Wikipedia enwiki https://en.wikipedia.org/wiki/Main_Page MediaWiki 1.43.0-wmf.23 first-letter Media Special Talk User User talk Wikipedia Wikipedia talk File File talk MediaWiki MediaWiki talk Template Template talk Help Help talk Category Category talk Portal Portal talk Draft Draft talk MOS MOS talk TimedText TimedText talk Module Module talk 0 15595995 189125178 2008-02-04T22:23:52Z Djmackenzie 6021451 moved [[Data portability]] to [[DataPortability]]: This article is about the project called DataPortability, located at www.dataportability.org, not any generic concept of the 'portability' of data. 189125178 wikitext text/x-wiki #REDIRECT [[DataPortability]] fik4l4km6hl2rxje5ctkr3737oa01bp 715879443 189125178 2016-04-18T14:13:58Z Seniorexpat 12734809 to create new page about a new right 715879443 wikitext text/x-wiki phoiac9h4m842xq45sp7s6u21eteeq1 715879856 715879443 2016-04-18T14:17:00Z Seniorexpat 12734809 715879856 wikitext text/x-wiki Data portability has become a new right in the [[GDPR]]. In earlier years there was an initiative on [[DataPortability]]. qno7adneumqk0k7jbeozalr2nl53ggg 715883335 715879856 2016-04-18T14:40:14Z Seniorexpat 12734809 715883335 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} Data portability has become a new right in the [[GDPR]]. In earlier years, 2008-2009, there was an initiative with a similar name [[DataPortability]]. sjiqd0weuupl4g7sgwp5s0w9zdr8hwm 715884760 715883335 2016-04-18T14:49:40Z Seniorexpat 12734809 715884760 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} Data portability is a concept to protect users from data silos. It has become a new right in the European Union General Data Protection Regulation passed in April 2016 [[GDPR]]. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref> {{citeweb | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}} </ref> c5bidlpgl6c81tkrez1375t39xjy32w 715888496 715884760 2016-04-18T15:16:09Z Seniorexpat 12734809 715888496 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} Data portability is a concept to protect users from having their data stored in silos that are incompatible with one another, subjecting them to [[Lock-in_(decision-making)]]. It has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref> {{citeweb | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}} </ref> Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State <ref> [[European_Free_Trade_Association#EFTA_and_the_European_Union]] </ref>, there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament. <ref> Recht auf Nutzung der persönlichen Daten. Recht auf Kopie (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> sspp5rgo8iucnaybbi2vb9lvpm6hqq3 715889134 715888496 2016-04-18T15:20:09Z Seniorexpat 12734809 715889134 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} Data portability is a concept to protect users from having their data stored in silos that are incompatible with one another, subjecting them to [[Lock-in_(decision-making)]]. Data portability requires common standards to facilitate the transfer from one data controller to another. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref> {{citeweb | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}} </ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State <ref> [[European_Free_Trade_Association#EFTA_and_the_European_Union]] </ref>, there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament. <ref> "Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> == References == ko6wq1u7dsje9nrs9or9ek5o8uc4t3n 715890778 715889134 2016-04-18T15:32:25Z Seniorexpat 12734809 715890778 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} Data portability is a concept to protect users from having their data stored in silos that are incompatible with one another, subjecting them to [[Lock-in_(decision-making)]]. Data portability requires common standards to facilitate the transfer from one data controller to another. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref> {{citeweb | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}} </ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State <ref> [[European_Free_Trade_Association#EFTA_and_the_European_Union]] </ref>, there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament. <ref> "Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref> {{citeweb | title="Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data"|url=http://www.midata.coop | accessdate=April 15, 2016 }} </ref> == References == lhxljymg5bmr6jxlqufc9uoe9rd214n 715891007 715890778 2016-04-18T15:34:06Z Seniorexpat 12734809 /* European Union */ 715891007 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} Data portability is a concept to protect users from having their data stored in silos that are incompatible with one another, subjecting them to [[Lock-in_(decision-making)]]. Data portability requires common standards to facilitate the transfer from one data controller to another. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref> {{citeweb | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}} </ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State <ref> [[European_Free_Trade_Association#EFTA_and_the_European_Union]] </ref>, there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament. <ref> "Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref> {{citeweb | title="Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data"|url=http://www.midata.coop | accessdate=April 15, 2016 }} </ref> == References == jlthfgvai2t26u9gzv7y0p56ah8qykh 715896429 715891007 2016-04-18T16:15:44Z Seniorexpat 12734809 715896429 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} Data portability is a concept to protect users from having their data stored in silos that are incompatible with one another, subjecting them to [[Lock-in_(decision-making)]]. Data portability requires common [[Technical_standard]]s to facilitate the transfer from one data controller to another, thus promoting [[Interoperability]]. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref> {{citeweb | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}} </ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State <ref> [[European_Free_Trade_Association#EFTA_and_the_European_Union]] </ref>, there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament. <ref> "Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref> {{citeweb | title="Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data"|url=http://www.midata.coop | accessdate=April 15, 2016 }} </ref> == References == j66msagksepnp84zmgmjjgxrsqh1now 715988071 715896429 2016-04-19T04:51:42Z BG19bot 14508071 [[WP:CHECKWIKI]] error fix for #03. Missing Reflist. Do [[Wikipedia:GENFIXES|general fixes]] if a problem exists. - using [[Project:AWB|AWB]] (11971) 715988071 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} '''Data portability''' is a concept to protect users from having their data stored in silos that are incompatible with one another, subjecting them to [[Lock-in (decision-making)]]. Data portability requires common [[Technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[Interoperability]]. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} oft6fx8y3oyyevt15325oqy36v7mw97 715995079 715988071 2016-04-19T06:10:13Z Yobot 7328338 /* References */[[WP:CHECKWIKI]] error fixes, added [[CAT:UNCAT|uncategorised]] tag using [[Project:AWB|AWB]] (12004) 715995079 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} '''Data portability''' is a concept to protect users from having their data stored in silos that are incompatible with one another, subjecting them to [[Lock-in (decision-making)]]. Data portability requires common [[Technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[Interoperability]]. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} {{Uncategorized|date=April 2016}} su1m4eixe1igvg78oshvf5klz4ienxv 716166657 715995079 2016-04-20T09:02:12Z Seniorexpat 12734809 to add category 716166657 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} '''Data portability''' is a concept to protect users from having their data stored in silos that are incompatible with one another, subjecting them to [[Lock-in (decision-making)]]. Data portability requires common [[Technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[Interoperability]]. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} [[Category:Cross-domain_interoperability]] n3icobtccrth0g7rxq0168ljri2cfxp 716166793 716166657 2016-04-20T09:03:26Z Seniorexpat 12734809 716166793 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} '''Data portability''' is a concept to protect users from having their data stored in silos that are incompatible with one another, subjecting them to [[Lock-in (decision-making)]]. Data portability requires common [[Technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[Interoperability]]. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} [[Category:Cross-domain_interoperability]] j50aaj1fcp0yhngqj4y1cnohx66al2c 716167141 716166793 2016-04-20T09:07:43Z Seniorexpat 12734809 716167141 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} '''Data portability''' is a concept to protect users from having their data stored in silos that are incompatible with one another, subjecting them to [[Lock-in (decision-making)]]. Data portability requires common [[Technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[Interoperability]]. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] 1dgc08tb5hddqq74qskux9af0o8ye7j 716169985 716167141 2016-04-20T09:40:47Z Seniorexpat 12734809 to add more background 716169985 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[Closed_platform]]s, thus subjecting them to [[Lock-in (decision-making)]]. Data portability requires common [[Technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[Interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[Personally_identifiable_information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered consumer protection, the following related activities have emerged in the EU and Switzerland. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] f8ex8uorrcjme43qwuw4q30r80jclyt 716170162 716169985 2016-04-20T09:43:08Z Seniorexpat 12734809 716170162 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[Closed_platform]]s, thus subjecting them to [[Lock-in (decision-making)]]. Data portability requires common [[Technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[Interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[Personally_identifiable_information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[Consumer_protection]], the following related activities have emerged in the EU and Switzerland. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] nrprsdi63tkkbyz6hmkzq83jblnm97p 716170308 716170162 2016-04-20T09:44:59Z Seniorexpat 12734809 716170308 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[Closed_platform]]s, thus subjecting them to [[Lock-in (decision-making)]]. Data portability requires common [[Technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[Interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[Personally_identifiable_information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[Consumer_protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] rvzbiekuy04hc0s2bsgzw3r8u8kqh6y 717897551 716170308 2016-04-30T11:17:57Z Seniorexpat 12734809 to add EDPS 717897551 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[Closed_platform]]s, thus subjecting them to [[Lock-in (decision-making)]]. Data portability requires common [[Technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[Interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[Personally_identifiable_information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[Consumer_protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European_Data_Protection_Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data". <ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] sq6r8gqi5jttk467oulyz0swgfshdn7 731631229 717897551 2016-07-26T15:23:53Z Seniorexpat 12734809 to add official source 731631229 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[Closed_platform]]s, thus subjecting them to [[Lock-in (decision-making)]]. Data portability requires common [[Technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[Interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[Personally_identifiable_information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[Consumer_protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The Right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref> <ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European_Data_Protection_Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data". <ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] nigk4y3tady5q2v4pyia17rfjo2w7ax 744190709 731631229 2016-10-13T17:52:11Z Everdred 40044 There were some badly-formatted links to other articles 744190709 wikitext text/x-wiki {{about|Data portability (in general)|DataPortability (the project)|DataPortability}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[Closed platform|closed platforms]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[Technical standard|technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[Interoperability|interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[Personally identifiable information|personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[Consumer protection|consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The Right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref> <ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data". <ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] 3h15jha7j8m1skob5jkwg2g24kt3ld3 744191944 744190709 2016-10-13T18:00:22Z Everdred 40044 Removing disambiguation link at the top, as the link points to an article that still doesn't exist, and the project homepage seems stagnant. Once an article exists, adding the disambiguation link would make sense. 744191944 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[Closed platform|closed platforms]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[Technical standard|technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[Interoperability|interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[Personally identifiable information|personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[Consumer protection|consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The Right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref> <ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data". <ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] rj03xwv48gajcc1m7f72mq5e3ij6jnc 744204004 744191944 2016-10-13T19:20:12Z EdemarSantos 29323593 744204004 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[Closed platform|closed platforms]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[Technical standard|technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[Interoperability|interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[Personally identifiable information|personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[Consumer protection|consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The Right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref> <ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data". <ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] qmpa8mnyi3euzmm8trgueylm3kq8ozv 744292752 744204004 2016-10-14T09:48:49Z Yobot 7328338 [[WP:CHECKWIKI]] error fixes using [[Project:AWB|AWB]] (12095) 744292752 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]ss, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The Right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] abmsjeffdq56qvll1vvaq653uvd11vv 751883677 744292752 2016-11-28T09:09:50Z 193.36.32.232 751883677 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The Right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] mhnyasfo62uq65q64yigo4l97v5d05m 751886260 751883677 2016-11-28T09:29:59Z Seniorexpat 12734809 /* Switzerland */ 751886260 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The Right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] 99wyzc7laxrff25n99lkmqrnjpoz22a 751886979 751886260 2016-11-28T09:36:02Z 193.36.32.232 Added "requirements for effective data interoperability", "comparison to right of access" 751886979 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The Right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different to the right of access. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == References == {{Reflist}} [[Category:Interoperability]] brkdoq54zuvokau3nipabvb2f2dtzcv 751887218 751886979 2016-11-28T09:37:51Z Seniorexpat 12734809 /* European Union */ to add link to French discussion 751887218 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The Right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different to the right of access. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == References == {{Reflist}} [[Category:Interoperability]] 2izfv9pp7dmz1a2i8ev5jlvedtjsnag 751890017 751887218 2016-11-28T10:05:12Z Seniorexpat 12734809 to add right of explanation 751890017 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == Data portability has become a new right in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The Right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the new "right to explanation". <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> == References == {{Reflist}} [[Category:Interoperability]] g7is5i056rsv5bkfl5xt0asrwf9xpa3 752148687 751890017 2016-11-29T19:35:14Z Seniorexpat 12734809 /* European Union */ to add link to Pasquale's book 752148687 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == Data portability was included in the EU Data Protection Directive of 1995, but not much enforcement followed. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> More recently the right to data portability was confirmed in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the new "right to explanation". <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> == References == {{Reflist}} [[Category:Interoperability]] eu4e5w0ns727bxwt7vk2c8bz46vqaxl 752149250 752148687 2016-11-29T19:38:40Z Seniorexpat 12734809 /* European Union */ 752149250 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the new "right to explanation". <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> == References == {{Reflist}} [[Category:Interoperability]] 768k7xmk0tr1pyy1o11zgtiyn2y3e1t 752150618 752149250 2016-11-29T19:46:36Z Seniorexpat 12734809 /* Comparison to the right of explanation */ t o add link to Pasquale's book 752150618 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation". Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> A paper published in 2016 outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) | date= February 5, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] 4408guwz5bf13dttgea9prm8kooztwm 752277240 752150618 2016-11-30T11:51:50Z Seniorexpat 12734809 /* Comparison to the right of explanation */ to add link to Katarinou et al 752277240 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation". Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> A paper published in 2016 by Goodman / Flaxman outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ [blog entry] | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] 5lh4qpq6fyo6rdwkidzvx7crgs8j0uo 752343027 752277240 2016-11-30T19:06:41Z Mireillemoret 29786365 752343027 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation". Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. I has been discussed, however, by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and - with an eye to the upcoming General Data Protection Regulations, by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" AmsterdamDigital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be the most important right in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> A paper published in 2016 by Goodman / Flaxman outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ [blog entry] | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] 8ro82ra6qtzyb1ulqhpood79ozei8ql 752343269 752343027 2016-11-30T19:08:22Z Mireillemoret 29786365 752343269 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation". Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. It has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" AmsterdamDigital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> A paper published in 2016 by Goodman / Flaxman outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ [blog entry] | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] 6y44wfs0v22cuu39oi7f0kzfgq4qe80 752343952 752343269 2016-11-30T19:12:49Z Mireillemoret 29786365 752343952 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation" when automated decisions are made that have legal effect or significant impact on individual data subjects. This includes decisions based on [[profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. It has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" AmsterdamDigital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> A paper published in 2016 by Goodman / Flaxman outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ [blog entry] | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] ixx7e0frme6wivfz3fx1zzzu9gb69my 752344100 752343952 2016-11-30T19:13:50Z Mireillemoret 29786365 /* Comparison to the right of explanation */ 752344100 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation" when automated decisions are made that have legal effect or significant impact on individual data subjects. This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. It has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" AmsterdamDigital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> A paper published in 2016 by Goodman / Flaxman outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ [blog entry] | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] 09jtxx2bxvign5stk2qxbipsd183qu4 752448643 752344100 2016-12-01T08:49:54Z Seniorexpat 12734809 to add heading about rights under GDPR 752448643 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation" when automated decisions are made that have legal effect or significant impact on individual data subjects; see the last item in the list cited in Footnote No.8 called there the "Right to not be evaluated on the basis of automated processing". This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. It has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" AmsterdamDigital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> A paper published in 2016 by Goodman / Flaxman outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ [blog entry] | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] exosnlcacpdz7nmer2uw8iuh8adc0vf 752451677 752448643 2016-12-01T09:15:36Z Seniorexpat 12734809 /* Comparison to the right of explanation */ to add Wired link 752451677 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation" when automated decisions are made that have legal effect or significant impact on individual data subjects; see the last item in the list cited in Footnote No.8 called there the "Right to not be evaluated on the basis of automated processing". This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" AmsterdamDigital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> A paper published in 2016 by Goodman / Flaxman outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> == References == {{Reflist}} [[Category:Interoperability]] o46l83j8uq1wzhsul3qu547ds6sdc6p 752452283 752451677 2016-12-01T09:21:53Z Seniorexpat 12734809 /* Comparison to the right of explanation */ to add NYU 752452283 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation" when automated decisions are made that have legal effect or significant impact on individual data subjects; see the last item in the list cited in Footnote No.8 called there the "Right to not be evaluated on the basis of automated