The CMA and the ICO are working on a joint statement about data sharing, which we expect to refer extensively to the concept of data portability. This blog poses three important questions that CODE members need the statement to answer.
UK digital regulators’ collaboration is world-leading
As more economic activity continues to shift online, the regulatory regimes that were introduced for a bricks and mortar economy increasingly find themselves overlapping with those designed for the digital world. This means that businesses are regularly finding themselves simultaneously captured by multiple rulebooks governing the same practices, many of which are motivated by very different public policy objectives. This can create confusion for businesses over how to conduct themselves without getting into trouble.
In 2020, in an effort to counter the growing risk of confusion or conflict, several of the UK’s regulators formalised their collaborative efforts under the banner of the Digital Regulation Cooperation Forum (DRCF).
The DRCF - which brings together the Competition and Markets Authority (CMA), the Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and Ofcom - was a global first, and a similar model has since been introduced in Australia, the Netherlands, Ireland and Canada.
One of the earliest outputs under the banner of the DRCF was the CMA and ICO’s joint statement in 2021, which set out their shared views on the relationship between competition and data protection in the digital economy. As well as clarifying some important points of existing law, the statement also set the foundation for the two regulators’ work together on Google’s Privacy Sandbox.
The DRCF announced in its workplan for this year that the two regulators will produce an update to that 2021 statement, which will set out their “joint approach to issues such as data access; data sharing and interoperability; and user choice and control.” This is something that we have been actively calling for, and we expect it will have a similar impact in terms of legal clarity and providing a launchpad for joint intervention.
Zero conflict from data portability
The updated statement will be a unique opportunity to draw attention to a policy area where competition and data protection are in perfect alignment. In contrast to some other areas of overlap where tensions have to be carefully navigated, the concepts of data portability and consented data sharing are a chance for a full blown CMA-ICO love-in.
Data portability has in recent years most commonly been discussed as a pro-competition intervention in digital markets. But in fact it is actually already explicitly a right given to everyone in the UK (and the EU) within Article 20 of the GDPR. While the CMA will view increased data portability as a desirable outcome, the ICO is already on the hook for enforcing its availability.
Within the statement, the ICO will rightly be keen to highlight caution about the need for informed and actively given consent, not nudging people to overshare, being transparent about how data is used, and allowing consent to be easily withdrawn. But these are all things that are entirely consistent with competition working well. The CMA will wholeheartedly agree.
Questions to be answered by the joint statement
In practice, particularly in the digital world, legal standards and regulatory requirements are often overseen and enforced by large online platforms. This self-appointed quasi-regulatory responsibility leads to disputes between those platforms and the many smaller companies that depend on them to reach their customers.
Based on the ongoing challenges faced by several CODE members, we are seeking clarity from the CMA and ICO on the following three questions:
What legal responsibilities do large data controllers have over their users’ personal data in the context of data portability?
In what circumstances is a data portability request ‘technically feasible’?
In the absence of a dedicated data portability tool provided by the data controller, does the law support businesses and data subjects finding alternative solutions?
What legal responsibilities do large data controllers have over their users’ personal data in the context of data portability?
Even in rare circumstances where data controllers do, at least in principle, support some form of consented data sharing, there are often a number of other practical barriers that restrict users’ choices.
The most common way for large data controllers to do this is through the rules that they impose to control which third party developers can gain access to their tools, such as an API. By their nature, these rules are applied in advance of a user actually attempting to transfer their data to a third party, so user choices (and competition) are pre-emptively distorted and restricted without their knowledge.
These access rules typically go way beyond enforcing the law, for example by preventing data being used for purposes that are entirely legal, regardless of a user’s wishes. For example, in relation to several existing APIs that support consented data transfers, Google’s User Data Policy rules out a wide range of onward uses of data without any reference to user choice (see Figure 1 below). These practices should obviously be banned if they are carried out covertly, or disclosed only in the fine print of a privacy policy - of course, this would be illegal after all. But if an individual wishes to trade their data with an advertising platform, or use it to support a credit application, then they should be free to do so, shouldn’t they?
Figure 1: Extract from Google’s API Services User Data Policy
There are an increasing number of innovative new services (including some CODE members) making use of alternative data sources to help people get credit that would otherwise struggle through traditional routes, such as the under and unbanked, or workers in the gig economy. Google's policy (which applies to several APIs) explicitly bans such progressive business models, punishing those users that could benefit from them.
Similarly, Google’s policy for its Gmail APIs set out a finite prescribed list of use cases that can be supported by access to users’ Gmail data (see Figure 2 below). While this may be well-intentioned, it is explicitly restricting the bounds of competition and innovation, and limiting the potential application of individuals’ data portability rights.
Figure 2: Extract from Google’s Workspace API user data and developer policy
In the interests of balance, let’s be clear that this isn’t just an issue for the very largest tech firms. Yahoo equally seems to believe that it can tie up our economy in red tape by dictating what its users can and cannot do with their own data once they move a copy of it to another service. Yahoo users are even banned from onward sharing of their own data for consumer research!
Figure 3: Extract from Yahoo’s policy for accessing restricted scopes
These policies appear to stretch far beyond the legal rights or responsibilities of these companies, while lacking the necessary nuance required for fast-moving digital markets. They have the result of restricting users’ ability to exercise their data portability rights, and they restrict their users’ options over what they can do with their personal data going forwards. We view this as contrary to Article 20 of the GDPR, while also explicitly restricting competition, innovation, and consumer choice in the process.
