What are consumers intuitively expecting compliance with this law to look like?<p>Data from one service may be in an entirely different schema than the service you want to import it too - let alone format. Service A may summarize your data and throw away the granular stuff, but service B runs on the granular data.<p>Are consumers going to implement ETL pipelines to achieve portability? Are they expecting to hook up streaming mechanisms for enormous swathes of data?<p>Just as an example, if I wanted to get a list of every song I liked on Spotify and import it into Apple Music, how would that even work? The songId of Spotify is undoubtedly different than the one Apple uses. Are Apple and Spotify supposed to agree on a common file format?<p>I agree with the intent of the law but I'm not surprised most services do not offer an automated way to take out data. It's a rare case, often a heavy workload, and there's really no way to guarantee the data you receive is actually portable.
I'll re-phrase. Imagine I'm a startup. If government force me to to delete some data, it makes my life easier, no data - no privacy issues. if someone tells me , I want to port my data to competitor, because my UI better then theirs, but they still prefer competitor, why should I care about this requests, why should i spent a single second of my engineers time to implement that?
Absolutely! I remember asking to export my data from one of the services and the support pretty much ignored me (they replied in general but “forgot” to mention anything related to that question).
There are still some issues with it (incomplete data, manually triggered data exports), but it's a notable improvement nonetheless.<p>It's particularly valuable when it lets you export instant messaging conversations and shared photo albums. It means that companies cannot hold your data hostage to keep you on their platform.<p>I use GDPR exports for a personal data thing I'm building [0][1]. It simply wouldn't work without GDPR, because public APIs are increasingly rare. Most of your personal data is locked and GDPR data exports are usually the only way to access it on your own terms.<p>[0] Intro: <a href="https://nicolasbouliane.com/projects/timeline" rel="nofollow">https://nicolasbouliane.com/projects/timeline</a><p>[1] Code: <a href="https://github.com/nicbou/timeline" rel="nofollow">https://github.com/nicbou/timeline</a>
it took me fighting 6 months with viacom support to get my song plays for last.fm . spotify improved from 2 weeks to 2 days but its still ridiculous to call something true data portability that is not automatic and not instant. a lot of companies tried giving me semi obfuscated pdfs or html without classes or classes that were random strings, we need to improve the law to enforce instant availability and an industry standard format like json or xml. also this needs to be completely automatable without having to do it myself.
For what it's worth Facebook and Instagram (also owned by FB, but is fairly separate product-wise) have pretty good export tools. You make a request in the web UI and a short time later, can download a zip with a bunch of JSON files. I was pleasantly surprised by how much they included.
Co-author here of the research. The most simple and effective and rapid solution would be to impose API neutrality.
As explained in the report, it would just obliges API providers to give back the same API access to users than they give to their partners.
For instance, why I get less data from Facebook if I ask my personal data, than if I create an app and ask maximum app permission (all OAuth scopes)?
API neutrality already works. For instance, Open banking in UK and PSD2 in Europe apply API neutrality. Any 3rd party can access to a bank API if they are granted by the user to do so.
After 2 years, for instance, up to 20% of the UK online banking population beneficiated from it as "Banking data Portability via APIS" . 20% is huge.
If FAMGAs and all other big companies data was accessible via "neutral APIs" to users, data portability would be "a thing"<p>Also, the fact that you don't know what to do with you data dump in JSON is a blocker. With APIs, integrations by 3rd parties are simpler and more user oriented.<p>Last point, with API neutrality, no need of maximizing "interoperablity" (even is is always useful and makes things simpler, we have seen that with DataTransferProject it does not work really as companies don't work with the same data model)
Developers will do the matching work between the original app and the destination app, no worries, when incentive is here, middleware glue will come. The problem these days is that the source of data is useless, has no value, so no incentive. You can look at this study with GDPR Facebook data value for developers <a href="https://www.law.nyu.edu/centers/engelberg/pubs/2019-11-06-Data-Portability-And-Platform-Competition" rel="nofollow">https://www.law.nyu.edu/centers/engelberg/pubs/2019-11-06-Da...</a>
The main question is : Why a Facebook GDPR Data dump/takeout has no value for developers where Facebook API has value for millions of applications developers and businesses?
With API neutrality it will have maximum value for users (as it has already value for partners) and minimizing fatigue to implement portability (an API is lot more developer friendly than a JSON dump that you receive in 30 days via email and that the user need to upload somewhere)
The best use of GDPR for data portability that I’ve ever seen was right here on HN: <a href="https://news.ycombinator.com/item?id=24764371" rel="nofollow">https://news.ycombinator.com/item?id=24764371</a><p>Long story short, Confiks takes Spotify to task for removing the API that SongKick used to retrieve playlist data; a short time and several factual emails later they restore API access.
ZKP all the way <a href="https://www.aepd.es/en/prensa-y-comunicacion/blog/encryption-privacy-iv-zero-knowledge-proofs" rel="nofollow">https://www.aepd.es/en/prensa-y-comunicacion/blog/encryption...</a>
Exporting your personal data is only half of the story. Importing is the other half.<p>Suppose I exported all of my posts, photos, contacts, and a bunch of metadata from social network A. Perhaps I could view the contacts in Excel and browse the photos in my favorite gallery app. But unless I can upload it all to social network B and continue as if I've been using B all along, the data is not really "portable". It's just a backup, a frozen snapshot that can't be unpacked anywhere else.<p>I'm not even sure if it makes any sense to import one's Twitter feed into Instagram or one's Facebook profile into Reddit. Edit: I'm not saying this is because of anti-competitive behavior on anyone's part. The services simply are so drastically different.
Not sure it got forgotten, I think members of <a href="https://datatransferproject.dev/" rel="nofollow">https://datatransferproject.dev/</a> didn't start actively moving until GDPR came into effect, and it seems they are doing _something_, although still it's very basic.
Forgotten? It's a basic GDPR article (article 20) that every somewhat serious EU company know.<p>Link bait by a company making their profit of GDPR confusion.
Overall, I think GDPR is a positive force that protects consumers. It does have one major downside though, and that's that it treats entities of all sizes in the same way.<p>Placing the same regulatory burdens on start-ups as on big tech is a drag on innovation, and it's frustrating that there is no minimal cap on users before GDPR comes into effect, given how the EU has constant exception for artisanal food and goods manufacturers.<p>Lawyers and third parties want to get a piece of the pie, so they'll present themselves as indispensable. It's almost as if this is the EU version of TurboTax.
The problem is that the what actually has to be made portable is not well defined in GDPR. It basically says that it means any data by which the user can be identified by. When I requested a data export from some companies their legal team argued, that they cannot send me my projects in a structured format nor they won't allow import of project files from another service, because this is not a personal data (or rather not a PII).
So this is actually another area where GDPR is all bark but no bite.
I could only request my personal data, that is my name, address, email and IP addresses...
Though an important part of privacy, I think this data portability is really useless, for both consumers and businesses.<p>1. There is no format defined in which the data must be given<p>2. There is no feasible way of defining such format anyway<p>3. Thanks to 1 and 2, there is no feasible way of importing this data into another service.<p>AFAIK, a consumer has the right of requesting the export in any chosen format, but it says nowhere in the GDPR that the data controller must supply this for free [0]. As a business you are allowed to charge a fee to cover the cost of exporting the data, as long as this fee is considered 'reasonable'.<p>[0] Note: IANAL, a befriended paralegal told me this.