The Federal Trade Commission Tuesday will assess its role in overseeing how companies including
The FTC is holding a workshop that includes speakers from government, academia,
“The FTC is feeling its way through what this should look like,” said Megan Brown, a tech-focused partner at law firm Wiley Rein LLP.
EU citizens have the right to data portability under the bloc’s General Data Protection Regulation. That prompted some companies to revamp their data export tools, though it remains to be seen how European nations will enforce portability rights.
The California Consumer Privacy Act, which state regulators began enforcing in July, allows for portability. The statute, however, lacks details as to how the data transfers should work.
Tech companies are responding to the EU and California laws by creating a structure to enable the transfers. Facebook lets users move photos and videos to Dropbox or Koofr, after earlier enabling transfers to Google Photos.
Google has its own portability tool called Takeout that lets users download a copy of their data, averaging more than two million exports per month, according to a company blog post Monday. Users can also transfer Google photos directly to Flickr and
Building connections between these and other platforms appeals to users who want to seamlessly move data. The companies are also responding to activists and governments, who view so-called data portability as a way to encourage competition by loosening the hold large tech companies have on user data.
“There’s consternation about big tech platforms having too much control over our lives,” said Justin Brookman, a former FTC official who now directs consumer privacy and technology policy for the nonprofit Consumer Reports. “The idea of introducing competition by making it easier to leave a platform and go to competing services has some appeal to it.”
Aside from its role as a competition authority, the commission may be able to use its consumer protection powers to ensure privacy of data in the transfer process. One potential avenue is Section 5 of the FTC Act, which bars unfair and deceptive practices. The agency uses this section to enforce corporate promises to safeguard consumer data.
Companies without a reliable way to authenticate users’ identity could leave their data vulnerable to cyber attackers in search of sensitive information.
“Privacy and security is a really important obstacle to overcome to make sure any frameworks for data portability are effective,” said Hodan Omaar, a policy analyst at the Center for Data Innovation.
The center, in its comments to the FTC, said the commission should focus any requirements for data portability on industries like health care or financial services, where there’s a clear consumer benefit.
Tech companies are developing standards for letting data flow between services. Facebook and Google have teamed up with
The initiative is “one of many pieces needed for data portability,” Bennett Cyphers, a staff technologist at the nonprofit Electronic Frontier Foundation, said. Governments, however, still need to regulate the transfers, he said.
There’s been “little guidance” so far from policymakers and regulators about what’s expected from platforms making the transfers, Facebook said in comments to the FTC ahead of the workshop. More clarity is needed so that users can trust their data will be handled responsibly, the company told the agency. Congress should enact legislation, the company said.
A bipartisan bill proposed in the Senate last October, known as the Access Act, would require large tech platforms to make user data portable and their services interoperable. Facebook hasn’t formally endorsed the bill (S. 2658) from Democrats Mark Warner (Va.) and Richard Blumenthal (Conn.) and Republican Josh Hawley (Mo.), though the company called it “a good first step.”
Even without federal portability rules, California’s consumer privacy protections could make the practice more mainstream. Most companies are applying the state’s approach to all their customers, not just those in California, according to a recent survey from Truyo.
California’s consumer privacy regulations mention portability but don’t specify how data should be sent to users—only that it should be done over a secure self-service portal.
“The devil is in the details,” said Kristin Madigan, a former FTC attorney who’s now a partner at Crowell & Moring LLP.
The FTC’s workshop will also explore data portability regimes in the health and financial sectors, with one panel speaker from the U.S. Department of Health and Human Services. Earlier this year, the department finalized rules that give patients the ability to obtain their health records and use them in third-party apps. The Consumer Financial Protection Bureau is also working on new rules for consumers to authorize third-party access to their financial records under the Dodd-Frank Wall Street Reform and Consumer Protection Act.
“The FTC should coordinate its efforts with other regulators to ensure that consumers remain at the center of financial data sharing and reap the benefits of data portability,” according to a pre-workshop comment from Plaid Inc. The company has built data-sharing networks across more than 11,000 banks and 2,900 fintech firms.
Otherwise, companies could gain access to a competitor’s information through the “back door” of data portability, Walmart told the FTC.
Social media sites face another challenge in determining whether a user should be able to take data on their friends to another service.
“It’s a very complicated issue,” Madigan said. “You can see why the FTC wants to devote an entire day to this.”