Data portability could make life easier for many internet users. A right to data portability is enshrined in the GDPR, the General Data Protection Regulation, which came into force in 2018.
In the project “Awareness, Motivation and Implementation of Data Portability – Strengthening Radical and Disruptive Innovations through Improved Data Portability”, Professor Jens Großklags (Chair of Cyber Trust, TUM), Professor Johann Kranz (Chair of Internet Business and Internet Services, LMU) and Professor Susanne Mayr (Chair of Psychology with a focus on Human-Machine Interaction, University of Passau) are investigating awareness and possibilities for implementing the right to data portability. They are also developing solutions on how the concept can strengthen competition in the internet economy and data-driven innovations.
In initial surveys, you found that the right to data portability is hardly known. What is the reason for this?
Susanne Mayr: Data portability is more of a downstream right because it is only relevant if a user wants to change an online platform. So you can understand why it has not been perceived as prominently as the other rights of the GDPR. In addition, with data portability you also have to take the initiative to use it. This prevents many from making use of this right.
Is it also due to a kind of scepticism about technology, that is, because people are afraid of being overwhelmed by it?
Susanne Mayr: Absolutely. That also comes into play. But we also record so-called technology competence convictions: How capable do I think I am in dealing with technology? Do I believe, for example, that I can transfer my data from one online platform to another? Or could I do something wrong and end up being to blame if data is lost? We also want to find out to what extent this self-assessment is connected with other factors, for example with the knowledge of one’s own possibilities: For example, does someone who generally feels more competent in dealing with technology also seek out this knowledge more strongly, i.e. is he or she better informed about the options for action with regard to data protection and data portability?
Are there already findings on whether Germans tend to consider themselves more tech-savvy?
Susanne Mayr: The data on knowledge about data portability that we have so far is based on a sample in which we could assume a rather greater familiarity with data protection-relevant topics: a young student clientele with a rather high affinity for online. Even in this sample, knowledge about user rights in general and data portability in particular was rather low. Our expectation is that knowledge about data protection and awareness of one’s own rights on the internet would be even lower in a sample representative of the German population. We have just completed the survey of such a sample, the data analysis is currently taking place, and the first results will be available soon.
Jens Großklags: Data portability consists of two independent processes: extracting the data on the first platform and then importing it again on the second platform. Of course, this could also happen in one process.
The vision of the GDPR is that data portability should be relatively easy and user-friendly. But we have not found any evidence of this.Prof. Dr. Jens Großklags To the profile
Our results so far indicate that companies interpret this right very narrowly: They make the data available and enable data export. But we have hardly found any attractive offers to import data.
In a study, you used Facebook as an example to examine how the law is being implemented. What came out of it?
Jens Großklags: Most companies that earn their money with the data of their users, which includes Facebook, do not necessarily make it easy to find the various data protection options. This is especially true for those options that help you leave the platform and export your data for it. Once you have found them on Facebook, it is not more complicated compared to other platforms. But it does take a certain degree of initiative to exercise one’s right to data portability. The participants in our study would not have come up with the idea of looking for this menu on their own. No one is pointed to it directly by the platform.
Is that so surprising? What would the platforms gain from openly communicating the right?
Jens Großklags: The first intuitive thought that the GDPR would harm companies like Facebook has not necessarily come true. There are studies according to which rather large companies could benefit from these rights that users have through the GDPR, because they simply have many more possibilities to build such mechanisms in a satisfactory way. Of course, users will leave the platform, but these big companies also have more means to attract new ones again.
This right is already an attempt to break up the winner-takes-it-all markets and to enable new competitors, start-ups, to compete with the established data giants on the basis of data portability. But this effect has not happened so far.Prof. Dr. Johann Kranz To the profile
Johann Kranz: The idea that one would switch from one network to another with one’s data under the current legal situation is unfortunately also somewhat deceptive. The GDPR only stipulates the transfer of personal data that the user has entered himself. This means that all data that has been observed by a platform, be it movement data or interactions of the user, does not fall under it. And certainly not data that allows insights into analyses and forecasts of the operators. These are protected because they are subject to intellectual property protection. Users could also not simply take their social contact information with them according to the current legal interpretation, because it is not personal data.
So would the law have to be formulated more comprehensively?
Jens Großklags: The rules on consumer protection generally lag behind the online world. They still refer to a world in which consumers can vote with their feet and switch from one company to the next relatively easily. This is much more difficult with data-related services, because a much deeper embedding of the person on the platform is carried out. Of course, it is still commendable that data portability has found its place in the GDPR. But no plan has come along with the law on how to transfer consumer protection from the traditional world to the online world.
Johann Kranz: Unfortunately, the only moment when Internet users notice the GDPR is when the consent banner pops up on websites to ask for consent for various cookies. In my opinion, the majority of users do not see the GDPR as an instrument to take back a piece of privacy. That’s why we want to use our studies to investigate the extent to which such regulatory interventions might annoy users and how they could be better designed.
Many users are tired of the issue of data protection.Prof. Dr. Susanne Mayr To the profile
Susanne Mayr: I have a certain concern that the GDPR has a rather negative image among many users. They feel annoyed by all the consent forms and have the feeling that they don’t understand them anyway. We know this from other contexts as well, because we collect a lot of data ourselves as part of our studies. The information on data protection that participants in our studies receive and have to agree to is usually not even read. Psychological research has appropriately described the phenomenon of “privacy fatigue”: Many users are tired of the topic of data protection, they feel a kind of exhaustion when the topic comes up frequently and some even react to the topic with cynicism.
How could this be solved differently?
Jens Großklags: There are no easy solutions here. But if users do not know their right, it is useless. And the same is the case if companies do not provide attractive opportunities to use it.
Johann Kranz: In the project, we first want to develop a basic understanding of how the right to data portability is perceived and implemented, in order to be able to make recommendations for action based on this.
There are various technical options and alternatives to data portability – be it approaches such as so-called personal data stores, where users themselves are responsible for managing their data and the services can access the data, or mandatory interoperability between services. Perhaps this would be a more effective solution than the approach of data portability, which becomes more difficult the deeper you go into the details, because the data structures of the platforms are very different.
Jens Großklags: The goal of our project is not to create a homogeneous online world. Our ambition is to change from the sad current state to a world in which users can exercise more control over their own data.
Prof. Dr. Jens Großklags
Chair of Cyber Trust at the Department of Informatics, Technical University of Munich
Prof. Dr. Johann Kranz
Director of the Professorship of Digital Services and Sustainability, Ludwig-Maximilians-Universität in Munich
Prof. Dr. Susanne Mayr
Professor, Chair of Psychology and Human-Machine Interaction | University of Passau