A massive European Union regulation going into effect next May could deliver an unexpected benefit on the other side of the Atlantic: letting you take your data from social networks that today don’t let you download what you uploaded — then move it to another network.
This “data portability” mandate is one of many key provisions in the EU’s upcoming General Data Protection Regulation, the product of a privacy-policy effort that began in 2012. And it’s also the one most likely to benefit you, even if you never cross the pond.
Data portability is good but often absent
Privacy rules traditionally stop a company from giving your data to others. But Article 20 of the GDPR’s roughly 54,000-word text says nothing about that. Instead, it requires that a company you’ve uploaded your data to give it back to you “in a structured, commonly used and machine-readable format” — that is, one that you could then move to a competing service. Other provisions require the original company to delete your old data on request.
In other words, data portability promotes privacy by removing an obstacle keeping you from taking your content and business elsewhere. It makes your contributions to a social network your property, not their hostage.
But this customer-friendly feature has seen uneven adoption since Google (GOOG, GOOGL) began adding data-portability options a decade ago and made “data liberation” (the ability to completely erase your information from a service) a formal goal in 2009.
A year later Facebook (FB) added its own download-your-data feature, though Instagram, which is owned by Facebook, lacks a comparable export function. Twitter (TWTR), meanwhile, added an option to export an archive of your tweets in 2012.
Verizon-owned Oath’s (VZ) Flickr photo-sharing site lets you download archives of albums but not all of them at once, while the Tumblr blogging service has no export option. (Verizon is Yahoo Finance’s parent company.)
Data portability and its absence have barely figured into Washington’s policy discussions, although the Obama White House did implement data-download standards at some government sites.
Enter the EU
The GDPR’s data-portability rules, however, apply to any company dealing with the data of EU residents, not just firms based in the EU. And violations of those rules can result in fines of €20 million or 4% of a company’s worldwide annual revenue, whichever is higher.
“This new portability requirement will start to level the competitive playing field amongst social media networks,” predicted Angela Saverice-Rohan, privacy leader for the Americas at Ernst & Young, LLP. “It will presumably force enhanced services for consumers and privacy policies/data usage practices that reflect what users really want, lest they exercise their newfound ability to walk away with all of their data.”
Representatives for Facebook and Oath said the firms would comply with the GDPR but didn’t say if they’d bring new data-portability mechanisms to U.S. users.
Jules Polonetsky, CEO of Future of Privacy Forum, said U.S.-based firms lacking data-portability features will provide them in the States as well as the U.K. to avoid having different products on each side of the Atlantic.
“In the past most major consumer tech companies have rolled out features globally, despite differences in US and EU law,” he wrote in an email. “Early indications are that many will continue to do so.”
Other GDPR features
The GDPR imposes dozens of other requirements on companies, but only some are likely to shape user experiences in the States.
“Expect much more granular privacy notices and changes to the end-user experience” to make sure users know what they agree to, EY’s Saverice-Rohan said, noting that these extra wrinkles “may be seen as a bit of a hassle.”
Jason Kint, CEO of Digital Content Next, wrote in an AdAge post that these rules could make the long-neglected “Do Not Track” feature in some browsers relevant. What’s more, as some companies opt for global consistency with EU standards, users should begin to demand a higher level of choice and control, Kint added.
But expect the GDPR’s “right to erasure” — the ability to get a site to delete its data about you — to get the same lack of official support in the U.S. as the “right to be forgotten” doctrine requiring search engines to stop linking to information that EU residents find embarrassing or irrelevant.
The same goes for provisions letting Europeans challenge decisions affecting them that resulted from an algorithm — in fewer words, don’t expect to make a U.S. case out of Facebook burying your witty status update. And Americans should expect no benefit from GDPR mandates for prompt disclosure of data breaches, something still largely absent from federal law here.
Conversely, the Future of Privacy Forum’s Polonetsky noted that the GDPR may lead to Europeans missing out on some services if companies decide it will be too hard to get and confirm a consumer’s consent to use them.
The big unknown is whether a generally higher privacy standard in Europe will change the debate here. Because right now, there isn’t much of one. Congress has shown little appetite for writing new privacy laws — although Republicans did rush to quash pending Federal Communications Commission broadband-privacy rules. Will they reconsider that action when they see Europe going in a different direction? I’m going to guess not.