processing". This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" AmsterdamDigital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> A paper published in 2016 by Goodman / Flaxman outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> On November 18th 2016 at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion. <ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url= http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18 2016 | publisher=NYU}}</ref> == References == {{Reflist}} [[Category:Interoperability]] qui7e54ussgpxh93vzrxsxuyvddvfgk 752473784 752452283 2016-12-01T13:09:48Z Keith D 2278355 /* Comparison to the right of explanation */ Formatting 752473784 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation" when automated decisions are made that have legal effect or significant impact on individual data subjects; see the last item in the list cited in Footnote No.8 called there the "Right to not be evaluated on the basis of automated processing". This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" AmsterdamDigital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> A paper published in 2016 by Goodman / Flaxman outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> On November 18th 2016 at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url= http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> == References == {{Reflist}} [[Category:Interoperability]] 6nq4ijqshu2yjoujk3qbr9fossc1hmd 752680826 752473784 2016-12-02T17:50:11Z Seniorexpat 12734809 /* Comparison to the right of explanation */ to add Mittelstadt et al. 752680826 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation" when automated decisions are made that have legal effect or significant impact on individual data subjects; see the last item in the list cited in Footnote No.8 called there the "Right to not be evaluated on the basis of automated processing". This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" AmsterdamDigital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, Mittelstadt et al., maps the literature and relates it to the GDPR on pages 13-14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> On November 18th 2016 at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url= http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> == References == {{Reflist}} [[Category:Interoperability]] bc2pnu5h5yefpxuvsjkik0l02m1sli3 752682836 752680826 2016-12-02T18:06:32Z Seniorexpat 12734809 /* Comparison to the right of explanation */ to add Boyd 752682836 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation" when automated decisions are made that have legal effect or significant impact on individual data subjects; see the last item in the list cited in Footnote No.8 called there the "Right to not be evaluated on the basis of automated processing". This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" AmsterdamDigital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, Mittelstadt et al., maps the literature and relates it to the GDPR on pages 13-14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by Dana Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> == References == {{Reflist}} [[Category:Interoperability]] l2zxqkcg9992yn0or2vrc596d759774 752791310 752682836 2016-12-03T09:36:25Z Seniorexpat 12734809 /* Comparison to the right of explanation */ to add Gabel /Hickman 752791310 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, Mittelstadt et al., maps the literature and relates it to the GDPR on pages 13-14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by Dana Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> == References == {{Reflist}} [[Category:Interoperability]] rpupsa3cfdaqy8vwn81dsq40mhxw9y0 753461900 752791310 2016-12-07T08:42:12Z Seniorexpat 12734809 /* Comparison to the right of explanation */ To add Hancock 753461900 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, Mittelstadt et al., maps the literature and relates it to the GDPR on pages 13-14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by Dana Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> == References == {{Reflist}} [[Category:Interoperability]] t0ziu8h8zsek4ujtscnhe8i092dkapk 753470522 753461900 2016-12-07T10:25:24Z Seniorexpat 12734809 /* Comparison to the right of explanation */ to add DARPA program 753470522 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry. <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, Mittelstadt et al., maps the literature and relates it to the GDPR on pages 13-14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by Dana Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> == References == {{Reflist}} [[Category:Interoperability]] 1iiujlicrb6cx973xrv8egnxvdjo71q 753495720 753470522 2016-12-07T14:42:24Z Seniorexpat 12734809 /* Comparison to the right of explanation */ to add LSE 753495720 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, Mittelstadt et al., maps the literature and relates it to the GDPR on pages 13-14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by Dana Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> == References == {{Reflist}} [[Category:Interoperability]] bsu10jz889i7h7jwokq0syqmfm5ziu1 754763395 753495720 2016-12-14T10:38:36Z Seniorexpat 12734809 /* Comparison to the right of explanation */ to add IEEE 754763395 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, Mittelstadt et al., maps the literature and relates it to the GDPR on pages 13-14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by Dana Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress.<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == References == {{Reflist}} [[Category:Interoperability]] ju1s47g9zef5hr31l4bvpmmxaob3j5a 754763774 754763395 2016-12-14T10:41:35Z Seniorexpat 12734809 /* Comparison to the right of explanation */ 754763774 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The French national data supervisor CNIL is hosting a discussion. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, Mittelstadt et al., maps the literature and relates it to the GDPR on pages 13-14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by Dana Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == References == {{Reflist}} [[Category:Interoperability]] rfep920kzgv5lyc6gup2pk7cq66tz07 755118823 754763774 2016-12-16T09:31:14Z Seniorexpat 12734809 /* European Union */ to add WP29 Guidelines consultation 755118823 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017. <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: "WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, Mittelstadt et al., maps the literature and relates it to the GDPR on pages 13-14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by Dana Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == References == {{Reflist}} [[Category:Interoperability]] 7v5431f8i185fdjtp3b1u5chto0hiwa 755119407 755118823 2016-12-16T09:36:54Z Seniorexpat 12734809 /* European Union */ 755119407 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017. <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, Mittelstadt et al., maps the literature and relates it to the GDPR on pages 13-14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by Dana Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == References == {{Reflist}} [[Category:Interoperability]] 29uy2v7193m83salpdbzt7fufm3fww5 755121064 755119407 2016-12-16T09:53:33Z Seniorexpat 12734809 /* European Union */ 755121064 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017. <ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there is a trend moving in the same direction. A cooperative is proposing to have a right to data portability anchored in the constitution of the Swiss Confederation, and the proposal is being seriously considered in the parliament.<ref>"Recht auf Nutzung der persönlichen Daten. Recht auf Kopie" (Right to the Use of Personal Data. Right to [obtain] a [digital] Copy), http://www.parlament.ch/de/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20154045</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, Mittelstadt et al., maps the literature and relates it to the GDPR on pages 13-14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by Dana Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == References == {{Reflist}} [[Category:Interoperability]] hgqp15a0rqrkntqdx6ojgjp6bwukvl9 756633771 755121064 2016-12-25T19:05:58Z Seniorexpat 12734809 /* Switzerland */ to update legislative draft 756633771 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017. <ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal has not been included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016 }}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, Mittelstadt et al., maps the literature and relates it to the GDPR on pages 13-14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by Dana Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == References == {{Reflist}} [[Category:Interoperability]] p9phgvvu48xlj60bnrbtdz82qq2cl5z 761710784 756633771 2017-01-24T11:04:02Z Seniorexpat 12734809 /* Comparison to the right of explanation */ to add Wachter, Mittelstadt and Floridi 761710784 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017. <ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal has not been included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016 }}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13-14.<ref> {{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR and proposes a limited ‘right to be informed’. <ref>{{cite web |first1= Sandra | last1=Wachter | first2=Brent | last2= Mittelstadt| first3=Luciano | last3=Floridi | title= Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation | url= http://www.academia.edu/31045353/Why_a_right_to_explanation_of_automated_decision-making_does_not_exist_in_the_General_Data_Protection_Regulation |date= Jan 22, 2016 | publisher=forthcoming}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by Dana Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == References == {{Reflist}} [[Category:Interoperability]] rzihbojkw4rrd7bte02p8ot1xg2z6j7 761711513 761710784 2017-01-24T11:13:38Z 212.90.209.233 761711513 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017. <ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal has not been included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016 }}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13-14.<ref> {{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR and proposes a limited ‘right to be informed’. <ref>{{cite web |first1= Sandra | last1=Wachter | first2=Brent | last2= Mittelstadt| first3=Luciano | last3=Floridi | title= Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation | url= http://www.academia.edu/31045353/Why_a_right_to_explanation_of_automated_decision-making_does_not_exist_in_the_General_Data_Protection_Regulation |date= Jan 22, 2016 | publisher=forthcoming}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == References == {{Reflist}} [[Category:Interoperability]] oj6a1vh9g7s8zqd3exa7igppnh9kdsi 761752563 761711513 2017-01-24T17:02:45Z Seniorexpat 12734809 /* Switzerland */ to offer possible explanation for Swiss hesitation 761752563 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017. <ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016 }}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with its bilateral-treaty partners in which Swiss companies would not be held to the same standard in order to keep competition fair. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13-14.<ref> {{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR and proposes a limited ‘right to be informed’. <ref>{{cite web |first1= Sandra | last1=Wachter | first2=Brent | last2= Mittelstadt| first3=Luciano | last3=Floridi | title= Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation | url= http://www.academia.edu/31045353/Why_a_right_to_explanation_of_automated_decision-making_does_not_exist_in_the_General_Data_Protection_Regulation |date= Jan 22, 2016 | publisher=forthcoming}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == References == {{Reflist}} [[Category:Interoperability]] lmn2dkxr0e43lzseju3mb4sgxvrbfvo 761757289 761752563 2017-01-24T17:30:36Z Seniorexpat 12734809 /* Switzerland */ to characterize Swiss / EU relations 761757289 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017. <ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016 }}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13-14.<ref> {{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR and proposes a limited ‘right to be informed’. <ref>{{cite web |first1= Sandra | last1=Wachter | first2=Brent | last2= Mittelstadt| first3=Luciano | last3=Floridi | title= Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation | url= http://www.academia.edu/31045353/Why_a_right_to_explanation_of_automated_decision-making_does_not_exist_in_the_General_Data_Protection_Regulation |date= Jan 22, 2016 | publisher=forthcoming}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == References == {{Reflist}} [[Category:Interoperability]] nzb1amo4uqbgia336yp8z88sv3st7sh 761904991 761757289 2017-01-25T14:25:08Z Seniorexpat 12734809 to add See also 761904991 wikitext text/x-wiki According to [http://dataportability.org/ DataPortability Project], '''data portability''' is the ability for people to reuse their data across interoperable applications. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017. <ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016 }}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13-14.<ref> {{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR and proposes a limited ‘right to be informed’. <ref>{{cite web |first1= Sandra | last1=Wachter | first2=Brent | last2= Mittelstadt| first3=Luciano | last3=Floridi | title= Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation | url= http://www.academia.edu/31045353/Why_a_right_to_explanation_of_automated_decision-making_does_not_exist_in_the_General_Data_Protection_Regulation |date= Jan 22, 2016 | publisher=forthcoming}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] mkauimj68xbiqdjti5cqrojglhrli56 765476079 761904991 2017-02-14T16:36:27Z Eugrus 326143 probably site marketing 765476079 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017. <ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016 }}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited in Footnote No.8. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13-14.<ref> {{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR and proposes a limited ‘right to be informed’. <ref>{{cite web |first1= Sandra | last1=Wachter | first2=Brent | last2= Mittelstadt| first3=Luciano | last3=Floridi | title= Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation | url= http://www.academia.edu/31045353/Why_a_right_to_explanation_of_automated_decision-making_does_not_exist_in_the_General_Data_Protection_Regulation |date= Jan 22, 2016 | publisher=forthcoming}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] 3zknimjseyy1ppi0uza0kh1fwbbqprl 765498301 765476079 2017-02-14T19:07:41Z Seniorexpat 12734809 /* Comparison to the right of access in the EU GDPR */ 765498301 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017. <ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016 }}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=http://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13-14.<ref> {{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR and proposes a limited ‘right to be informed’. <ref>{{cite web |first1= Sandra | last1=Wachter | first2=Brent | last2= Mittelstadt| first3=Luciano | last3=Floridi | title= Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation | url= http://www.academia.edu/31045353/Why_a_right_to_explanation_of_automated_decision-making_does_not_exist_in_the_General_Data_Protection_Regulation |date= Jan 22, 2016 | publisher=forthcoming}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] io3nsd7buqvnrfizxxcvpjlr6a68mrl 768876227 765498301 2017-03-06T08:37:59Z Bender the Bot 28903366 /* Comparison to the right of explanation */HTTP&rarr;HTTPS, per [[Wikipedia:Bots/Requests for approval/Bender the Bot 8|BRFA 8]] using [[Project:AWB|AWB]] 768876227 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017. <ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016 }}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm. <ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion. <ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale; <ref> {{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC . <ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation. <ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE). <ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | url= http://ssrn.com/abstract=2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13-14.<ref> {{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR and proposes a limited ‘right to be informed’. <ref>{{cite web |first1= Sandra | last1=Wachter | first2=Brent | last2= Mittelstadt| first3=Luciano | last3=Floridi | title= Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation | url= http://www.academia.edu/31045353/Why_a_right_to_explanation_of_automated_decision-making_does_not_exist_in_the_General_Data_Protection_Regulation |date= Jan 22, 2016 | publisher=forthcoming}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings, <ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework. <ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7th 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd. <ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] c5czr48kkai22kvzaev66bnlldvhvss 771002575 768876227 2017-03-18T23:04:25Z CitationCleanerBot 15270283 Cleanup SSRN links. Report bugs, errors, and suggestions at [[User talk:CitationCleanerBot]]. 771002575 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016 }}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claims this to be one of the most important transparency rights in the era of machine learning and big data. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | ssrn= 2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR and proposes a limited ‘right to be informed’.<ref>{{cite web |first1= Sandra | last1=Wachter | first2=Brent | last2= Mittelstadt| first3=Luciano | last3=Floridi | title= Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation | url= http://www.academia.edu/31045353/Why_a_right_to_explanation_of_automated_decision-making_does_not_exist_in_the_General_Data_Protection_Regulation |date= Jan 22, 2016 | publisher=forthcoming}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] iiw7r1alaeqqyv79wzf7z0usipsnkz2 775666332 771002575 2017-04-16T09:50:00Z Seniorexpat 12734809 /* Comparison to the right of explanation */ to update ref. to published version of Wachter et al. 775666332 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016 }}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt, four years later, three other well-known authors contest whether a Right to Explanation exists in the GDPR. In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | ssrn= 2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement. <ref>{{cite web | first1= Sandra |last1= Wachter | Mittelstadt | first2= Brent| last2= Mittelstadt | first3= Luciano| last3= Floridi | title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |url=https://ssrn.com/abstract=2903469 | date=December 28, 2016 | publisher=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] nmoi8am8g9v81cz2ayktistjya7i59s 775667701 775666332 2017-04-16T10:04:23Z Seniorexpat 12734809 /* Comparison to the right of explanation */ 775667701 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016 }}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | ssrn= 2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement. <ref>{{cite web | first1= Sandra |last1= Wachter | Mittelstadt | first2= Brent| last2= Mittelstadt | first3= Luciano| last3= Floridi | title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |url=https://ssrn.com/abstract=2903469 | date=December 28, 2016 | publisher=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] 7wrycuhrbk67mlutpxq78ahbgebb1fm 775667750 775667701 2017-04-16T10:04:55Z Seniorexpat 12734809 /* Comparison to the right of explanation */ 775667750 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] has opened a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> The French national data supervisor CNIL is hosting a discussion on this in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016 }}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | ssrn= 2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement. <ref>{{cite web | first1= Sandra |last1= Wachter | Mittelstadt | first2= Brent| last2= Mittelstadt | first3= Luciano| last3= Floridi | title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |url=https://ssrn.com/abstract=2903469 | date=December 28, 2016 | publisher=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] r4y1mrgwqykc744d7j8t36myainnaqh 776051596 775667750 2017-04-18T17:53:13Z Seniorexpat 12734809 /* European Union */ to add link to new guidelines just published 776051596 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL | date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016 }}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web | title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016 }}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1= Bryce |last1=Goodman | first2= Seth | last2=Flaxman | title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date= February 5, 2016 }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web | title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ | date= February 5, 2016 }}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data . Queen Mary School of Law Legal Studies Research Paper No. 247/2016 | ssrn= 2865811 | date= November 7, 2016 }}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 | publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement. <ref>{{cite web | first1= Sandra |last1= Wachter | Mittelstadt | first2= Brent| last2= Mittelstadt | first3= Luciano| last3= Floridi | title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |url=https://ssrn.com/abstract=2903469 | date=December 28, 2016 | publisher=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making | url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web | title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms | url=http://www.fatml.org/resources/principles-for-accountable-algorithms | date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web | title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems | url=http://standards.ieee.org/news/2016/ethically_aligned_design.html | date=December 13, 2016 | publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] 9ymjdjznyz3oi8jglnweftf7neb1iji 776536205 776051596 2017-04-21T16:23:04Z Quebec99 8019410 fixed references 776536205 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller." <ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14 <ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program <ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian <ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 | date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement. <ref>{{cite web | first1=Sandra |last1= Wachter | Mittelstadt | first2= Brent| last2= Mittelstadt | first3= Luciano| last3= Floridi | title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |url=https://ssrn.com/abstract=2903469 | date=December 28, 2016 | publisher=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] 2vhur0t13evww6jx9v3aztmv4g8mfw6 776536315 776536205 2017-04-21T16:23:56Z Quebec99 8019410 References after punctuation per WP:REFPUNC and WP:PAIC 776536315 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web | first1= Dimitra |last1=Kamarinou |first2= Christopher | last2= Millard | first3= Jatinder | last3= Singh | title= Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 | date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web | first1=Sandra |last1= Wachter | Mittelstadt | first2= Brent| last2= Mittelstadt | first3= Luciano| last3= Floridi | title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |url=https://ssrn.com/abstract=2903469 | date=December 28, 2016 | publisher=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] 5ykh41opgihun4qautmg2zb9g97c5cx 776536571 776536315 2017-04-21T16:26:02Z Quebec99 8019410 fixed reference 776536571 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |url=https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2865811 |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web | first1=Sandra |last1= Wachter | Mittelstadt | first2= Brent| last2= Mittelstadt | first3= Luciano| last3= Floridi | title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |url=https://ssrn.com/abstract=2903469 | date=December 28, 2016 | publisher=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] 3dcdttv4ycyw57f8n3b5dj2deewbw2l 776546545 776536571 2017-04-21T17:44:13Z Quebec99 8019410 fixed reference 776546545 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |url=https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2865811 |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |url=https://ssrn.com/abstract=2903469 |date=December 28, 2016 |publisher=SSRN |deadurl=no |accessdate=April 21, 2017}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] s8cdvwp8jrqfle3i7qhr477iym5pm93 778125237 776546545 2017-05-01T08:22:04Z StuartJMackintosh 25541872 /* Requirements for effective data interoperability */ 778125237 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by "structured, commonly used, machine-readable" [[Open standard | Open Standard]] * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |url=https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2865811 |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |url=https://ssrn.com/abstract=2903469 |date=December 28, 2016 |publisher=SSRN |deadurl=no |accessdate=April 21, 2017}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] qvblsfjefrpb7jwsi9zgwyjybwtka1u 778206527 778125237 2017-05-01T18:53:09Z Seniorexpat 12734809 /* Requirements for effective data interoperability */ punctuation 778206527 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard | Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown; they are conveniently summarized in a handbook from a legal firm.