On September 22nd, the Federal Trade Commission (FTC) hosted an event, “Data To Go: An FTC Workshop on Data Portability,” to examine the potential benefits and challenges to consumers and competition raised by data portability. Data portability means giving consumers the ability to receive a copy of their data for their own use or to move the data to another entity or service.

The workshop did not focus on any specific policy proposals or legislation, but the FTC expressed a desire to begin discussions as issues associated with data portability continue to evolve.  The FTC noted that in addition to providing benefits to consumers, data portability may benefit competition by allowing new entrants to access data they otherwise would not have so that they can grow competing platforms and services.  At the same time, the FTC recognizes that there may be challenges to implementing or requiring data portability.

During the workshop, FTC staff discussed several examples of existing data portability laws and regulations, such as the right to data portability under Article 20 of the European Union’s General Data Protection Regulation (GDPR) and the right for consumers to make requests for portable data under the California Consumer Privacy Act (CCPA). The FTC noted that other countries have taken different approaches, such as India’s and the United Kingdom’s data portability regulations, which are narrowly tailored to address only the health and financial services sectors.

The panelists of the workshop highlighted a variety of issues and considerations for data portability. From an information security perspective, the panelists discussed how businesses would need to ensure they could verify the identity of the consumer before completing a transfer of data to prevent unauthorized actors from stealing people’s data. From a privacy perspective, the panelists discussed how users should be fully informed about the data they are receiving, to whom they can transfer their data, and how a new entity or service may use the information they are given by the consumer.

Additionally, from an operational perspective, the panelists remarked that the data provided to consumers would need to be interoperable between different systems. In one example discussed by the panelists, if consumers receive their data and are not able to give their information to another entity or use their data with other systems, then the ability to port the data loses its effectiveness. The panelists called for businesses or the government to implement some form of standardization so that the data would remain useful to consumers. Some panelists called for a federal privacy and security law that would set protection standards for businesses with regard to data portability.

The FTC is not the only government agency exploring the concept of data portability. The Consumer Financial Protection Bureau (CFPB) recently announced a potential rulemaking under the Dodd-Frank Act Section 1033, which authorizes the CFPB to create rules enhancing consumers’ access to their financial data. The CFPB is asking for comments on issues similar to those discussed during the FTC workshop on data portability, such as privacy, security, effective consumer control over data access, and accountability for errors and any unauthorized access.