The next topic in the blog series on the new proposed EU data legislation looks at the area of ‘Data Portability’. Firstly let me clarify what that phrase means. The DataPortability Working Group defines it as “the option to share or move your personal data between trusted applications and vendors” – it’s really about the ability for people to be able to control their identity, media and other forms of personal data. You want to leave Facebook and use Google + but what about all those photos, the places that you checked in, data portability means there should be an easy way to move all this data.
As we increasingly put more of our lives online, we are putting that data at risk. After all who knows if those companies will be around in 5, 20 or 50 years and so it is possible that chunks of your online self could disappear, or the converse when those photos of your 21st birthday remain in a system you haven’t used in 15 years, which is where data portability’s legislative cousin ‘right to be forgotten’ comes into play.
I have a fundamental belief in privacy and transparency around personal data use and will always support the rights of the consumer to control their own data. It is your data, your persona, the challenge is to balance those noble principles with legislation that does not create a legal and regulatory environment that stifles the next Facebook or Flickr, by introducing solutions to problems that market ingenuity would be better placed to develop.
With my commercial practitioner’s hat on, there seems to be two main areas where I believe that the draft Data Protectuion Regulation needs to be more carefully understood.
The first of is the cost to business. A case study in the DMA’s Response to Ministry of Justice Call for Evidence on the EU Data Protection Regulation, (link here) , shows that for a data services provider to the retail sector the costs to implement data portability and right to be forgotten could be up to £100,000 for one off system development. In an already fragile economic climate is this additional burden really needed or helpful?
The second area is in the draft Regulation’s desire to try and set technical standards that would underpin the interoperability of systems. FEDMA (Federation of European Direct and Interactive Marketing Associations) believes that Article 12 (b) of the existing European Data Protection Directive (95/46/EC)) already covers this area in a technology neutral manner. Again, do we need more rigid legislation? After all it may be a surprise to some that since 2010 you can take all your data from Facebook using the ‘download your information’ function under account settings.Is it not in the commercial interests of other social network service providers to be able to make it as easy as possible for people to join their service and take in the data downloaded from Facebook? And to do that in innovative ways legislation would never be able to dictate?
The consumers’ right to control their personal data is already enshrined in the existing Data Protection Directive so the question to me is do we need to augment this with a more prescriptive approach? This Regulation could shape our industry for the next decade and so this is your opportunity to get across your perspective and be a part of the debate. I would encourage you all to comment here or reach out to an Email Marketing Council member or the DMA Legal Team, firstname.lastname@example.org..