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |url=https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2865811 |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |url=https://ssrn.com/abstract=2903469 |date=December 28, 2016 |publisher=SSRN |deadurl=no |accessdate=April 21, 2017}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] 4fiqt2lbvzrkitqt6zxxs5m8rtz1rb2 784246458 778206527 2017-06-07T07:46:36Z GreenReaper 72566 /* Rights of data subjects under the European Union's new GDPR */ Remove puffery about the source. Not entirely sure the source is appropriate given it may be promoting the source. 784246458 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard | Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |url=https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2865811 |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |url=https://ssrn.com/abstract=2903469 |date=December 28, 2016 |publisher=SSRN |deadurl=no |accessdate=April 21, 2017}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] 49tlsjdmz7ladrarlm0u0rl3x6x0of5 789949529 784246458 2017-07-10T17:14:28Z Headbomb 1461430 cleanup using [[Project:AWB|AWB]] 789949529 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] k0kgt1ly9o2uh2v6psdahmuxey2tmhe 790701326 789949529 2017-07-15T14:28:29Z Mirive 22314315 /* Comparison to the right of explanation */ Expanded paper review 790701326 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale that such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] 2m7tcbutoiwwtzp8orh2fuj58fs0o4r 790701382 790701326 2017-07-15T14:29:00Z Mirive 22314315 /* Comparison to the right of explanation */ 790701382 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[Lock-in (decision-making)|lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] 20gwpw18jbdpblok5k5ebrec6o5sdv4 791436363 790701382 2017-07-20T07:41:40Z Seniorexpat 12734809 to complement lock-in 791436363 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] 0kwh398v6tjt6smxkf6ofv2iw7p6dvt 794818333 791436363 2017-08-10T06:42:10Z Seniorexpat 12734809 to add U.K 794818333 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == U.K. post-Brexit== The U.K intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance,... the introduction of a new right to data portability". <ref> {{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al. , includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] h2trr8keuym6xhfpxgu4891dxf4ewri 798947563 794818333 2017-09-04T19:04:04Z BD2412 196446 /* Comparison to the right of explanation */clean up spacing around punctuation, replaced: , → , using [[Project:AWB|AWB]] 798947563 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == U.K. post-Brexit== The U.K intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance,... the introduction of a new right to data portability". <ref> {{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an Explainable AI (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] gipu16m4xwf7cx952gut6osd5y33tyz 808380680 798947563 2017-11-02T14:49:01Z Kku 5846 /* Comparison to the right of explanation */ l 808380680 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == U.K. post-Brexit== The U.K intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance,... the introduction of a new right to data portability". <ref> {{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "right to explanation", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] ts9uuyu8qudj8ub2xw10h3x8j6fzwrf 808380744 808380680 2017-11-02T14:49:30Z Kku 5846 /* Comparison to the right of explanation */ l 808380744 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. == European Union == The right to data portability was laid down in the European Union's General Data Protection Regulation [[GDPR]] passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> == U.K. post-Brexit== The U.K intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance,... the introduction of a new right to data portability". <ref> {{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> == Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. == Requirements for effective data interoperability == It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> == See also== [[Ethics of artificial intelligence]] == References == {{Reflist}} [[Category:Interoperability]] pblcgktj3uvj4tnh2m4ot8duot3x7h3 810706115 808380744 2017-11-16T23:01:39Z Tourorist 23921701 formatting peanuts 810706115 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==U.K. post-Brexit== The U.K intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance,... the introduction of a new right to data portability". <ref> {{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases were the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] g8lw4w71wussgt4zyz8cepqj8ls81kr 813055635 810706115 2017-12-01T13:52:04Z 217.18.20.244 /* Comparison to the right of access in the EU GDPR */ corrected typo cases were -->cases where 813055635 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==U.K. post-Brexit== The U.K intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance,... the introduction of a new right to data portability". <ref> {{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=http://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] t62xdyg0611xepc1axilp22n8rucfyf 813812610 813055635 2017-12-05T10:36:34Z KolbertBot 31691822 Bot: [[User:KolbertBot|HTTP→HTTPS]] (v477) 813812610 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==U.K. post-Brexit== The U.K intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance,... the introduction of a new right to data portability". <ref> {{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=http://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] pf4rb33gy6toqoeqvcg01n9bymkr7y0 822517398 813812610 2018-01-26T20:49:33Z KolbertBot 31691822 Bot: [[User:KolbertBot|HTTP→HTTPS]] (v481) 822517398 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==U.K. post-Brexit== The U.K intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance,... the introduction of a new right to data portability". <ref> {{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing is still in progress; public comments are invited on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] h9bk1v7imthx869lap807ukqa32torc 822926811 822517398 2018-01-29T09:01:07Z Seniorexpat 12734809 to add ref. 822926811 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==U.K. post-Brexit== The U.K intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance,... the introduction of a new right to data portability". <ref> {{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] asuc1w3yn1t4cl7otrcosybmtrw346p 824506214 822926811 2018-02-07T19:32:05Z Seniorexpat 12734809 added newer paper 824506214 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term Intellectual Property Rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]], the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The Regulation will apply to data processors in countries outside the EU as well under certain circumstances. "Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller."<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref> Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their Guidelines and FAQ on the right to Data Portability contain this call for action: :"WP29 strongly encourages cooperation between industry stakeholders and trade :associations to work together on a common set of interoperable standards and :formats to deliver the requirements of the right to data portability. This :challenge has also been addressed by the [[European Interoperability Framework]] (EIF)." page 14<ref>WP29 welcomes additional comments from stakeholders. Please submit them by the end of January 2017 to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr</ref> As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor CNIL hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==U.K. post-Brexit== The U.K intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance,... the introduction of a new right to data portability". <ref> {{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242|}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] m08jkw55n7sc4skgewzngptz14tvv94 827728676 824506214 2018-02-26T11:15:00Z Mauls 492987 827728676 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{fact}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{fact}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==UK post-Brexit== The UL intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an EFTA Member State,<ref>[[European Free Trade Association#EFTA and the European Union]]</ref> there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 Dec. 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242|}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] 8lofqff6cu2s0ueqx9n63g88zqah7vu 827728780 827728676 2018-02-26T11:16:17Z Mauls 492987 /* Switzerland */ Links to other WP articles are not valid citations. 827728780 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{fact}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{fact}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==UK post-Brexit== The UL intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. For data protection issues, what is relevant is an adequacy recognition by the EU Commission.<ref>{{cite web | title= Commission decisions on the adequacy of the protection of personal data in third countries | url= http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm |date= November 24, 2016 |publisher=European Commission}}</ref> Adequacy recognition applies to relations between third-party countries (e.g. Israel, Argentina, New Zealand, Switzerland) and the European Union. ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242|}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] 0lv0yjghghdfxquloyebh6b11u17vyh 827729111 827728780 2018-02-26T11:20:34Z Mauls 492987 /* Switzerland */ Adequacy is merely one route to acceptability, and adequacy of protection doesn't necessarily imply data portability. 827729111 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{fact}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{fact}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==UK post-Brexit== The UL intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{fact}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" [[Open standard|Open Standard]]. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242|}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] 7n07g1sj69ifytl8hnn6uxgdx9f4a33 827729233 827729111 2018-02-26T11:21:48Z Mauls 492987 /* Requirements for effective data interoperability */ No mention of open standards in the definition 827729233 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{fact}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{fact}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==UK post-Brexit== The UL intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{fact}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> Here there is room only for a few rights related to data portability such as those of access and to explanation. == Comparison to the right of access in the EU GDPR == The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. == Comparison to the right of explanation == The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242|}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] cwmi6vmb7ubzy5o578g3ys4qwou7kdf 827729364 827729233 2018-02-26T11:23:42Z Mauls 492987 827729364 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{fact}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{fact}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==UK post-Brexit== The UL intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{fact}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a Right to Explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242|}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] 0j60vo63ia05my3vxl3nksmta0hdany 827729422 827729364 2018-02-26T11:24:24Z Mauls 492987 /* Data portability in relation to the right of explanation */ 827729422 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{fact}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{fact}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==UK post-Brexit== The UL intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{fact}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in Wired emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242|}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] iscytcey3ipyzkvtp0o5hsxz1c0r3g0 827729475 827729422 2018-02-26T11:24:59Z Mauls 492987 /* Data portability in relation to the right of explanation */ 827729475 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{fact}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{fact}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==UK post-Brexit== The UL intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{fact}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center EPIC .<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human." <ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242|}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and U.K. government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only 11 days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] te5gb58etm5n7p65q6prxggwcdvvuqv 827729582 827729475 2018-02-26T11:26:09Z Mauls 492987 /* Data portability in relation to the right of explanation */ 827729582 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{fact}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{fact}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==UK post-Brexit== The UL intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{fact}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242|}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] rugfcqa00ptompzmvi21pjp6afg95mz 827731305 827729582 2018-02-26T11:46:56Z AnomieBOT 7611264 Dating maintenance tags: {{Fact}} 827731305 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{fact|date=February 2018}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{fact|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==UK post-Brexit== The UL intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{fact|date=February 2018}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242|}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] 8hbyh9aq895ebjfbttjity1bumru2vz 828099593 827731305 2018-02-28T15:36:11Z Twiddlepin 10554549 Correction of obvious typo 828099593 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{fact|date=February 2018}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{fact|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> ==UK post-Brexit== The UK intends to incorporate much of the GDPR in its new legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{fact|date=February 2018}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242|}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] k6g5i2t9w2z6mkq4gptpcm28bgzuyq5 842456100 828099593 2018-05-22T15:43:10Z ViperSnake151 403055 too much EU discussion 842456100 wikitext text/x-wiki {{Globalize}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{fact|date=February 2018}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{fact|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{fact|date=February 2018}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242|}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] gt945lk3nhaviycadw4jcfhxfgcnw9l 842459088 842456100 2018-05-22T16:04:10Z AnomieBOT 7611264 Dating maintenance tags: {{Globalize}} 842459088 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their respective assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{fact|date=February 2018}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{fact|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{fact|date=February 2018}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242|}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] ki6v7whym89ev44avqkutmslh13un38 842593819 842459088 2018-05-23T12:42:12Z 84.237.216.226 842593819 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{fact|date=February 2018}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{fact|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}} </ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{fact|date=February 2018}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite web | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |url=https://arxiv.org/abs/1606.08813| date=August 31, 2016 | publisher=arXiv}}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|url=https://papers.ssrn.com/abstract=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242|}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR. <ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] s1v1vx7n4h7zbnu2rgxxepvkrd1a83a 843192435 842593819 2018-05-27T14:34:17Z CitationCleanerBot 15270283 arxivify URL / redundant url 843192435 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{citation needed|date=February 2018}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{citation needed|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{citation needed|date=February 2018}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{cite arxiv | first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |arxiv=1606.08813| date=August 31, 2016 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{cite web | first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2. |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage}}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|pages=233–242}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{cite web | first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | date= 20 November 2017 | publisher=Elsevier}}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] d3b0naujdxm0hh88r7y863o23rjlv5x 843212984 843192435 2018-05-27T17:29:18Z Citation bot 7903804 Alter: title. Add: doi, pages, issue, volume, journal. You can [[WP:UCB|use this bot]] yourself. [[WP:DBUG|Report bugs here]]. 843212984 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{citation needed|date=February 2018}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{citation needed|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).''}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{citation needed|date=February 2018}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] frukc961sc5tjj2gtjyshqs6ibvht6d 843213231 843212984 2018-05-27T17:31:15Z Headbomb 1461430 ce 843213231 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{citation needed|date=February 2018}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{citation needed|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{citation needed|date=February 2018}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite web |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite journal|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855|journal=|location=|volume=|pages=|via=SSRN}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] 1cbpjekjtlejzw1y9jjvri0jmi9d1ug 843213419 843213231 2018-05-27T17:32:51Z Headbomb 1461430 ce 843213419 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{citation needed|date=February 2018}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{citation needed|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{citation needed|date=February 2018}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite web |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] 43rgc2ruq48qq80v1nyd5qoz46z341b 843213442 843213419 2018-05-27T17:33:08Z Headbomb 1461430 ce 843213442 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{citation needed|date=February 2018}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{citation needed|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017.<ref>{{cite web | editor=Article 29 Working Party | title= Guidelines on the right to "data portability | url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 | date=December 15, 2016 | publisher=European Union}}</ref> Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} As of April 2017 new guidelines have been published [http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 here]. The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{citation needed|date=February 2018}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] jbu3sz5g6hv3512p54tpju31t95paf1 843708041 843213442 2018-05-30T22:46:59Z Loadmaster 842485 /* European Union */ Updated links 843708041 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{citation needed|date=February 2018}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{citation needed|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} As of April 2017, new guidelines have been published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{citation needed|date=February 2018}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Interoperability]] irjjveaz4v24ntsupv1cxmbxrssra45 862876362 843708041 2018-10-07T08:20:41Z Seniorexpat 12734809 /* See also */ 862876362 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. In a mixed economy, there are capitalist incentives that motivate businesses to guard their assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.