Data portability regulation has promised that individuals will be easily able to transfer their personal data between online service providers. Yet, after more than two years of an active privacy regulation regime in the European Union, this promise is far from being fulfilled. Given the lack of a functioning infrastructure for direct data portability between multiple providers, we investigate in our study how easily an individual could currently make use of an indirect data transfer between providers. We define such porting as a two-step transfer: firstly, requesting a data export from one provider, followed secondly by the import of the obtained data to another provider. To answer this question, we examine the data export practices of 182 online services, including the top one hundred visited websites in Germany according to the Alexa ranking, as well as their data import capabilities. Our main results show that high-ranking services, which primarily represent incumbents of key online markets, provide significantly larger data export scope and increased import possibilities than their lower-ranking competitors. Moreover, they establish more thorough authentication of individuals before export. These first empirical results challenge the theoretical literature on data portability, according to which, it would be expected that incumbents only complied with the minimal possible export scope in order to not lose exclusive consumer data to market competitors free-of-charge. We attribute the practices of incumbents observed in our study to the absence of an infrastructure realizing direct data portability.
For almost three years, the General Data Protection Regulation (GDPR) has been granting citizens of the European Union the right to obtain personal data from companies and to transfer these data to another company. The so-called Right to Data Portability (RtDP) promises to significantly reduce switching costs for consumers in digital service markets, provided that its potential is effectively translated into reality. Thus, of all the consumer rights in the GDPR, the RtDP has the potential to be the one with the most significant implications for digital markets and privacy. However, our research shows that the RtDP is barely known among consumers and can currently only be implemented in a fragmented manner—especially with regard to the direct transfer of data between online service providers. We discuss several ways to improve the implementation of this right in the present article.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.