In each case, the policies would require only a small addition to make them fit for purpose. Following lists of restrictions towards legal activities, each policy ought to include the following essential exception: "Except in circumstances where the developer can demonstrate it has informed consent of the user to do so."
We request that the joint statement provides some clarity on the following points:
The full range of legal responsibilities placed on data controllers (from competition and data protection law) in the context of data portability, including in relation to pre-screening of potential destinations based on their ultimate use of the data.
The extent to which large data controllers are within their rights (from competition and data protection law perspective) to restrict users’ choices as to where they may transfer their personal data to.
The extent to which large data controllers are within their rights (both from a competition and data protection law perspective) to dictate how their users’ data may be used or processed once a copy of it has been transferred to a third party of their users’ choosing.
The legality of individuals (and organisations acting with valid consent on an individual’s behalf) commercialising their own personal data, whether that is within the advertising sector, for market or consumer research, or for any other legal activity.
In what circumstances is a data portability request ‘technically feasible’?
The most common reason given for rejecting a data portability request is that it is not ‘technically feasible’, which is a loophole offered up by the text of the GDPR. If interpreted too widely, this wording within Article 20 of the GDPR could be leading to a lack of compliance with data protection law at the same time as harming competition and innovation in the digital economy. It is therefore imperative that we gain an understanding of what these two words actually mean.
At one end of the spectrum, it could be argued that something is not technically feasible only if it is literally impossible, because the technology does not exist to deliver the desired outcome. This is clearly too extreme, and fails to recognise that not all companies have the same resources or technical capabilities at their disposal.
At the other end of the spectrum, it could be argued that something is not technically feasible because the relevant machine is currently turned off, or simply because the company has chosen not to hire someone to operate it. This is actually much closer to how data controllers apply the term. Invariably, the requested data transfer is not considered ‘technically feasible’ because the company has chosen not to develop a suitable mechanism to enable it. The technology is widely available and simple to deliver for a company with moderate technical capabilities and capacity. So it may arguably be true that, at the time of the request, the company does not have a dedicated tool to enable it, but it seems a bit of a stretch to suggest that the barrier is a technical one.
We believe that the technical feasibility defence is being grossly overused, and we therefore seek clarity from the CMA and ICO over how responsible data controllers should interpret this terminology. In addition to some guidance on interpretation, it would be helpful to set out some illustrative examples within the statement whereby the CMA and the ICO agree that technical feasibility would or would not be a reasonable excuse.
For example, we ask for a shared view of the regulators on each of the following scenarios:
A user requests to have a copy of their data transferred to a third party by email.
A user requests to have a copy of their data saved in a cloud storage bucket provided by them or the intended data recipient.
A user requests to have a copy of their data transferred to a third party via an API supplied by the intended data recipient.
A user requests to transfer a copy of their data to a third party via an existing API maintained by the data controller available in the UK, but it was originally developed by the data controller for a different purpose.
A user requests to transfer a copy of their data to a third party via an existing API maintained by the data controller in a different country or region, but that it has chosen not to make available in the UK.
A user requests to transfer a copy of their data to a third party and the data controller does not have a data transfer facility, but it has the in-house technical capability to build such technology.
Setting out the regulators’ shared view on how to interpret this terminology in the real world would finally allow Article 20 to have the effect that was originally intended. This will simultaneously drive up compliance with existing data protection law, empower consumers to take back control of their data, and add value to the UK economy through increased competition and disruptive innovation. This additional clarity will also save businesses time and money engaging in disputes with one another about where to draw the arbitrary line.
In the absence of a dedicated data portability tool provided by the data controller, does the law support businesses and data subjects finding alternative solutions?
While waiting for purpose-built solutions such as data transfer APIs to be delivered, businesses have been forced to seek out innovative solutions and workarounds to facilitate the data transfers expected by their users.
For example, some have sought to conduct subject access requests on behalf of their users, some have utilised APIs that were built for other purposes, while others have gained access to user data with consent by gaining access credentials from the user.
Data controllers seek to shut down these alternative methods on the basis of apparent privacy concerns, breaking of company policies, or breaches of contractual terms. But they do not seem to recognise they are forcing companies and their users to take these sub-optimal routes, as their legal rights to data portability are being denied. We would therefore welcome some clarity on the CMA and ICO’s shared view on the following topics, in the context of valid and informed consent:
Can such ‘workaround’ methods be considered as a legitimate attempt by individuals to exercise their data portability rights?
Can third parties execute subject access requests on behalf of a data subject, and if so, how should they demonstrate an authority to do so to the data controller?
Can third parties legitimately gain consented access to user data through the deliberate sharing of login credentials?
Joint action is necessary
The joint statement in 2021 concluded with a summary of the ways in which the two regulators were working together on some of the issues identified.
It demonstrated that the statement was not all talk, and that the regulators were putting their words into action. This included the parallel announcement to launch, and work together on, enforcement action relating to Google’s Privacy Sandbox.
We would expect the updated statement to conclude with something similar this time around, possibly including an update regarding continued collaboration on Google's approach to third-party cookies on Chrome. Also, through our parallel complaints to each regulator regarding Amazon, Apple, LinkedIn and TikTok, we have served up the perfect opportunity for the next collaboration, this time with the ICO taking the lead.
The perfect conclusion to the updated joint statement would be confirmation of action taken or underway to compel the four gatekeepers to make their existing data portability tools available to their UK users.
Comments