{{citation needed|date=February 2018}} In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{citation needed|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} As of April 2017, new guidelines have been published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{citation needed|date=February 2018}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data_Transfer_Project]] ==References== {{Reflist}} [[Category:Interoperability]] l84npwq2qhzup5fq1t3xhlfnhwze5sq 862879646 862876362 2018-10-07T08:55:10Z Seniorexpat 12734809 Added internal link to Lessig 862879646 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Globally, there are at least three main jurisdictions where this issue is seen differently: China/India, the United States and the European Union. In a mixed economy as can be found in the second and third jurisdictions, there are capitalist incentives that motivate businesses to guard their assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights, and user consent adds more specific provisions. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.<ref>This balance between private and public is described in detail by Lawrence Lessig in his [[Free_Culture_(book)]]</ref>. In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{citation needed|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} As of April 2017, new guidelines have been published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair.{{citation needed|date=February 2018}} ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Interoperability]] 5jvkz0c3le3kfr052vz7cx1im7rmiut 862880824 862879646 2018-10-07T09:06:51Z Seniorexpat 12734809 To add link to Swiss legislation 862880824 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Globally, there are at least three main jurisdictions where this issue is seen differently: China/India, the United States and the European Union. In a mixed economy as can be found in the second and third jurisdictions, there are capitalist incentives that motivate businesses to guard their assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights, and user consent adds more specific provisions. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.<ref>This balance between private and public is described in detail by Lawrence Lessig in his [[Free_Culture_(book)]].</ref> In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{citation needed|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} As of April 2017, new guidelines have been published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Interoperability]] 4ofon4g9jpgyz0owywatn33s4cmmfvg 862933013 862880824 2018-10-07T17:21:57Z Seniorexpat 12734809 862933013 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Globally, there are at least three main jurisdictions where this issue is seen differently: China/India, the United States and the European Union. In a mixed economy as can be found in the second and third jurisdictions, there are capitalist incentives that motivate businesses to guard their assets. Governments allow businesses to protect such assets via limited-term [[intellectual property]] rights, and user consent adds more specific provisions. Even so, it often remains an ongoing task for public agencies to help overcome the urge of businesses, in this case acting as data controllers, to guard their pools of data on their customers, known as personal data or [[personally identifiable information]] too zealously.<ref>This balance between private and public is described in detail by Lawrence Lessig in his [[Free_Culture_(book)]].</ref> In the interest of promoting exchanges of data that would be beneficial to general welfare, in many cases considered [[consumer protection]],{{citation needed|date=February 2018}} the following related activities have been introduced by public-minded actors in the European Union and Switzerland. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Interoperability]] s7w5ccidnf9uf38hvdg1z9xbugsj3i6 862940121 862933013 2018-10-07T18:13:12Z Seniorexpat 12734809 To add global perspective 862940121 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying [[data ownership]] per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite web|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland, |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Interoperability]] e344z5xdm8tahy4ew4iwntcrkqqqqcd 869540647 862940121 2018-11-19T07:11:06Z Qzekrom 22251493 Add [[:Category:Digital rights]] 869540647 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying [[data ownership]] per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite web|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland, |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>Mireille Hildebrandt (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and Mireille Hildebrandt.<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] egi7qynnustaryig02kbz9bkwkto25x 869815564 869540647 2018-11-20T15:25:10Z Vycl1994 19014806 /* Data portability in relation to the right of explanation */ 869815564 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying [[data ownership]] per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite web|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland, |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the Recitals. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] iet0q1fhvrpmon7o3xo6t0y6qqd5hvv 878395506 869815564 2019-01-14T16:17:27Z Seniorexpat 12734809 /* Data portability in relation to the right of access */ Add Wikipedia-internal recital link 878395506 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying [[data ownership]] per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite web|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland, |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with the [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] o0v5w7uj2nmn1oonkfszeuxjdtplpnv 878395586 878395506 2019-01-14T16:17:54Z Seniorexpat 12734809 /* Data portability in relation to the right of access */ 878395586 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying [[data ownership]] per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite web|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland, |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the right of access; see the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] g6cg8bs4pwcvz488yit8idzmcdf98cs 881284573 878395586 2019-02-01T15:48:17Z Seniorexpat 12734809 to add internal link to Right_of_access_to_personal_data 881284573 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying [[data ownership]] per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite web|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland, |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] cnwqtedie9n44pncw4d7olbmbkw416h 882173664 881284573 2019-02-07T09:00:23Z Seniorexpat 12734809 /* Data portability in relation to the right of explanation */ To add critique 882173664 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying [[data ownership]] per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite web|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland, |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 | journal=SSRN Electronic Journal 16(1) |DOI=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a ‘Right to an Explanation’ is Probably not the Remedy you are Looking for }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] ssqgu3hyzm6s4ka4rfiwic7gl6fejk2 882572198 882173664 2019-02-10T01:05:32Z Ad Orientem 13259281 Removing link(s): [[Wikipedia:Articles for deletion/Data ownership]] closed as delete ([[WP:XFDC|XFDcloser]]) 882572198 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite web|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post, |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland, |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 | journal=SSRN Electronic Journal 16(1) |DOI=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a ‘Right to an Explanation’ is Probably not the Remedy you are Looking for }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite web | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24, |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>http://www.darpa.mil/program/explainable-artificial-intelligence</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 |url=https://dx.doi.org/10.1177/2053951716679679 |publisher=Sage| doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|url=https://doi.org/10.1093/idpl/ipx022|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | url=https://doi.org/10.1016/j.clsr.2017.10.003 | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | publisher=Elsevier| doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] hd9i5mr1be2ijaumsgowr1tti5bbxd4 884240811 882572198 2019-02-20T11:57:11Z Citation bot 7903804 Alter: template type, title. Add: title, journal, year, doi, date. Converted bare reference to cite template. Removed parameters. | You can [[WP:UCB|use this bot]] yourself. [[WP:DBUG|Report bugs here]]. | [[WP:UCB|User-activated]]. 884240811 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 | journal=SSRN Electronic Journal 16(1) |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] iel4zso77wjwrof3wb04al4s7r7288n 887197235 884240811 2019-03-11T05:11:15Z Headbomb 1461430 ce 887197235 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 | journal=SSRN Electronic Journal |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 5j0gys5lryiqk9pk82et13z85ok8hik 887197770 887197235 2019-03-11T05:16:38Z Citation bot 7903804 Add: bibcode. Removed parameters. | You can [[WP:UCB|use this bot]] yourself. [[WP:DBUG|Report bugs here]]. | [[User:Headbomb|Headbomb]] 887197770 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] f3cqc3ytfs7gbqqw45jwwjdxc0bvezb 899458986 887197770 2019-05-30T05:27:34Z 119.30.32.135 Social platform effected to Global GDPR 899458986 wikitext text/x-wiki {{Globalize|date=May 2018}}https://scontent.fdac3-1.fna.fbcdn.net/v/t1.0-9/fr/cp0/e15/q65/42619367_237895003544811_6361082238821466112_o.jpg?_nc_cat=111&efg=eyJpIjoiYiJ9&_nc_eui2=AeEybuxHpeWjRqVL0GERcPG1_xBWZZutG6S81Sen4HxhBBqY6yCSgnZwYpuVKqfz3NyojkmtXY3sJFH2pdRMonzoK3LFgFJodhpSUqPILfxxwg&_nc_ht=scontent.fdac3-1.fna&oh=83c5474a5cd4d775840d2e89dfa4cdda&oe=5D8FAA74/bd*. '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 58hifc4gsv6dxn82viim5vx6vaf2l4z 900224061 899458986 2019-06-04T07:28:43Z Hydrox 83642 Reverted edits by [[Special:Contribs/119.30.32.135|119.30.32.135]] ([[User talk:119.30.32.135|talk]]) to last version by Citation bot 887197770 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 |url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 |publisher=Bloomberg BNA}}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] f3cqc3ytfs7gbqqw45jwwjdxc0bvezb 906682997 900224061 2019-07-17T14:04:07Z InternetArchiveBot 27015025 Rescuing 1 sources and tagging 0 as dead. #IABot (v2.0beta15) 906682997 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | dead-url=yes }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. After being seriously considered in the parliament, however, the proposal was not included in the newest draft dated 21 December 2016.<ref>{{cite web | title=Revision of the Data Protection Law / Revision des DSG: Vorentwurf und begleitende Unterlagen veröffentlicht, 21. Dezember 2016 |url=http://datenrecht.ch/revision-des-dsg-vorentwurf-und-begleitende-unterlagen-veroeffentlicht/ | accessdate=December 25, 2016}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] sh50ia15tmyxog55vx3jywytdvmna6q 911547256 906682997 2019-08-19T15:49:11Z Seniorexpat 12734809 /* Switzerland */ To add law passed 911547256 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | dead-url=yes }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. A law has been passed that includes data portability. <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] ls20trakks71ypcawgpyasessf24w8x 913798577 911547256 2019-09-03T07:54:51Z Seniorexpat 12734809 To add United States/ California and Australia 913798577 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation will apply to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | dead-url=yes }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. A law has been passed that includes data portability. <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA. <ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Australia== In Australia a Consumer Data Right has been proposed. <ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] a8jakc9zl6y1ltgphtyn5hp6eoms8jd 914972741 913798577 2019-09-10T13:12:08Z Seniorexpat 12734809 /* European Union */ 914972741 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | dead-url=yes }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. A law has been passed that includes data portability. <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA. <ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Australia== In Australia a Consumer Data Right has been proposed. <ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] fk5zjq2wfn6dcfm6ivyor5ptslnz1sr 914973736 914972741 2019-09-10T13:20:46Z Seniorexpat 12734809 /* European Union */ To update German position 914973736 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | dead-url=yes }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements. <ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission ‘Competition Law 4.0’, Summary, |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. A law has been passed that includes data portability. <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA. <ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Australia== In Australia a Consumer Data Right has been proposed. <ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] hw7jgm1t7jt35pnhk803fxukh66j8uf 916262001 914973736 2019-09-17T23:39:45Z Monkbot 20483999 /* European Union */[[User:Monkbot/task 16: remove replace deprecated dead-url params|Task 16]]: replaced (1×) / removed (0×) deprecated |dead-url= and |deadurl= with |url-status=; 916262001 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements. <ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission ‘Competition Law 4.0’, Summary, |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. A law has been passed that includes data portability. <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA. <ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Australia== In Australia a Consumer Data Right has been proposed. <ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 7c7hhzg4qsn4aun9py650ejpq3tnc0p 916531538 916262001 2019-09-19T10:58:42Z Seniorexpat 12734809 /* Switzerland */ 916531538 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection. <ref> {{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data. <ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements. <ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission ‘Competition Law 4.0’, Summary, |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF). <ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. A law is in the process of being passed that includes data portability. <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity <ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA. <ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Australia== In Australia a Consumer Data Right has been proposed. <ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital_(law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at https://works.bepress.com/mireille_hildebrandt/40/</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Ethics of artificial intelligence]] * [[Data Transfer Project]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] lrscdhcls6k34fymjzwme8o42yhzs6r 917513957 916531538 2019-09-24T05:17:11Z Lotje 10434788 <ref></ref> 917513957 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission ‘Competition Law 4.0’, Summary, |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> A cooperative proposed to have a right to data portability anchored in the constitution of the Swiss Confederation. A law is in the process of being passed that includes data portability.<ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> The cooperative is called MIDATA.coop; besides proposing legislation, it will offer users a place to store their data.<ref>{{cite web |title=Das Recht auf Kopie – a Swiss-national and international movement towards digital self determination where citizens control any secondary use of their personal data|url=http://www.midata.coop | accessdate=April 15, 2016}}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] pv49333am3dmcrolrx26muevrijmear 920232383 917513957 2019-10-08T12:48:33Z Seniorexpat 12734809 /* Switzerland */ To update link to association 920232383 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission ‘Competition Law 4.0’, Summary, |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat “Recht auf Kopie” vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law is in the process of being passed that includes data portability.<ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] f4rlgddipxpbd7lefnr2sr5q243vt2w 928202544 920232383 2019-11-27T13:50:26Z Seniorexpat 12734809 /* European Union */ To add Internet Governance Forum Berlin 928202544 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 | }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url = https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 | }}</ref> <ref>{{cite web | url = https://doi.org/10.1093/idpl/ipz008 | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson | accessdate = 27 November 2019 | }}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission ‘Competition Law 4.0’, Summary, |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat “Recht auf Kopie” vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law is in the process of being passed that includes data portability.<ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] pj5bo0wkuj1mlelgu6w9dy7pu0g334v 928473192 928202544 2019-11-29T12:50:01Z Seniorexpat 12734809 /* European Union */ To add author 928473192 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 | }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url = https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 | }}</ref> <ref>{{cite web | url = https://doi.org/10.1093/idpl/ipz008 | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson | accessdate = 27 November 2019 | }}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission ‘Competition Law 4.0’, Summary, |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat “Recht auf Kopie” vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law is in the process of being passed that includes data portability.<ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 11oh46193g5r4qlbwqnw5u4e3pmm9rf 929201549 928473192 2019-12-04T08:28:28Z Seniorexpat 12734809 /* Switzerland */ To document law passed 929201549 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 | }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url = https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 | }}</ref> <ref>{{cite web | url = https://doi.org/10.1093/idpl/ipz008 | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson | accessdate = 27 November 2019 | }}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission ‘Competition Law 4.0’, Summary, |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat “Recht auf Kopie” vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l’examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 4fg1dfqrphfvcs11mklw2crj2g733pl 930299858 929201549 2019-12-11T15:15:02Z Seniorexpat 12734809 To add India 930299858 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 | }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url = https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 | }}</ref> <ref>{{cite web | url = https://doi.org/10.1093/idpl/ipz008 | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson | accessdate = 27 November 2019 | }}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission ‘Competition Law 4.0’, Summary, |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat “Recht auf Kopie” vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l’examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2018 (India)]] about to become law as section 26 in chapter VI. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite web |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |DOI= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 | publisher=Wired}}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|location=|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 4ofs5x2ufa902udf5ho709agomm76qh 930464650 930299858 2019-12-12T17:38:06Z Citation bot 7903804 Alter: url, template type, title. Add: doi. Removed URL that duplicated unique identifier. Removed accessdate with no specified URL. Removed parameters. | You can [[WP:UCB|use this bot]] yourself. [[WP:DBUG|Report bugs here]].| Activated by [[User:Nemo bis]] | via #UCB_webform 930464650 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2018 (India)]] about to become law as section 26 in chapter VI. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 6jlgqz4qoupv40jwwz6r0oic6s34eu1 930970622 930464650 2019-12-16T04:11:30Z Privschol91 38043853 Added additional references and description of relevant work in right to explanation section. Clarified contribution of two existing references. 930970622 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2018 (India)]] about to become law as section 26 in chapter VI. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. The utility of the right to explanation has been subject to scholarly debate.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed.<ref name=":0">{{Cite journal|last=Wachter|first=Sandra|last2=Mittelstadt|first2=Brent|last3=Floridi|first3=Luciano|date=2017|title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation|url=https://academic.oup.com/idpl/article-lookup/doi/10.1093/idpl/ipx005|journal=International Data Privacy Law|language=en|volume=7|issue=2|pages=76–99|doi=10.1093/idpl/ipx005|issn=2044-3994|via=}}</ref> An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes that what the GDPR actually provides is a limited ‘right to be informed’ about the general functionality of automated decision-making systems. They call for the creation of an agency to implement the transparency requirement.<ref name=":0" /> Subsequent papers by Wachter, Mittelstadt, and Russell nonetheless explore the practical requirements for good explanations (if a right to explanation were to be enforced),<ref>{{Cite journal|last=Mittelstadt|first=Brent|last2=Russell|first2=Chris|last3=Wachter|first3=Sandra|date=2019|title=Explaining Explanations in AI|url=http://doi.acm.org/10.1145/3287560.3287574|journal=Proceedings of the Conference on Fairness, Accountability, and Transparency|series=FAT* '19|location=New York, NY, USA|publisher=ACM|pages=279–288|doi=10.1145/3287560.3287574|isbn=978-1-4503-6125-5}}</ref> and propose 'counterfactual explanations' as a method to provide such explanations.<ref>{{Cite journal|last=Wachter|first=Sandra|last2=Mittelstadt|first2=Brent|last3=Russell|first3=Chris|date=2017-2018|title=Counterfactual Explanations without Opening the Black Box: Automated Decisions and the GDPR|url=https://heinonline.org/HOL/Page?handle=hein.journals/hjlt31&id=859&div=&collection=|journal=Harvard Journal of Law & Technology (Harvard JOLT)|volume=31|pages=841}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] gr3p3fuyeci1s3vgvpztzx4sq9bc74d 931018769 930970622 2019-12-16T12:26:02Z MrOllie 6908984 Reverted to revision 930464650 by [[Special:Contributions/Citation bot|Citation bot]] ([[User talk:Citation bot|talk]]): Apparent COI / selfcite ([[WP:TW|TW]]) 931018769 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2018 (India)]] about to become law as section 26 in chapter VI. