the controller. This would include data explicitly provided (such as age, or address, etc., through online forms), as well as data generated and collected by the controller on account of the usage of the service. Data derived or inferred by the controller would not be within the scope of this right.

b) the processing must be pursuant to consent or a contract. Personal data processed for a task to be performed in public interest, or in the exercise of official authority is excluded.

c) the processing must be through automated means. Data in paper files would therefore not be portable.

d) the right must not adversely affect the rights and freedoms of others.

The GDPR does not come into force till May 2018, so there remain ambiguities regarding how the right to data portability may come to be implemented. For instance, there is debate about whether ‘observed data’, such as heartbeat tracking by wearables, would be portable. Even so, the right to data portability appears to be a step towards mitigating the influence data giants currently wield.

Data Portability is premised on the principle of informational self-determination, which forms the substance of the European Data Protection framework.  This concept was famously articulated in what is known as the Census decision of the German Federal Constitutional Court in 1983. The Court ruled it to be a necessary condition for the free development of one’s personality, and also an essential element of a democratic society.  The petitioners in India’s Aadhaar-PAN case also  explicitly argued that informational self-determination was a facet of Art. 21 of the Indian Constitution.

Data portability may also be considered an evolution from previously recognized rights such as the right to access and the right to erasure of personal data, both of which are present in the current Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. TRAI’s recent consultation paper on Privacy, Security and Ownership of Data in the Telecom Sector also refers to data portability as a way to empower users. The right to data portability may be an essential aspect of a robust and modern data protection framework, and India is evidently not averse to taking cues from the EU in this regard. As we (finally) begin to formulate our own data protection law, it may serve us well to evaluate which concepts may be suitably imported.

 

Advertisements

Google de-platforms Taliban Android app: Speech and Competition implications?

Written by Siddharth Manohar

About a few weeks ago, Google pulled an app from its online application marketplace the Google Play Store, which was developed by the Taliban for propagating violently extremist views and spreading hateful content. Google has stated that its reason for doing this is that the app violated its policy for Google Play Store.

Google maintains a comprehensive policy statement for any app developer who wishes to upload an app for public consumption on the Play Store. The policy, apart from setting up a policy for the Play Store as a marketplace, also places certain substantive conditions on developers using the platform to reach users.

Amongst other restrictions, one head reads ‘Hate Speech’. It says:

We don’t allow the promotion of hatred toward groups of people based on their race or ethnic origin, religion, disability, gender, age, veteran status, or sexual orientation/gender identity.

Google found the Taliban app to violate this stipulation in the Play Store policy, as confirmed by a Google spokesperson, who said that the policies are “designed to provide a great experience for users and developers. That’s why we remove apps from Google Play that violate those policies.” The app was first detected by an online intelligence group which claims to monitor extremist content on social media. It was developed to increase access to the Taliban’s online presence by presenting content in the Pashto language, which is widely spoken in the Afghan region.

The application itself of course still being available for download on a number of other regular websites, the content of its material led to its removal from a marketplace. This is an interesting application of the restriction of hateful speech, because the underlying principle in Google’s policy itself pays heed to the understanding that development and sale of apps forms a kind of free speech.

A potentially interesting debate in this area is the extent to which decisions on the contours of permissible speech can be decided by a private entity on its public platform. The age-old debate about the permissible restrictions on speech can find expression in this particular “marketplace of ideas” of Google Play Store. On one hand, there is the concern of protecting users from harmful and hateful content, speech that targets and vilifies individuals based on some factor of their identity, be it race, gender, caste, colour, or sexual orientation. On the other hand, there will also ever be the concern that the monitoring of speech by the overseeing authority becomes excessive and censors certain kinds of opinions and perspectives from entering the mainstream.

This particular situation provides an easy example in the form of an application developed by an expressly terrorist organisation. It would however still be useful to keep an eye out in the future for the kind of applications that are brought under the ambit of such policies, and the principles justifying these policies.

The question of what, if any, kind of control can be exercised over this kind of editorial power of Google over its marketplace is also a relevant one. Google can no doubt justify its editorial powers in relatively simple terms – it has explicit ownership of the entire platform and can the basis on which to allow developers onto it. However, the Play Store forms an overwhelmingly large percentage of how users access any application on a daily basis. Therefore, Google’s policies on the Play Store have a significant impact on how and whether applications are accessed by users in the context of the entire marketplace of applications and users. The policy implications of this are that the principles of Google’s Play Store policies need to be placed under the scrutiny of how it impacts the entire app development ecosystem. This is evidenced by the fact that the European Commission about a year ago pulled up Google for competition concerns regarding its Android operating system, and has also recently communicated its list of objections to Google. The variety of speech and competition concerns applicable to this context make it one to watch closely for developments of any kind for further analysis.

comin2getUlol

Image Source: ‘mammela’, Pixabay.