What is data portability?
Data portability is the ability to move data among different application, programs, computing environments or cloud services. In a cloud computing context, data portability is one part of cloud portability, which makes it possible for customers to migrate data and applications between or among cloud service providers (CSPs).
Data portability is becoming more important as an increasing number of organizations store greater quantities of data in the cloud. Of course, the requirement to move and transfer data in a portable format is not limited to cloud computing; it applies to on premises and other forms of information technology (IT) as well.
Why is portability of data important?
Data portability has become commonplace -- although not universal -- among applications designed for use on many vendors' personal computers (PCs) and servers. The same cannot yet be said for CSPs. As more organizations move data and data processing to cloud services, a lack of data portability can cause problems if, for example, customers want to move data from one cloud platform to another or change their service provider.
Different CSPs commonly have proprietary data formats, templates and related parameters that can lock users into specific platforms. Often, these formats are not standardized, making data portability difficult. According to the Institute of Electrical and Electronics Engineers (IEEE), cloud interoperability and data portability are major challenges for enterprise adoption of cloud computing services.
For consumers, data portability lets people easily coordinate the personal data they keep on multiple social networking sites. On social networking sites, such as Facebook, LinkedIn and Twitter, users can share their contacts, posts, photos, videos, sound clips and personal or professional information across the various platforms. In that way, users know their data is current and consistent, without having to modify the content on each service's site. Users can, of course, opt out of this data sharing feature if they want to show different portfolios on different services.
In 2010, Facebook improved its data portability with a feature that lets users download all their network content as a single zipped file for viewing with a browser offline. This feature helps users to keep track of their data without fear that crackers might permanently alter or destroy it. The downloading feature backs up the data so it can be easily replaced in the event of a network failure causing data loss in the cloud. If the network has an outage or some other problem, users can simply upload their backed-up data to replace the damaged network data.
Data portability provides users of social networking services with added convenience when different services allow reciprocal access to first-party data. For example, a user on Facebook may import contacts from Google's Gmail email service. In a perfect world, all social networking services would allow users to freely and easily migrate data among them. Things haven't worked out that way. Instead, services sometimes take a territorial attitude toward user data.
Without data portability, a person's data is accessible only through the platform where it is stored. Such a siloed approach to data can result in vendor lock-in, inaccessible data and even data quality issues.
What data does the data portability right apply to?
There is no standard, universal right to data portability. Where such a right exists, it's defined in regulations such as the General Data Protection Regulation (GDPR) -- the European Union's (EU) data protection and privacy law -- and the California Consumer Privacy Act (CCPA).
Generally, data portability requirements ensure individuals can easily obtain, move, copy, transfer and reuse their personal data across different services and IT environments. It's usually required that data be provided in a commonly used, machine-readable format.
In most regulations, the right of portability applies to personally identifiable information. PII is data that can identify a specific individual. Examples of PII include the following:
- name and address
- Social Security number
- passport number
- email address
- phone number
This list is not comprehensive. Some information that may not be considered PII when it is used on its own may become PII when it is combined with other information. For example, race and date of birth are not necessarily PII when used by themselves but, when used in tandem, may be so.
More on GDPR and CCPA
The implementation of the EU's General Data Protection Regulation and the California Consumer Privacy Act is forcing companies and other organizations to deal with many data management and governance issues. Learn from their experiences as detailed in these articles.
How should data be provided?
Using a common, open format to store and transfer data makes data portability simpler and easier. Open data formats improve readability of and access to data because such formats are commonplace, well documented and easy to understand. With open formats, all parties involved in the data transfer can read and use it.
Examples of interoperable formats include the following:
- XML (Extensible Markup Language). A markup language, like Hypertext Markup Language (HTML), for storing and transporting data.
- CSV (Comma-Separated Values). Plain text files that list rows of data elements, each delineated by a comma. Such files are often used for exchanging data between different applications, such as database systems, spreadsheets and contact management apps.
JSON and XML have the advantage of being self-descriptive; the tags used within the file describe the data. A CSV file will require some type of metadata -- sometimes supplied in the first row of variables -- to describe the contents of the variables in each row.
In 2018, the Data Transfer Project was launched with the goal of simplifying data portability for users wishing to move all types of data among online service providers. The goal of the project is to create open source tools to move data using an application programming interface (API). Members of the Data Transfer Project include Apple, Facebook, Google, Microsoft and Twitter. As an example of this project's work, Facebook developed its data portability tool based on its work as a member of the Data Transfer Project.
GDPR and other data portability regulations
The EU's GDPR specifies the requirements for storing, managing, protecting and transferring the personal data of EU citizens and residents. Any organization that collects personal data on EU citizens, whether or not the organization resides in the EU, must comply with GDPR. Specifically, Article 20 of the GDPR dictates that data subjects have the right to receive their personal data in a structured, commonly used, machine-readable format.
Companies that collect, handle or process data must have a data controller whose job it is to understand the portability and management requirements of personal data and manage the transfer of data in a portable format as outlined by the regulations. This approach ensures EU citizens can receive their personal data in a usable format and have the right to transmit that data to another organization's controller without hindrance from the transferring controller.
In other words, GDPR requires organizations to be able to provide personal data to the subject of that data on demand and in a useful format. It ensures the right of portability, as well as the right to erasure, where data must be deleted in a timely, secure and provable way.
The GDPR data portability rules apply to personal data, such as names and Social Security numbers. It also applies to personal data that organizations might collect as part of their relationship with the individual, such as the following:
- data collected from wearable devices;
- data from internet of things (IoT) devices;
- browsing history; and
- location data.
CCPA aims to ensure privacy rights and consumer protection for California residents. It is similar in intent to GDPR, but it does not contain the same right to data portability as enumerated in Article 20 of GDPR. Nevertheless, CCPA allows consumers to make data requests, which can be delivered by mail or electronically. If delivered electronically, the data must be portable and in a usable format.
At the federal level, a bill, known as the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act was introduced in the U.S. Senate in 2019, but it has yet to be passed into a law. Its intent is to enforce data portability requirements on social media platforms. If enacted, it would require social media sites to provide APIs "to initiate the secure transfer of user data to a user, or to a competing communications provider acting at the direction of a user, in a structured, commonly used, and machine-readable format." While not yet a law, ACCESS bears watching.
Data portability isn't the only issue organizations are dealing with when it comes to new data protection and privacy requirements. Data governance in general is facing major changes as companies adapt to the changing regulatory landscape.
Find out the steps some companies are taking to get ready for the data privacy rules of the future.