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 6jlgqz4qoupv40jwwz6r0oic6s34eu1 932096903 931018769 2019-12-23T11:58:44Z Seniorexpat 12734809 /* India */ 932096903 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 9rf4ejbibopiskgphuft3sxe5fumo5f 932668201 932096903 2019-12-27T13:53:48Z Seniorexpat 12734809 To add Thailand 932668201 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Thailand== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] jykm7fs01g0t6dzjubnfq318146tp3k 932673881 932668201 2019-12-27T14:44:57Z Seniorexpat 12734809 To add controversy in Kenya 932673881 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Thailand== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ==Kenya== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] iyndog7jhxfthtr9x2odm6sy6kxjqk9 933842526 932673881 2020-01-03T09:11:33Z Seniorexpat 12734809 To add Canada 933842526 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Canada== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Thailand== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ==Kenya== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 9towblgoe9xz9bbi5zecok5fwtb0v32 937647699 933842526 2020-01-26T09:36:06Z Seniorexpat 12734809 To add Brazil 937647699 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Canada== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Brazil== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Thailand== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ==Kenya== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] oar2ckoump9kfm92bvy6dnocqy8nlxc 937649867 937647699 2020-01-26T09:59:52Z Seniorexpat 12734809 /* See also */ To link to external wiki 937649867 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents seeing the protection of digital data as a human right. Thus in an emerging civil society draft declaration one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Canada== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Brazil== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Thailand== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ==Kenya== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] dghlez47blz99zql4u9yh2uwv6i5xhe 942988910 937649867 2020-02-28T03:58:11Z MooCow1 31941103 made some grammar and wording edits 942988910 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Canada== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Brazil== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Thailand== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ==Kenya== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] h3ogpq4s130wntjc2yz9aagwhc5fzol 944623389 942988910 2020-03-08T23:13:31Z Citation bot 7903804 Alter: template type. | You can [[WP:UCB|use this bot]] yourself. [[WP:DBUG|Report bugs here]]. | Activated by [[User:AManWithNoPlan]] | All pages linked from [[User:AManWithNoPlan/sandbox2]]. 944623389 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Canada== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Brazil== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Thailand== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ==Kenya== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] qnth2biavl0z8ma7fvgbxpcged45mp7 961423605 944623389 2020-06-08T11:19:19Z Seniorexpat 12734809 /* See also */ 961423605 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Canada== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Brazil== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Thailand== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ==Kenya== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[https: General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] h4d7fk9l9m7ex87pj6c9wbkp6byflph 961423641 961423605 2020-06-08T11:19:36Z Seniorexpat 12734809 /* See also */ 961423641 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Canada== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Brazil== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Thailand== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ==Kenya== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] atj7rf7njxi4a3tv38y7gb4f8d147ho 962692626 961423641 2020-06-15T14:01:49Z Seniorexpat 12734809 /* Requirements for effective data interoperability */ to add new paper 962692626 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Canada== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Brazil== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Thailand== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ==Kenya== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] niwn0ss4mvoine5jt5jpe03y0kdc5hi 975192268 962692626 2020-08-27T08:06:03Z Seniorexpat 12734809 /* Switzerland */ to add guideline 975192268 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]]. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Canada== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Brazil== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Thailand== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ==Kenya== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 6gjf98xucgu2iyan7dcxuhfl56c8zyl 984221723 975192268 2020-10-18T22:33:02Z 79.241.207.111 Ading examples of such 984221723 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[backup (computing)|data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to export user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Canada== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Brazil== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Thailand== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ==Kenya== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] odca92ppb4gp4mtkamskq78jyo76i9p 984221879 984221723 2020-10-18T22:34:26Z 79.241.207.111 Linking [[data backup]] (→[[backup]]) 984221879 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to export user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Canada== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Brazil== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Thailand== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ==Kenya== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last=Edwards|first=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last=Selbst|first=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 5tx5gou8ck7884zj0od8mdg78btmqcq 984839705 984221879 2020-10-22T12:24:26Z Citation bot 7903804 Add: s2cid, publisher, author pars. 1-2. Removed parameters. Some additions/deletions were actually parameter name changes. | You can [[WP:UCB|use this bot]] yourself. [[WP:DBUG|Report bugs here]]. | Suggested by AManWithNoPlan | All pages linked from cached copy of User:AManWithNoPlan/sandbox3 | via #UCB_webform_linked 1670/3258 984839705 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to export user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for behavioral advertising, and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. ==European Union== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ==Switzerland== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ==United States, California== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Canada== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ==India== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ==Brazil== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ==Australia== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ==Thailand== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ==Kenya== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] tikg14zbbhq73gtjjerpgnzvvntpm4j 985090433 984839705 2020-10-23T22:03:13Z 84.147.38.121 Section structure 985090433 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to export user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 8ssce23bv1vk2m3g8ly41mahqz2t76x 985091696 985090433 2020-10-23T22:13:37Z 84.147.38.121 Data portability on online platforms 985091696 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to export user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of GDPR, [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 1z5szxqs18b9gdtum475g0k8fzo47to 985094301 985091696 2020-10-23T22:36:17Z 84.147.38.121 /* Developement */ Consumer electronics and software criticism 985094301 wikitext text/x-wiki {{Globalize|date=May 2018}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to export user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until a successful [[reverse engineering]] by third parties. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 9a6tmdybv17i7u0jy2mfkzlzp85lzur 985681596 985094301 2020-10-27T09:33:33Z 46.114.110.211 Looks like the globalization of the article [[#By_country|is already completed]]. 985681596 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to export user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until a successful [[reverse engineering]] by third parties. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] brsu09ro1t2ntt5ybp4rl4d4spdn6c6 985692296 985681596 2020-10-27T11:34:57Z 84.147.43.250 /* In consumer electronics */ On mobile devices 985692296 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to export user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s store user data in private directories which are inaccessible without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an example of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until a successful [[reverse engineering]] by third parties. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 18uxxu6plbhjmigxwaz2go94cbazd12 985698934 985692296 2020-10-27T12:42:33Z 84.147.43.250 /* In consumer electronics */ Wording, more information and sources 985698934 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to export user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s store user data in private directories which are inaccessible without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor which requires an external host computer, lacking the ability to directly export the data to a local file in a common user data directory.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until a successful [[reverse engineering]] by third parties. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] o1jmf8o9jz1savmts7njkz1in7vquy2 985703489 985698934 2020-10-27T13:23:49Z 84.147.43.250 Improved wording and linking 985703489 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in private directories which are inaccessible without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor. Such software requires an external host computer to run on, lacking the ability to directly export the data to a local file in the mobile device's common user data directory.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until a successful [[reverse engineering]] by third parties. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] nw23hp6r812b2vqn4af5y22ea9besvi 985712192 985703489 2020-10-27T14:32:43Z 84.147.43.250 /* In consumer electronics */ About cloud backups 985712192 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in private directories which are inaccessible without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferrably high internet speeds and data plan limits if used regularly. Some services may only allow moving some data between devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into files accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref> === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until a successful [[reverse engineering]] by third parties. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 352ga3wrr24sxaieuyjfkfonn1eawre 985714159 985712192 2020-10-27T14:48:37Z 84.147.43.250 /* In consumer electronics */ + example and reference 985714159 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked directories, also known as private app directories, which are inaccessible without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferrably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Another posible restraint on data portability is poor reliability, stability and performance of existing means of data transfer, as described in {{section link||Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until a successful [[reverse engineering]] by third parties. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] hven87urno6qjux7bia0p514wmr9fr1 985716110 985714159 2020-10-27T15:03:20Z 84.147.43.250 /* In consumer electronics */ Broken template repaired; another example. 985716110 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked directories, also known as private app directories, which are inaccessible without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferrably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Another posible restraint on data portability is poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until a successful [[reverse engineering]] by third parties. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 11hf62sttshxpq3dp2aeu3mvg55yt4w 985729585 985716110 2020-10-27T16:36:30Z 84.147.43.250 Wording 985729585 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked directories, also known as private app directories, which are inaccessible without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferrably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Another posible restraint on data portability is poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 5zzxrbg0u3tp0gqyl76ehg8ea8msw4l 985784341 985729585 2020-10-27T22:56:18Z 84.147.43.250 /* Mobile devices */ More about boot loader 985784341 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked directories, also known as private app directories, which are inaccessible without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferrably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Another posible restraint on data portability is poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] ocoiqrk6fp7sw96v0nq2j99mvawuh3t 987255138 985784341 2020-11-05T21:55:21Z 84.147.37.178 /* Mobile devices */ [[Scoped storage]] documented 987255138 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked directories, also known as private app directories, which are inaccessible without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferrably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further posible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] fu6zduel75dhy93o0vw91fesopap5fm 988842085 987255138 2020-11-15T15:59:50Z Woodlot 10841396 spelling 988842085 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked directories, also known as private app directories, which are inaccessible without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 8kkp2pdc2yqbviwrgc1gjemas1nai9m 991596893 988842085 2020-11-30T21:56:17Z 84.147.32.60 /* Mobile devices */+ Examples for user data 991596893 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[multimedia player]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 4cjh3jqhycpwlwebtqmu0xzrqh9gx1m 991727061 991596893 2020-12-01T14:34:32Z Rodw 125972 Disambiguating links to [[Media player]] (link changed to [[Media player software]]) using [[User:Qwertyytrewqqwerty/DisamAssist|DisamAssist]]. 991727061 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] dlnh7eumehj90z1ih61w76i22jutwma 992130238 991727061 2020-12-03T17:32:54Z Mikeblas 327592 notelist 992130238 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18. ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] fpcl4m5azyi6m8m36oflry050k0u32f 992615890 992130238 2020-12-06T06:10:51Z Sfwarriors99 40255661 /* Brazil */ 992615890 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] f6ntqnijslb34qz4nuk1pljyf1h64qj 992846114 992615890 2020-12-07T12:19:46Z 84.147.35.160 /* Mobile devices */ + Entries in [[note taking]] and [[memorandum]] software 992846114 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]]. Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 1amm6yzb16uo4dbzlm6nx6ypfu9lzjr 994168360 992846114 2020-12-14T12:16:15Z 84.147.42.228 [[grep]] searchability 994168360 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches “Data Download” tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 9egcnxgesmlsgkr0wg1i70si12soc1m 995495539 994168360 2020-12-21T10:01:14Z Citation bot 7903804 Alter: title. | You can [[WP:UCB|use this bot]] yourself. [[WP:DBUG|Report bugs here]]. | Suggested by AManWithNoPlan | All pages linked from cached copy of User:AManWithNoPlan/sandbox3 | via #UCB_webform_linked 1185/5022 995495539 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] jo39n00zswrjk2mxszupli4wujlmv16 999400785 995495539 2021-01-10T00:11:22Z Bianco93 40816654 /* Online platforms */ [[Quora]] 999400785 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Developement == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet, United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China/India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] qunhnvtwp9kt1u75pe54ccn3valaywt 1002151082 999400785 2021-01-23T02:42:32Z Mild Bill Hiccup 5202324 /* Developement */ Spelling/grammar/punctuation/typographical correction 1002151082 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a new Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] r87jp0c1m6sby75ulethwxn80ljntvr 1002151146 1002151082 2021-01-23T02:43:09Z Mild Bill Hiccup 5202324 /* United States, California */ Fixing style/layout errors 1002151146 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 9fqj7s4l59np08315257dthfkmw3frw 1026076782 1002151146 2021-05-31T07:27:33Z Seniorexpat 12734809 /* European Union */ To add new report 1026076782 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art. <ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically currently a Brexit-prone nation -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 7fc716sh0bl98d9w16d0vqdua7jih89 1036762777 1026076782 2021-08-02T15:14:36Z Seniorexpat 12734809 To add new ref. 1036762777 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art. <ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically post-Brexit -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite document | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and big data. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] osaqjlnttthliu1su9is10e7gj1w147 1045563039 1036762777 2021-09-21T06:35:18Z Kku 5846 link [bB]ig data 1045563039 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite web |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |website=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art. <ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically post-Brexit -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite document | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite journal | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | journal=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] erlzabmh1lctli6ohjv31gkci1gssry 1055502327 1045563039 2021-11-16T06:55:21Z Citation bot 7903804 Alter: template type, title. Add: date, magazine. Removed parameters. Some additions/deletions were parameter name changes. | [[WP:UCB|Use this bot]]. [[WP:DBUG|Report bugs]]. | Suggested by BrownHairedGirl | Linked from User:BrownHairedGirl/Articles_with_bare_links | #UCB_webform_linked 254/2185 1055502327 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]] and [[Instagram]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art. <ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically post-Brexit -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite document | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] mn9850dezzvoahfvnuvacshum4et53j 1065068055 1055502327 2022-01-11T17:08:28Z 87.140.12.228 /* Online platforms */ 1065068055 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and Tnder have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art. <ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically post-Brexit -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite document | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 1876nfzvga5p45f2m8tv93qlzit3llq 1065068088 1065068055 2022-01-11T17:08:42Z 87.140.12.228 /* Online platforms */ 1065068088 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and Tinder have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art. <ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically post-Brexit -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite document | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 7050jh5gkbd8wl5h7po5o9q0rwdvlxi 1065068238 1065068088 2022-01-11T17:09:39Z Axisroi 42805011 1065068238 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art. <ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically post-Brexit -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite document | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] qr2aq4s5qo32h32yhsj0kv9xctj93i8 1068427722 1065068238 2022-01-28T10:42:05Z Citation bot 7903804 Alter: template type. | [[WP:UCB|Use this bot]]. [[WP:DBUG|Report bugs]]. | Suggested by AManWithNoPlan | #UCB_webform 1163/2600 1068427722 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite journal|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art. <ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically post-Brexit -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] hznslkc4g5b2k18ei0p7wdb1cpqpoi2 1074174202 1068427722 2022-02-26T20:49:03Z Citation bot 7903804 Alter: template type. Add: isbn. | [[WP:UCB|Use this bot]]. [[WP:DBUG|Report bugs]]. | Suggested by BrownHairedGirl | Linked from User:BrownHairedGirl/Articles_with_bare_links | #UCB_webform_linked 1145/2847 1074174202 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=9789279621819}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art. <ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically post-Brexit -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] clvibzl9rvmk6do44cawwii04mrhauq 1088211487 1074174202 2022-05-16T19:22:46Z MilkMiruku 35699 Add cite to original dataportability.org project, better summary wording about interoperability 1088211487 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web|url= https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16|date=2009-07-23 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=9789279621819}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session_(computer_science)#Browser_session_management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art. <ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically. <ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK -- ironically post-Brexit -- researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }} </ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}} </ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data. <ref>http://www.midata.coop </ref> A second association has issued its guideline on the topic. <ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }} </ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter. <ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy_law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law. <ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested. <ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill. <ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref> {{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }} </ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 1nmtyjbyzpur9tyd2t2anl7x62z1o9b 1089266875 1088211487 2022-05-22T20:43:49Z BrownHairedGirl 754619 Cleanup cite template: extracted original URL from 1 ref archived at web.archive.org 1089266875 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 |url-status=dead}}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=9789279621819}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>http://www.midata.coop</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] qupgk19n1q44o1gc74zopjgb776be39 1089519839 1089266875 2022-05-24T08:20:39Z Seniorexpat 12734809 /* European Union */ Arranged paragraphs chronologically 1089519839 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 |url-status=dead}}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=9789279621819}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>http://www.midata.coop</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 29n3e2tqjspdpfryy1kbvrh9ro3gfy3 1103041516 1089519839 2022-08-08T03:34:04Z BrownHairedGirl 754619 Crudely fill 1 bare URL ref to website homepage, using title 'Home' 1103041516 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 |url-status=dead}}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=9789279621819}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] e521sbgqavwrflv1a5fv1jr36blt2tk 1119364824 1103041516 2022-11-01T05:33:49Z PeterSpalord 16448527 /* Digital video recorders */Fixed typo 1119364824 wikitext text/x-wiki '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 |url-status=dead}}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=9789279621819}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 06iglx3qzyn5e3n4phyvwigxigkacxk 1129901900 1119364824 2022-12-27T17:33:47Z Hanif Al Husaini 20566455 Importing Wikidata [[Wikipedia:Short description|short description]]: "Ability to export, back up and transfer user data to prevent vendor lock-in" 1129901900 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 |url-status=dead}}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=9789279621819}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 }}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] hux5vniwcsfmm9t8b9blb9wygr6o5gj 1136420395 1129901900 2023-01-30T06:17:43Z OAbot 28481209 [[Wikipedia:OABOT|Open access bot]]: doi added to citation with #oabot. 1136420395 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 |url-status=dead}}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20 }}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=9789279621819}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 8ufa16h30i1tqfn2u99bz6e75y5rc8q 1144594349 1136420395 2023-03-14T15:04:11Z 141.23.207.222 /* adding a part on reputation data */ 1144594349 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 |url-status=dead}}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=9789279621819}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another <ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6}}</ref> <ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z }}</ref>. This concept is becoming increasingly important in today’s interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual’s reputation should not be tied solely to a single community or platform <ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref>. Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called “cold-start” problem <ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217}}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref>, and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today’s digital landscape, and research has shown that imported reputation can serve as viable signals for building trust <ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 }}</ref> <ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 }}</ref> <ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref>. As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] tupgfctfcfintk67tqwpfs9hzdlkmm4 1145443842 1144594349 2023-03-19T05:21:02Z WikiCleanerBot 18872885 v2.05b - [[User:WikiCleanerBot#T20|Bot T20 CW#61]] - Fix errors for [[WP:WCW|CW project]] (Reference before punctuation) 1145443842 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 |url-status=dead}}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=9789279621819}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6}}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z }}</ref> This concept is becoming increasingly important in today’s interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual’s reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called “cold-start” problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217}}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today’s digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] c33s68izg8z178i6iwel085oyoy8jq6 1160603277 1145443842 2023-06-17T16:31:34Z Citation bot 7903804 Add: s2cid. | [[WP:UCB|Use this bot]]. [[WP:DBUG|Report bugs]]. | Suggested by Headbomb | Linked from Wikipedia:WikiProject_Academic_Journals/Journals_cited_by_Wikipedia/Sandbox2 | #UCB_webform_linked 211/999 1160603277 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 |url-status=dead}}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=9789279621819}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today’s interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual’s reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called “cold-start” problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217}}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today’s digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 | url-status=dead }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité : quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |accessdate=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | accessdate = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | accessdate = 27 November 2019 }}</ref> <ref>{{cite document | title = Exploring the implications of the technologically neutral GDPR. In: International Data Privacy Law, 6 Jul 2019| first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |accessdate=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | accessdate=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | accessdate=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | accessdate=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | accessdate=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | accessdate=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | accessdate=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | accessdate=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR, page 6 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | accessdate=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite journal |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite journal |accessdate=6 February 2019 |volume=16 |issue=1 |doi=10.2139/ssrn.2972855|url= https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3083277_code2070340.pdf?abstractid=2972855&mirid=1 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, “Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling”, Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite web | first=Marc | last=Rotenberg |editor= Electronic Privacy Information Center EPIC | title= [8] EPIC Book Review: 'The Black Box Society'. In: EPIC Alert, Volume 21.24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014 | publisher=EPIC}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |pages=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite document |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data. Queen Mary School of Law Legal Studies Research Paper No. 247/2016 |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | pages=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited ‘right to be informed’ instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite document|first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite document|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | pages= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] ocyyparixjssay3f7tvut29h0uhmz90 1161144153 1160603277 2023-06-20T23:00:24Z Trappist the monk 10289486 cite repair; 1161144153 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn={{Format ISBN|9789279621819}}}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217}}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite ssrn |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite ssrn |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite ssrn |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite ssrn |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 7aexk0g2brpxl6y7j9yf0m9xw7l45py 1161146109 1161144153 2023-06-20T23:20:10Z AnomieBOT 7611264 [[User:AnomieBOT/docs/TemplateSubster|Substing templates]]: {{Format ISBN}}. See [[User:AnomieBOT/docs/TemplateSubster]] for info. 1161146109 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=978-92-79-62181-9}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217}}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite ssrn |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite ssrn |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite ssrn |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite ssrn |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] o5f3a0qu3n9jobpztfh1cykzmrommc5 1166981849 1161146109 2023-07-25T00:29:15Z Citation bot 7903804 Misc citation tidying. | [[:en:WP:UCB|Use this bot]]. [[:en:WP:DBUG|Report bugs]]. | #UCB_CommandLine 1166981849 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=978-92-79-62181-9}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217}}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008}}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite SSRN |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite SSRN |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite SSRN |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite SSRN |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] cplprkeotvkfnandec4jxf5ovc6cqx0 1170222905 1166981849 2023-08-13T20:33:23Z OAbot 28481209 [[Wikipedia:OABOT|Open access bot]]: hdl added to citation with #oabot. 1170222905 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=978-92-79-62181-9}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217}}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008|hdl= 10023/23477 |hdl-access= free }}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite SSRN |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite SSRN |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite SSRN |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite SSRN |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 6770hh342gcjj25d02bh8rz34rtnnzt 1171990238 1170222905 2023-08-24T08:55:04Z OAbot 28481209 [[Wikipedia:OABOT|Open access bot]]: doi updated in citation with #oabot. 1171990238 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – United Nations Guidelines for Consumer Protection.<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=978-92-79-62181-9}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217}}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 |doi-access=free}}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008|hdl= 10023/23477 |hdl-access= free }}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite SSRN |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite SSRN |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite SSRN |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite SSRN |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] myuc1kkaxfzuydzzkwbfi632kb9zc63 1177166031 1171990238 2023-09-26T11:50:38Z Kku 5846 link [UU]nited Nations Guidelines for Consumer Protection 1177166031 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – [[United Nations Guidelines for Consumer Protection]].<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=978-92-79-62181-9}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217}}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 |doi-access=free}}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008|hdl= 10023/23477 |hdl-access= free }}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite SSRN |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite SSRN |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite SSRN |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite SSRN |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] n5j7yjeqnk953lntcawpbypizk5rgjx 1188953806 1177166031 2023-12-08T19:13:26Z Citation bot 7903804 Add: s2cid. | [[:en:WP:UCB|Use this bot]]. [[:en:WP:DBUG|Report bugs]]. | Suggested by Abductive | [[Category:Digital rights]] | #UCB_Category 21/32 1188953806 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23}}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – [[United Nations Guidelines for Consumer Protection]].<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=978-92-79-62181-9}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217|s2cid=9398036 }}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 |doi-access=free}}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17}}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008|hdl= 10023/23477 |hdl-access= free }}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite SSRN |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite SSRN |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite SSRN |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite SSRN |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] o0egww59xxngmlwuijy968k97twg4i4 1195938779 1188953806 2024-01-15T21:31:41Z InternetArchiveBot 27015025 Rescuing 2 sources and tagging 0 as dead.) #IABot (v2.0.9.5 1195938779 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23 |access-date=2020-12-14 |archive-date=2021-10-23 |archive-url=https://web.archive.org/web/20211023020934/https://thecommandline.net/2010/06/23/data-portability-policy/ |url-status=dead }}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – [[United Nations Guidelines for Consumer Protection]].<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=978-92-79-62181-9}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217|s2cid=9398036 }}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 |doi-access=free}}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17 |access-date=2020-10-23 |archive-date=2021-04-12 |archive-url=https://web.archive.org/web/20210412055921/https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |url-status=dead }}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1= Perarnaud | publisher=Diplo Foundation | title= GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15)| url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date = 27 November 2019 }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008|hdl= 10023/23477 |hdl-access= free }}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite SSRN |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1= Pasquale |title= Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) |url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ |date= February 5, 2016}}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability | url=http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date=February 5, 2016}}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite SSRN |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite SSRN |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite SSRN |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] j1jbqmduozh7onk8xxttqavfm02fqgb 1216987683 1195938779 2024-04-03T03:46:04Z InternetArchiveBot 27015025 Rescuing 3 sources and tagging 0 as dead.) #IABot (v2.0.9.5) ([[User:Whoop whoop pull up|Whoop whoop pull up]] - 18543 1216987683 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23 |access-date=2020-12-14 |archive-date=2021-10-23 |archive-url=https://web.archive.org/web/20211023020934/https://thecommandline.net/2010/06/23/data-portability-policy/ |url-status=dead }}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – [[United Nations Guidelines for Consumer Protection]].<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=978-92-79-62181-9}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217|s2cid=9398036 }}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 |doi-access=free}}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17 |access-date=2020-10-23 |archive-date=2021-04-12 |archive-url=https://web.archive.org/web/20210412055921/https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |url-status=dead }}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1=Perarnaud | publisher=Diplo Foundation | title=GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15) | url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date=27 November 2019 | archive-date=29 July 2020 | archive-url=https://web.archive.org/web/20200729035207/https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | url-status=dead }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008|hdl= 10023/23477 |hdl-access= free }}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite SSRN |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1=Pasquale | title=Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date=February 5, 2016 | access-date=November 30, 2016 | archive-date=December 1, 2016 | archive-url=https://web.archive.org/web/20161201014921/http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | url-status=dead }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability |url= http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date= February 5, 2016 |access-date= December 7, 2016 |archive-date= December 20, 2016 |archive-url= https://web.archive.org/web/20161220084911/http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |url-status= dead }}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite SSRN |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite SSRN |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite SSRN |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] r7muf41xq98w0va7s27lr7fzyvax7dn 1220175201 1216987683 2024-04-22T07:13:49Z OAbot 28481209 [[Wikipedia:OABOT|Open access bot]]: hdl updated in citation with #oabot. 1220175201 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23 |access-date=2020-12-14 |archive-date=2021-10-23 |archive-url=https://web.archive.org/web/20211023020934/https://thecommandline.net/2010/06/23/data-portability-policy/ |url-status=dead }}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – [[United Nations Guidelines for Consumer Protection]].<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=978-92-79-62181-9}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]] and [[Snapchat]] have widely adapted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]]. Other platforms such as [[Google]] and [[Facebook]] already were equipped with export options earlier. However, some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |title=Instagram launches "Data Download" tool to let you leave |url=https://techcrunch.com/2018/04/24/instagram-export/ |website=TechCrunch |date=2018-04-24}}</ref><ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref><ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref><ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Other sites such as [[Quora]] or Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data- |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217|s2cid=9398036 }}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 |doi-access=free|hdl=10419/286941|hdl-access=free}}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17 |access-date=2020-10-23 |archive-date=2021-04-12 |archive-url=https://web.archive.org/web/20210412055921/https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |url-status=dead }}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1=Perarnaud | publisher=Diplo Foundation | title=GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15) | url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date=27 November 2019 | archive-date=29 July 2020 | archive-url=https://web.archive.org/web/20200729035207/https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | url-status=dead }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008|hdl= 10023/23477 |hdl-access= free }}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite SSRN |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1=Pasquale | title=Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date=February 5, 2016 | access-date=November 30, 2016 | archive-date=December 1, 2016 | archive-url=https://web.archive.org/web/20161201014921/http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | url-status=dead }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability |url= http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date= February 5, 2016 |access-date= December 7, 2016 |archive-date= December 20, 2016 |archive-url= https://web.archive.org/web/20161220084911/http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |url-status= dead }}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite SSRN |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite SSRN |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite SSRN |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] g0995jq7vp429ogsi3o2pns70vuwobg 1227486903 1220175201 2024-06-06T00:45:04Z FeralOink 15685779 /* Online platforms */ Don't need 3 refs to same news story 1227486903 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23 |access-date=2020-12-14 |archive-date=2021-10-23 |archive-url=https://web.archive.org/web/20211023020934/https://thecommandline.net/2010/06/23/data-portability-policy/ |url-status=dead }}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – [[United Nations Guidelines for Consumer Protection]].<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=978-92-79-62181-9}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]], [[Snapchat]], and the [[Wall Street Journal]] online subscriber community have widely adopted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]].<ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref> Other platforms such as [[Google]] and [[Facebook]] were equipped with export options earlier.<ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref> Other sites such as [[Quora]] and Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217|s2cid=9398036 }}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 |doi-access=free|hdl=10419/286941|hdl-access=free}}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17 |access-date=2020-10-23 |archive-date=2021-04-12 |archive-url=https://web.archive.org/web/20210412055921/https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |url-status=dead }}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1=Perarnaud | publisher=Diplo Foundation | title=GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15) | url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date=27 November 2019 | archive-date=29 July 2020 | archive-url=https://web.archive.org/web/20200729035207/https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | url-status=dead }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008|hdl= 10023/23477 |hdl-access= free }}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a Consumer Data Right has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite SSRN |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1=Pasquale | title=Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date=February 5, 2016 | access-date=November 30, 2016 | archive-date=December 1, 2016 | archive-url=https://web.archive.org/web/20161201014921/http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | url-status=dead }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability |url= http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date= February 5, 2016 |access-date= December 7, 2016 |archive-date= December 20, 2016 |archive-url= https://web.archive.org/web/20161220084911/http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |url-status= dead }}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite SSRN |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite SSRN |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite SSRN |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] dbb7sg4ootl3ta279rbx90k80bazxd1 1235423954 1227486903 2024-07-19T06:31:54Z StephenMccalman 44804584 add a link to the Consumer Data Right page 1235423954 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23 |access-date=2020-12-14 |archive-date=2021-10-23 |archive-url=https://web.archive.org/web/20211023020934/https://thecommandline.net/2010/06/23/data-portability-policy/ |url-status=dead }}</ref> Data portability applies to personal data. It involves access to the personal data without implying data ownership per se. == Development == At the global level there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – [[United Nations Guidelines for Consumer Protection]].<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=978-92-79-62181-9}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]], [[Snapchat]], and the [[Wall Street Journal]] online subscriber community have widely adopted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]].<ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref> Other platforms such as [[Google]] and [[Facebook]] were equipped with export options earlier.<ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref> Other sites such as [[Quora]] and Bumble offer no automated request form, requiring the user to request a copy of their data through a personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217|s2cid=9398036 }}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 |doi-access=free|hdl=10419/286941|hdl-access=free}}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17 |access-date=2020-10-23 |archive-date=2021-04-12 |archive-url=https://web.archive.org/web/20210412055921/https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |url-status=dead }}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1=Perarnaud | publisher=Diplo Foundation | title=GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15) | url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date=27 November 2019 | archive-date=29 July 2020 | archive-url=https://web.archive.org/web/20200729035207/https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | url-status=dead }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008|hdl= 10023/23477 |hdl-access= free }}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia a [[Consumer Data Right]] has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to not only consider an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite SSRN |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text has been finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1=Pasquale | title=Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date=February 5, 2016 | access-date=November 30, 2016 | archive-date=December 1, 2016 | archive-url=https://web.archive.org/web/20161201014921/http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | url-status=dead }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability |url= http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date= February 5, 2016 |access-date= December 7, 2016 |archive-date= December 20, 2016 |archive-url= https://web.archive.org/web/20161220084911/http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |url-status= dead }}</ref> Another 2016 paper, this one published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite SSRN |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite SSRN |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite SSRN |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] l0d9cqdoe69l98o89sx0sexfi8pkloc 1236699113 1235423954 2024-07-26T03:34:55Z 192.226.135.80 Added a reference for support and corrected minor grammar 1236699113 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23 |access-date=2020-12-14 |archive-date=2021-10-23 |archive-url=https://web.archive.org/web/20211023020934/https://thecommandline.net/2010/06/23/data-portability-policy/ |url-status=dead }}</ref> Data portability applies to personal data. It involves access to personal data without implying data ownership per se.<ref>{{cite web | first= Ignacio | last= Cofone | title=Beyond Data Ownership |url=https://cardozolawreview.com/beyond-data-ownership/ | date=2021 | publisher=Cardozo Law Review |volume=43 |issue=2 |pages=507}}</ref> == Development == At the global level, there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – [[United Nations Guidelines for Consumer Protection]].<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level, there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=978-92-79-62181-9}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]], [[Snapchat]], and the [[Wall Street Journal]] online subscriber community have widely adopted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]].<ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref> Other platforms such as [[Google]] and [[Facebook]] were equipped with export options earlier.<ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref> Other sites such as [[Quora]] and Bumble offer no automated request form, requiring the user to request a copy of their data through personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217|s2cid=9398036 }}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 |doi-access=free|hdl=10419/286941|hdl-access=free}}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17 |access-date=2020-10-23 |archive-date=2021-04-12 |archive-url=https://web.archive.org/web/20210412055921/https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |url-status=dead }}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1=Perarnaud | publisher=Diplo Foundation | title=GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15) | url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date=27 November 2019 | archive-date=29 July 2020 | archive-url=https://web.archive.org/web/20200729035207/https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | url-status=dead }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008|hdl= 10023/23477 |hdl-access= free }}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia, a [[Consumer Data Right]] has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to consider not only an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite SSRN |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text was finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1=Pasquale | title=Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date=February 5, 2016 | access-date=November 30, 2016 | archive-date=December 1, 2016 | archive-url=https://web.archive.org/web/20161201014921/http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | url-status=dead }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability |url= http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date= February 5, 2016 |access-date= December 7, 2016 |archive-date= December 20, 2016 |archive-url= https://web.archive.org/web/20161220084911/http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |url-status= dead }}</ref> Another 2016 paper, published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite SSRN |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite SSRN |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite SSRN |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic, there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 4sm7os5u6b6adfefafe01pgnoqhf2a1 1237650820 1236699113 2024-07-30T20:40:40Z GreenC bot 27823944 Rescued 1 archive link. [[User:GreenC/WaybackMedic_2.5|Wayback Medic 2.5]] per [[WP:URLREQ#ieee.org]] 1237650820 wikitext text/x-wiki {{Short description|Ability to export, back up and transfer user data to prevent vendor lock-in}} '''Data portability''' is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. [[closed platform]]s, thus subjecting them to [[vendor lock-in]] and making the creation of [[data backup]]s or moving accounts between services difficult. Data portability requires common [[technical standard]]s to facilitate the transfer from one data controller to another, such as the ability to [[Import and export of data|export]] user data into a user-accessible local file, thus promoting [[interoperability]], as well as facilitate searchability with sophisticated tools such as <code>[[grep]]</code>.<ref>{{Cite web |url= http://www.dataportability.org |archive-url=https://web.archive.org/web/20090723171111/http://www.dataportability.org |website= DataPortability.org |title= DataPortability.org - Share and remix data using open standards |access-date=2022-05-16 |date=2009-07-23 |archive-date=23 July 2009 }}</ref><ref>{{cite web |last1=Gideon |first1=Thomas |title=Data Portability Policy – The Command Line |url=https://thecommandline.net/2010/06/23/data-portability-policy/ |website=The Command Line |date=2010-06-23 |access-date=2020-12-14 |archive-date=2021-10-23 |archive-url=https://web.archive.org/web/20211023020934/https://thecommandline.net/2010/06/23/data-portability-policy/ |url-status=dead }}</ref> Data portability applies to personal data. It involves access to personal data without implying data ownership per se.<ref>{{cite web | first= Ignacio | last= Cofone | title=Beyond Data Ownership |url=https://cardozolawreview.com/beyond-data-ownership/ | date=2021 | publisher=Cardozo Law Review |volume=43 |issue=2 |pages=507}}</ref> == Development == At the global level, there are proponents who see the protection of digital data as a human right. Thus, in an emerging civil society draft declaration, one finds mention of the following concepts and statutes: Right to Privacy on the Internet, Right to Digital Data Protection, Rights to Consumer Protection on the Internet – [[United Nations Guidelines for Consumer Protection]].<ref>{{Cite web|url= https://www.intgovforum.org/multilingual/content/the-charter-of-human-rights-and-principles-for-the-internet-educational-resource-guide-v2 |title=The Charter of Human Rights and Principles for the Internet Educational Resource Guide (v2) (Internet Rights and Principles Coalition) |access-date=2018-10-07|date=2017-10-20}}</ref> At the regional level, there are at least three main jurisdictions where data rights are seen differently: China and India, the United States and the European Union. In the latter, personal data was given special protection under the 2018 [[General Data Protection Regulation]] (GDPR). The GDPR thus became the fifth of the 24 types of legislation listed in Annex 1 Table of existing and proposed European Directives and Regulations in relation to data.<ref>{{Cite book|url=https://publications.europa.eu/en/publication-detail/-/publication/d0bec895-b603-11e6-9e3c-01aa75ed71a1/language-en|title=Legal study on ownership and access to data: final report. Publications Office of the European Union|date=2016-11-28|language=en|doi=10.2759/299944|access-date=2018-10-07|last1=European Commission. Directorate General For Communications Networks|first1=Content Technology|author2=Osborne Clarke LLP|publisher=Publications Office|isbn=978-92-79-62181-9}}</ref> Personal data are the basis for [[targeted advertising|behavioral advertising]], and early in the 21st century their value began to grow exponentially, at least as measured in the market capitalization of the major platforms holding personal data on their respective users. European Union regulators reacted to this perceived power imbalance between platforms and users, although much still hinges on the terms of consent given by users to the platforms. The concept of data portability comprises an attempt to correct the perceived power imbalance by introducing an element of competition allowing users to choose among platforms. === Online platforms === With the advent of the [[General Data Protection Regulation]]s (GDPR), [[social media platform]]s such as [[Twitter]], [[Instagram]], [[Snapchat]], and the [[Wall Street Journal]] online subscriber community have widely adopted the ability to export and download user data into a [[ZIP file|ZIP]] [[archive file]].<ref>{{cite web |last1=Gartenberg |first1=Chaim |title=Instagram adds new data download tool to export pictures and user information |url=https://www.theverge.com/2018/4/24/17276106/instagram-data-download-tool-export-privacy-gdpr-compliance |website=The Verge |language=en |date=24 April 2018}}</ref> Other platforms such as [[Google]] and [[Facebook]] were equipped with export options earlier.<ref>{{cite magazine |last1=Burgess |first1=Matt |title=How Apple, Facebook and Google are changing to comply with GDPR |url=https://www.wired.co.uk/article/gdpr-facebook-google-analytics-apple-amazon-twitter |magazine=Wired UK |date=24 May 2018}}</ref> Some platforms restrict exports with time delays between each, such as once per 30 days on Twitter, and many platforms lack partial export options.<ref>{{cite web |last1=Canales |first1=Katie |title=Instagram is rolling out a feature that will let you download all of your photos and past searches in one fell swoop |url=https://www.businessinsider.com/instagram-data-download-feature-gdpr-privacy-photos-searches-2018-4 |website=Business Insider |date=2018-04-24}}</ref> Other sites such as [[Quora]] and Bumble offer no automated request form, requiring the user to request a copy of their data through personal support [[email]].<ref>{{cite web |title=Can I get a copy of my data? |url=https://help.quora.com/hc/en-us/articles/360000839503-Can-I-get-a-copy-of-my-data |website=Quora Help Center |date=2019-12-13}}</ref> === Ratings and Reviews === Reputation portability refers to the ability of an individual to transfer their reputation or credibility from one context to another.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|year=2020|title=Reputation portability — quo vadis?|journal=Electronic Markets|volume=30|issue=2|pages=331–349|doi=10.1007/s12525-019-00367-6|s2cid=255573927 }}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Hawlitschek|first2=Florian|last3=Adam|first3=Marc T. P.|year=2019|title=Reputation Transfer|journal=Business & Information Systems Engineering|volume=61|issue=2|pages=229–235|doi=10.1007/s12599-018-00574-z |s2cid=255613268 }}</ref> This concept is becoming increasingly important in today's interconnected world, where individuals are involved in multiple online and offline communities. The idea behind reputation portability is that an individual's reputation should not be tied solely to a single community or platform.<ref>{{cite web|title=Exploratory study of consumer issues in online peer-to-peer platform markets|url=http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=77704|website=European Commission|access-date=March 14, 2023}}</ref> Rather, it should be transferable across different contexts, such as professional networks, social media platforms, and online marketplaces. This enables individuals to maintain a consistent reputation across various contexts, which can be beneficial in terms of building trust, and overcoming the so-called "cold-start" problem,<ref>{{cite journal|last1=Kokkodis|first1=Marios|last2=Ipeirotis|first2=Panagiotis G.|year=2016|title=Reputation transferability in online labor markets|journal=Management Science|volume=62|issue=6|pages=1687–1706|doi=10.1287/mnsc.2015.2217|s2cid=9398036 }}</ref><ref>{{cite conference|last1=Wessel|first1=Michael|last2=Thies|first2=Ferdinand|last3=Benlian|first3=Alexander|year=2017|title=Competitive Positioning of Complementors on Digital Platforms: Evidence from the Sharing Economy|book-title=Proceedings of the International Conference on Information Systems (ICIS)|url=https://aisel.aisnet.org/icis2017/Peer-to-Peer/Presentations/21|access-date=March 14, 2023}}</ref> and hence mitigating platform lock-in. Overall, reputation portability is an important concept in today's digital landscape, and research has shown that imported reputation can serve as viable signals for building trust.<ref>{{cite journal|last1=Hesse|first1=Maik|last2=Teubner|first2=Timm|last3=Adam|first3=Marc T. P.|year=2022|title=In stars we trust – A note on reputation portability between digital platforms|journal=Business & Information Systems Engineering|volume=64|issue=3|pages=349–358|doi=10.1007/s12599-021-00717-9 |s2cid=244171274 |doi-access=free|hdl=10419/286941|hdl-access=free}}</ref><ref>{{cite journal|last1=Teubner|first1=Timm|last2=Adam|first2=Marc T. P.|last3=Hawlitschek|first3=Florian|year=2020|title=Unlocking online reputation: On the effectiveness of cross-platform signaling in the sharing economy|journal=Business & Information Systems Engineering|volume=62|issue=6|pages=501–513|doi=10.1007/s12599-019-00620-4 |s2cid=208832472 }}</ref><ref>{{cite conference|last1=Otto|first1=Lisa|last2=Angerer|first2=Peter|last3=Zimmermann|first3=Steffen|year=2018|title=Incorporating external trust signals on service sharing platforms|book-title=Proceedings of the European Conference on Information Systems (ECIS)|pages=1–17|url= https://aisel.aisnet.org/ecis2018_rp/78/ |access-date=March 14, 2023}}</ref> As technology continues to evolve, it is likely that reputation portability will become increasingly important in shaping how we interact with each other online and offline. == In consumer electronics == === Mobile devices === Some [[mobile app]]s restrict data portability by storing user data in locked [[directory (computing)|directories]] while lacking [[Import and export of data|export]] options. Such may include [[configuration file]]s, [[bookmark (digital)|digital bookmarks]], [[browsing history]] and [[Session (computer science)#Browser session management|sessions]] (e.g. list of open [[tabbed browsing|tabs]]{{efn|Not limited to [[internet browser]]s, but also, for example, [[text editor]]s.}} and navigation histories), watch and search histories in multimedia [[streaming]] apps, custom [[playlists]] in [[Media player software|multimedia player]] software, entries in [[note taking]] and [[memorandum]] software, digital [[phone book]]s ([[contact list]]s), call logs from the telephone app, and conversations through [[SMS]] and [[instant messaging]] software. Locked directories are inaccessible to an end-user without extraordinary measures such as so-called [[rooting (Android)]] or [[jailbreaking (iOS)]]. The former requires the so-called [[boot loader]] of the device to be in an unlocked state in advance, which it usually is not by default. Toggling that state involves a full erasure of all user data, known as the ''wipe'', making it a [[vicious cycle]] if the user's aim were to access their locked data.<ref>{{cite web |title=Bootloader, Recovery, and the joy of unlocking |url=https://de.ifixit.com/Anleitung/Bootloader+Recovery+and+the+joy+of+unlocking/62398 |website=iFixit |language=de |date=29 April 2016}}</ref> Other mobile apps only allow the creation of user data backups using [[proprietary software]] provided by the vendor, lacking the ability to directly export the data to a local file in the mobile device's common user data directory. Such said software requires an external host computer to run on.<ref>{{cite web |title=How to Back Up SMS Messages on Your Android Phone |url=https://gadgets.ndtv.com/apps/features/how-to-backup-sms-android-messages-inbox-sms-backup-and-restore-1744131 |website=NDTV Gadgets 360 |language=en |date=2017-08-31}}</ref><ref>{{cite web |title=How do I backup contacts from my old Samsung smartphone to my PC using Kies? {{!}} Samsung Support Gulf |url=https://www.samsung.com/ae/support/mobile-devices/how-do-i-backup-contacts-from-my-old-samsung-smartphone-to-my-pc-using-kies/ |website=Samsung ae |language=en-AE}}</ref> Some device vendors offer [[cloud storage]] and synchronisation services for backing up data. Such services however require registration and depend on internet connection and preferably high internet speeds and data plan limits if used regularly. Some services may only allow moving parts of the data such as text messages and [[phone book]]s between locked directories on devices of the same vendor ([[vendor lock-in]]), without the ability to export the information into local files directly accessible by the end user.<ref>{{cite web |last1=Raphael |first1=J. R. |title=Android backups: A simple guide to keeping your stuff synced |url=https://www.computerworld.com/article/3215095/how-to-back-up-android-phones-complete-guide.html |website=Computerworld |language=en |date=31 January 2020}}</ref><ref>{{cite web |title=PSA: [Cloud storage] Shouldn't Be Your Sole Backup for Your Files |url=https://lifehacker.com/psa-dropbox-shouldnt-be-your-sole-backup-for-your-file-1612803794 |website=Lifehacker |language=en-us |date=2014-07-29}}</ref> Restrictions added in more recent versions of [[operating system]]s, such as ''[[scoped storage]]'', which is claimed to have been implemented with the aim to improve user privacy, compromise both [[backwards compatibility]] to established existing software such as [[file manager]]s and [[FTP server]] applications, as well as legitimate uses such as cross-app communication and facilitating large [[file transfer]]s and [[backup]] creation.<ref>{{cite web |title=Android 11, Can't access /storage/emulated/0/android/data · Issue #2015 · TeamAmaze/AmazeFileManager |url=https://github.com/TeamAmaze/AmazeFileManager/issues/2015#issuecomment-712900067 |website=GitHub |language=en |date=2020-10-20}}</ref><ref>{{cite web |last1=Hildenbrand |first1=Jerry |title=What is Scoped Storage in Android 11? |url=https://www.androidcentral.com/what-scoped-storage |website=Android Central |date=17 August 2020}}</ref> Further possible restraints on data portability are poor reliability, stability and performance of existing means of data transfer, such as described in {{section link|Media Transfer Protocol#Performance}}. === Digital video recorders === Some [[digital video recorder]]s (DVRs) which store recordings on an internal hard drive lack the ability to back up recordings, forcing a user to delete existing recordings upon exhausted disk space, which is an instance of poor data portability. Some DVRs have an [[operating system]] that depends on an Internet connection to boot and operate, meaning that recordings stored locally are inaccessible if no internet connection is available. If service for the device gets deprecated by the television service provider, the existing recordings become inaccessible and thus considerably lost.<ref>{{cite web |title=Telekom zieht 2019 beim alten "Entertain" den Stecker |url=https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |website=www.onlinekosten.de |language=de |date=2019-01-17 |access-date=2020-10-23 |archive-date=2021-04-12 |archive-url=https://web.archive.org/web/20210412055921/https://www.onlinekosten.de/news/telekom-zieht-2019-beim-alten-entertain-den-stecker_214313.html |url-status=dead }}</ref><ref>{{cite web |last1=AG |first1=Deutsche Telekom |title=MagentaTV löst Entertain ab |url=https://www.telekom.com/de/konzern/details/magentatv-loest-entertain-ab-558808 |website=www.telekom.com |publisher=[[German Telekom]] |language=de |date=2019-01-22}}</ref> === Other appliances === [[Cordless telephone|Cordless]] [[landline telephone]] units, as well as their associated base stations, which have [[firmware]]s with [[phone book]] and [[SMS]] messaging functionality, commonly lack an interface to connect to a computer for backing the data up. == In software == Some software such as the [[Discourse (software)|''Discourse'']] forum software offers a built-in ability for users to download their posts into an archive file. Other software may operate locally, but store user data in a [[proprietary format]], thus causing [[vendor lock-in]] until successfully [[reverse engineering|reverse-engineer]]ed by third party developers. == By country == ===European Union=== The right to data portability was laid down in the European Union's [[General Data Protection Regulation]] (GDPR) passed in April 2016. The regulation applies to data processors, whether inside or outside the EU, if they process data on individuals who are physically located within an EU member state. {{cquote|''Controllers must make the data available in a structured, commonly used, machine-readable and interoperable format that allows the individual to transfer the data to another controller.''<ref>The right to data portability is now enshrined as such in Article 20 {{cite web | title=Official Journal of the European Union, 156 page PDF |url=http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL |date=May 4, 2016 | publisher=European Commission}}</ref><ref>{{cite web | title=The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4 | url=http://www.bna.com/final-european-union-n57982067329/#! | date=February 12, 2016 | publisher=Bloomberg BNA | access-date=April 18, 2016 | archive-url=https://web.archive.org/web/20160419153334/http://www.bna.com/final-european-union-n57982067329#! | archive-date=April 19, 2016 }}</ref>}} Earlier the [[European Data Protection Supervisor]] had stated that data portability could "let individuals benefit from the value created by the use of their personal data".<ref>{{cite web | title=European_Data_Protection_Supervisor (EDPS) (2015): Meeting the challenges of big data: A call for transparency, user control, data protection by design and accountability, Opinion 7/2015, 19 Nov., page 13 |url=https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf | date=November 19, 2015 | publisher=EDPS}}</ref> The European-level [[Article 29 Data Protection Working Party]] held a consultation on this in English lasting until the end of January 2017. Their guidelines and FAQ on the right to data portability contain this call for action: {{cquote|WP29 strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. This challenge has also been addressed by the [[European Interoperability Framework]] (EIF).}} The French national data supervisor [[Commission Nationale de l'Informatique et des Libertés|CNIL]] hosted a discussion in French. Current participants offer opinions on how the legislation provides few benefits for companies, but many for users.<ref>{{cite web | title=Commission Nationale de l'Informatique et des Libertés (CNIL) (2016): Sujet de discussion > Le droit à la portabilité: quelles opportunités ? |url=http://www.cnil.fr/fr/consultation-reglement-europeen/portabilite/le-droit-la-portabilite-quelles-opportunites | date=June 15, 2016 | publisher=CNIL}}</ref> In April 2017, new guidelines were published on the Article 29 Working Party website.<ref>{{cite web |url=http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358 |title=EU Article 29 Working Party |access-date=30 May 2018 |publisher=European Union}} Official website.</ref> In late 2019 the Data Governance Act was published by the Commission.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> In 2021 researchers, many of them French and Finnish, published a 46-page report covering the state-of-the-art.<ref>{{cite web | first1= Stéphanie | last1= Exposito-Rosso | first2= François-Xavier |last2= Cao |first3= Antoine |last3= Piquet |first4= Mehdi |last4= Medjaoui | title=GDPR Data Portability: The Forgotten Right, a research report|url=https://cellar-c2.services.clever-cloud.com/alias-code-is-law-assets/static/report/gdpr_data_portability_the_forgotten_right_report_full.pdf | date=2021 | publisher=ALIAS, société Code is Law}}</ref> In 2022 the European Commission published the Data Act.<ref>{{cite web | title=EU Data Act – making data portability actionable, blog post |url=https://www.mydata.org/2022/02/25/eu-data-act-making-data-portability-actionable/ | date=February 25, 2022 | publisher=MyData network}}</ref> Although the United Kingdom [[Brexit|voted to withdraw from the EU]], it intends to incorporate much of the GDPR in its own legislation, which will include data portability, as "...the GDPR itself contains some noteworthy innovations – for instance… the introduction of a new right to data portability".<ref>{{cite web | first1= Orla | last1= Lynskey | title=The Great Data Protection Rebranding Exercise, blog post |url=http://blogs.lse.ac.uk/mediapolicyproject/2017/08/08/the-great-data-protection-rebranding-exercise/ | date=August 8, 2017 | publisher=London School of Economics}}</ref> In November at the Internet Governance Forum 2019 in Berlin panelists reported that Article 20 GDPR is not actionable, neither legally nor technically.<ref>{{cite web | first1=Clement | last1=Perarnaud | publisher=Diplo Foundation | title=GDPR - After More than One Year: How to Make it Happen? Report, Internet Governance Forum, Berlin, 25 Nov 2019, Pre-event 45 (15:45 to 18:15) | url=https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | access-date=27 November 2019 | archive-date=29 July 2020 | archive-url=https://web.archive.org/web/20200729035207/https://dig.watch/sessions/gdpr-after-more-one-year-how-make-it-happen | url-status=dead }}</ref> In the UK—ironically post-Brexit—researchers are monitoring developments.<ref>{{cite web | title= Port My Data, About The Project| url =https://portmydata.github.io/about/ | publisher=University College London | access-date = 27 November 2019 }}</ref> <ref>{{cite journal | title = Exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 | first1 = Janis | last1 = Wong| first2 = Tristan | last2= Henderson |doi = 10.1093/idpl/ipz008|hdl= 10023/23477 |hdl-access= free }}</ref><ref>{{cite web | title = Between incrementalism and revolution: How the GDPR right to data portability is revamped by the EU and the UK post Brexit will appear in the Research Handbook of EU Data Protection Law| first1 = Wenlong | last1 = Li| url=https://osf.io/8u2pr/ |access-date=August 2, 2021}}</ref> Germany has called to strengthen the European Union's right to data portability using competition law. A commission was set up for the purpose of proposing improvements.<ref>{{cite web | title=A New Competition Framework for the Digital Economy Report by the Commission 'Competition Law 4.0', Summary |url=https://www.bmwi.de/Redaktion/EN/Downloads/a/a-new-competition-framework.pdf?__blob=publicationFile&v=2 | date=September 8, 2019 | publisher=Federal Ministry for Economic Affairs and Energy}}</ref> ===Switzerland=== Likewise, in Switzerland, a nation-state that is related to the EU only on a bilateral basis and as an [[EFTA]] member state, there has been a trend moving in the same direction. The Swiss view was officially published in March 2018 (as a document in PDF).<ref>{{cite web | title= The GDPR and its consequences for Switzerland |url=https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2018/EU%20DSGVO.pdf.download.pdf | date= March 2018 | access-date=October 7, 2018 }}</ref> An association proposed to have a right to data portability anchored in the constitution of the Swiss Confederation.<ref>{{cite web |title=Postulat "Recht auf Kopie" vom Bundesrat angenommen| url=https://www.datenundgesundheit.ch/2015/11/12/posultat-recht-auf-kopie-vom-bundesrat-angenommen/?lang=en | publisher=Verein Datenundgesundheit | access-date=October 8, 2019}}</ref> A law was passed that includes data portability; as described here in German <ref>{{cite web | title=Kommission schliesst Beratung der Revision des Datenschutzgesetzes ab, press release |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1031 | access-date=August 19, 2019}}</ref> and here in French.<ref>{{cite web | title=Réforme de la protection des données: fin de l'examen du projet, Press release, 16 August 2019 |url=https://www.parlament.ch/press-releases/Pages/mm-spk-n-2019-08-16-a.aspx?lang=1033 | access-date=December 4, 2019}}</ref> The association partners with a cooperative called MIDATA.coop, which will offer users a place to store their data.<ref>{{cite web |url=http://www.midata.coop/ |title=Home |website=midata.coop}}</ref> A second association has issued its guideline on the topic.<ref>{{cite web | last1=Swiss Data Alliance | title= Guideline for the implementation of data portability in Switzerland |url=https://drive.google.com/file/d/1EbTbIOnF95z-1GH-Rv9AfY8XU4mJCF3i/view | date= August 2020 | access-date=August 28, 2020 }}</ref> Over the longer term, the Swiss may have to consider that data portability is in the GDPR. Given that the GDPR will raise compliance costs for EU-based companies, it is unlikely that the EU would tolerate a situation with third-party countries in which Swiss companies would not be held to the same standard in order to keep competition fair. The legal terms involved are adequacy and reciprocity.<ref>{{cite web |title=Transborder data flows|url=https://www.edoeb.admin.ch/edoeb/en/home/data-protection/arbeitsbereich/transborder-data-flows.html | access-date=October 7, 2018}}</ref> ===United States, California=== California has a Consumer Privacy Act (CCPA) of 2018, which introduces data portability to the USA.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Canada=== Canada anticipates a law in that it shows Transparency, Portability and Interoperability as Principle No. 4 of its Digital Charter.<ref>{{cite web |title=Canada's Digital Charter: Trust in a digital world |url=https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html | access-date=January 2, 2020}}</ref> ===India=== Data portability is included in the [[Personal Data Protection Bill 2019]] about to become law as section 26 in chapter VI. ===Brazil=== Data portability is included in the [[Privacy law#Brazil]] as its Article 18.<ref>{{Cite web|title=Brazilian General Data Protection Law (LGPD, English translation)|url=https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/|access-date=2020-12-06}}</ref> ===Australia=== In Australia, a [[Consumer Data Right]] has been proposed.<ref>{{cite journal |first1= Janis |last1=Wong |first2= Tristan|last2= Henderson| title=The right to data portability in practice: exploring the implications of the technologically neutral GDPR |journal=International Data Privacy Law |volume=9 |issue=3 |date=August 2019 |pages=173–191 |doi= 10.1093/idpl/ipz008|url=https://tnhh.org/research/pubs/rtdp_idpl2019.pdf | access-date=September 3, 2019}}</ref> ===Thailand=== Data portability is included in the new law.<ref>{{Cite web| first1= Marion | last1=Lagrange | first2=Yada | last2=Hongchayangkool | title = Personal Data Protection in Thailand, June 2019 | website= DFDL Thailand, Bangkok |url=https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf |access-date = December 27, 2019}}</ref> ===Kenya=== A right to data portability is enshrined in the new data protection law under clause 34.<ref>{{Cite web| title=Data Protection Act, 2018 (in bill status) | website= Government of Kenya |url= http://www.ict.go.ke/wp-content/uploads/2016/04/Kenya-Data-Protection-Bill-2018-14-08-2018.pdf |access-date = December 27, 2019}}</ref> However, the intentions behind the new law, its enforcement and relation to the government's new [[Identity management]] system have already been contested.<ref>{{Cite web| title= Kenya now has a data protection law. What does this mean for netizens? 24 December 2019 | first= Njeri | last= Wangari| date= 24 December 2019 | url=https://advox.globalvoices.org/2019/12/24/kenya-now-has-a-data-protection-law-what-does-this-mean-for-netizens/|access-date = December 27, 2019}}</ref> ==Requirements for effective data interoperability== It is always tricky for legislators to regulate at the right level of precision, as everyone understands technology will evolve faster than the law. So far, only the European Union has formalized the expectations around data portability, requiring the data "in a structured, commonly used, machine-readable and interoperable format". This touches on at least two distinct technical requirements for effective interoperability: * the need to use file standards that allow for easy reuse (for instance CSV or JSON instead of PDF or even printed paper), encompassed by a "structured, commonly used, machine-readable" format. * the need (hinging on "interoperable") to consider not only an individual's data release on its own, but also in conjunction with other systems and other individuals' data releases from the same company. This hints at requirements regarding data schemas, versioning and specification of those schemas in case of frequent changes, and generally the absence of efforts on the part of the source data controller to complicate the effective interoperability downstream. Likewise, European researchers stress that there are both practical and legal gaps that the EU should fill.<ref>{{cite web |last1=Krämer |first1=Jan |last2=Senellart |first2=Pierre |last3=de Streel |first3=Alexandre | title = Making data portability more effective for the digital economy |website=Centre on Regulation in Europe |url=https://www.cerre.eu/publications/report-making-data-portability-more-effective-digital-economy| access-date=June 13, 2020 }}</ref> == Rights of data subjects under the European Union's new GDPR == The list of these rights has grown.<ref>{{cite web | first1=Detlev | last1= Gabel | first2=Tim | last2=Hickman | title=Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | url=http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation | date=2016 | publisher=White & Case LLP}}</ref> === Data portability in relation to the right of access === The data portability right is slightly different from the [[Right of access to personal data]]; see [[GDPR]] and the seventh item in the list cited immediately above. The right of access only mandates that the data subject gets to see their personal data. The old EU Data Protection Directive used to require explicitly in such cases for the data to be provided in "intelligible" form, which has been interpreted so far as "human readable". This requirement is still somewhat present in the EU's General Data Protection Regulation, but only implicitly in conjunction with [[Recital (law)]]. Since the right to portability is mostly concerned with reuse by other services (i.e. most likely automated), it could be that both "human readable" and "raw format" would be inappropriate for effective data portability. Some intermediate level might need to be sought. In addition, the GDPR limits the scope of data portability to cases where the processing is made on the basis of either consent of the data subject, or the performance of a contract. === Data portability in relation to the right of explanation === The data portability right is related to the "[[right to explanation]]", i.e. when automated decisions are made that have legal effect or significant impact on individual data subjects. How to display an algorithm? One way is through a [[decision tree]]. This right, however, was found to be not very useful in an empirical study.<ref>{{cite SSRN |ssrn=2972855 | first1= Lilian| last1 = Edwards | first2=Michael | last2=Veale | title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably not the Remedy you are Looking for | year=2017 }}</ref> The right to explanation is related to the "Right to not be evaluated on the basis of automated processing" shown as the last item in the list shown in Gabel / Hickman.<ref>{{cite web |first1= Detlev | last1=Gabel | first2=Tim | last2= Hickman | title=Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation | url= http://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation |date= July 22, 2016 |publisher=White & Case}}</ref> This includes decisions based on [[Profiling (information science)|profiling]]. Such a right was included in the EU Data Protection Directive of 1995, but not much enforcement followed. An article in ''Wired'' emphasised the poignancy of the discussion.<ref>{{cite magazine | first1= Cade | last1=Metz | title=Artificial Intelligence Is Setting Up the Internet for a Huge Clash With Europe | magazine=Wired | url=https://www.wired.com/2016/07/artificial-intelligence-setting-internet-huge-clash-europe/ | date=July 11, 2016 }}</ref> The issue has been discussed by Bygrave,<ref>[http://folk.uio.no/lee/oldpage/articles/Minding_machine.pdf Lee Bygrave, "Minding the Machine: Article 15 of the EC Data Protection Directive and Automated Profiling", Computer Law & Security Report, 2001, vol. 17, pp. 17–24, available at folk.uio.no]</ref> and by Hildebrandt,<ref>[[Mireille Hildebrandt]] (2012) "The Dawn of a Critical Transparency Right for the Profiling Era" Amsterdam Digital Enlightenment Yearbook 2012, p. 41-56, available at [https://works.bepress.com/mireille_hildebrandt/40/ works.bepress.com]</ref> who claimed this to be one of the most important transparency rights in the era of machine learning and [[big data]]. Contrary to Hildebrandt's high expectations in 2012, four years later, after many revisions to the GDPR, when the text was finalized, three other well-known authors contest whether a right to explanation still exists in the GDPR (see below). In the United States there was a description of related developments in a seminal book by law professor Frank Pasquale;<ref>{{Cite book | first=Frank | last=Pasquale | title= The Black Box Society | date=2015 | publisher=Harvard University Press}}</ref> the relevant passages were reviewed by the Electronic Privacy Information Center (EPIC).<ref>{{cite periodical | first=Marc | last=Rotenberg | title= [8] EPIC Book Review: 'The Black Box Society'. |periodical=EPIC Alert |volume=21 |number=24 |url=https://epic.org/alert/epic_alert_21.24.html | date=December 19, 2014}}</ref> Even the U.S. Defense Advanced Research Projects Agency DARPA has an [[Explainable AI]] (XAI) program<ref>{{Cite web | url=http://www.darpa.mil/program/explainable-artificial-intelligence | title=Explainable Artificial Intelligence}}</ref> cited critically by blogger Artur Kiulian.<ref>{{cite web | first=Artur | last=Kiulian | title= Saving Humanity From Dangerous Artificial Intelligence Scenario |url=https://medium.com/swlh/saving-humanity-from-dangerous-artificial-intelligence-scenario-223273cf8810?source=catalog_tab---------1--------- | date=2016 | publisher=Medium.com}}</ref> Several papers have been published on these topics in 2016, the first of which, by Goodman / Flaxman, outlines the development of the right to explanation.<ref>{{Cite journal| first1=Bryce |last1=Goodman | first2= Seth | last2=Flaxman |title=European Union regulations on algorithmic decision-making and a "right to explanation" |journal=AI Magazine |volume=38 |issue=3 |page=50 |arxiv=1606.08813| date=August 31, 2016 |doi=10.1609/aimag.v38i3.2741 |bibcode=2016arXiv160608813G |s2cid=7373959 }}</ref> Pasquale does not think the approach goes far enough, as he has stated in a blog entry at the [[London School of Economics]] (LSE).<ref>{{cite web | first1=Frank | last1=Pasquale | title=Bittersweet Mysteries of Machine Learning (A Provocation) (blog entry) | url=http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | date=February 5, 2016 | access-date=November 30, 2016 | archive-date=December 1, 2016 | archive-url=https://web.archive.org/web/20161201014921/http://blogs.lse.ac.uk/mediapolicyproject/2016/02/05/bittersweet-mysteries-of-machine-learning-a-provocation/ | url-status=dead }}</ref> In fact at LSE there is a whole series on Algorithmic Accountability of which that was one entry in Feb. of 2016, and other notable ones were by Joshua Kroll and [[Mireille Hildebrandt]].<ref>{{cite web |title= Series on Algorithmic Accountability |url= http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |date= February 5, 2016 |access-date= December 7, 2016 |archive-date= December 20, 2016 |archive-url= https://web.archive.org/web/20161220084911/http://blogs.lse.ac.uk/mediapolicyproject/category/algorithmic-accountability/page/2/ |url-status= dead }}</ref> Another 2016 paper, published by Katarinou et al., includes remarks on a right of appeal such that "individuals would have a right to appeal to a machine against a decision made by a human."<ref>{{cite SSRN |first1= Dimitra |last1=Kamarinou |first2= Christopher |last2= Millard |first3= Jatinder |last3= Singh |title=Machine Learning with Personal Data |ssrn= 2865811 |date=November 7, 2016}}</ref> A third 2016 paper, one co-authored by Mittelstadt et al., maps the literature and relates it to the GDPR on its pages 13–14.<ref>{{Cite journal| first1= Brent D.| last1=Mittelstadt | first2= Patrick | last2=Allo | first3= Mariarosaria |last3=Taddeo | first4= Sandra |last4= Wachter | first5= Luciano | last5= Floridi | title=The ethics of algorithms: Mapping the debate. In: Big Data & Society, Vol. 3, No. 2 | journal=Big Data & Society | volume=3 | issue=2 | page=205395171667967 |date= November 1, 2016 | doi=10.1177/2053951716679679 | s2cid=40342036 | doi-access=free }}</ref> A fourth paper, one co-authored by Wachter, Mittelstadt and Floridi, refutes the idea that such a right might be included in the GDPR, proposes a limited 'right to be informed' instead and calls for the creation of an agency to implement the transparency requirement.<ref>{{cite SSRN |first1=Sandra |last1= Wachter |first2=Brent |last2=Mittelstadt |first3=Luciano| last3=Floridi |title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation |ssrn=2903469 |date=December 28, 2016}}</ref> A further paper by Edwards and Veale claims such a right is unlikely to apply in the cases of the 'algorithmic harms' attracting recent media attention, and that insufficient attention has been paid to both the computer science literature on explanation and how other GDPR provisions, such as data protection impact assessments and data portability, might help.<ref>{{Cite SSRN |last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|date=2017-05-23|title=Slave to the Algorithm? Why a 'Right to an Explanation' is Probably Not the Remedy You are Looking For|ssrn=2972855}}</ref> Almost two years later a paper appeared that challenges earlier papers, especially Wachter / Mittelstadt / Floridi.<ref>{{Cite journal|last1=Selbst|first1=Andrew D |last2=Powles|first2=Julia |date=2017-01-11|title=Meaningful information and the right to explanation|journal=International Data Privacy Law|volume=7|issue=4 |pages=233–242|doi=10.1093/idpl/ipx022 |doi-access=free}}</ref> On both sides of the Atlantic, there has been recent activity pertaining to this ongoing debate. Early in 2016 experts on artificial intelligence and UK government officials met during a number of meetings,<ref>{{cite web | first1= Matt | last1= Hancock | title= Artificial intelligence: opportunities and implications for the future of decision making |url= https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/566075/gs-16-19-artificial-intelligence-ai-report.pdf | date=2015 | publisher= [UK] Government Office for Science}}</ref> and developed a Data Science Ethical Framework.<ref>{{cite web | first1=Matt | last1=Hancock | title= Data Science Ethical Framework |url= https://www.gov.uk/government/publications/data-science-ethical-framework |date=May 19, 2016 | publisher= Cabinet Office, Government Digital Service}}</ref> On November 7, 2016 an event was held in Brussels, organized by MEP Marietje Schaake in the European Parliament and described by danah Boyd.<ref>{{cite web | first1=danah | last1= Boyd | title= Transparency ≠ Accountability: Remarks prepared for a public roundtable on algorithmic accountability and transparency in the digital economy | url=http://points.datasociety.net/transparency-accountability-3c04e4804504 | date=November 7, 2016 | publisher=datasociety.net}}</ref> Only eleven days later at New York University there was a conference on "Fairness, Accountability, and Transparency in Machine Learning " where Principles for Accountable Algorithms and a Social Impact Statement for Algorithms were articulated and placed online for discussion.<ref>{{cite web |title=Principles for Accountable Algorithms and a Social Impact Statement for Algorithms |url=http://www.fatml.org/resources/principles-for-accountable-algorithms |date=November 18, 2016 | publisher=NYU}}</ref> By mid-December the IEEE came out with a document whose editing was backed up by public comments that were invited by March 2017 on "Ethically Aligned Design".<ref>{{cite web |title= Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems |url=http://standards.ieee.org/news/2016/ethically_aligned_design.html |archive-url=https://web.archive.org/web/20161217025544/http://standards.ieee.org/news/2016/ethically_aligned_design.html |url-status=dead |archive-date=December 17, 2016 |date=December 13, 2016 |publisher=IEEE}}</ref> Later in 2017 data portability was analysed by professors of data protection as a central innovation of the new GDPR.<ref>{{Cite journal| first1=Paul | last1= De Hert | first2=Vagelis | last2 =Papakonstantinou| first3= Gianclaudio| last3= Malgieri| first4=Laurent | last4 =Beslay| first5= Ignacio| last5= Sanchez | title=The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Open Access funded by Joint Research Centre | journal=Computer Law & Security Review | volume= 34 | issue= 2 | page= 193 | date= 20 November 2017 | doi= 10.1016/j.clsr.2017.10.003 | doi-access= free }}</ref> ==See also== * [https://gdprhub.eu/index.php?title=Article_20_GDPR External wiki] GDPR Hub maintained by Max Schrems et al. * [[Data Transfer Project]] * [[Ethics of artificial intelligence]] * [[General Data Protection Regulation]] ==Notes== {{notelist}} ==References== {{Reflist}} [[Category:Digital rights]] [[Category:Interoperability]] 63au15daela8txh1vclabf04wbb300y