A sweeping new privacy law that goes into effect in the European Union on Friday promises to make life easier for U.S. consumers through a relatively obscure provision that lets them move data—everything from photos to credit information—from one online provider to another.

The law is the General Data Protection Regulation, better known as GDPR, and it covers familiar privacy topics, such as requiring companies to collect less data and to be transparent about how it’s used.

According to consumer advocates, the GDPR rules enabling data portability could be a big deal for internet users—loosening the grip that digital services have on consumer data.

“Data portability is an essential right in the modern age. Giving people the ability to move data between services helps to ensure meaningful competition—otherwise, consumers are stuck with whoever has their data,” says Justin Brookman, director of privacy and technology policy for Consumers Union, the policy and mobilization division of Consumer Reports.

That's why data portability is one of the measures set out in the Digital Standard, an open-source effort launched by Consumer Reports and several partners in 2017 to establish guidelines for privacy and other digital consumer rights.

Technology and legal experts say that consumers could start to see benefits quickly. “It’s going to have a tangible impact every day on you and me,” says Mathew Keshav Lewis, senior vice president and global head of regulatory practice for Axiom, an international law firm that’s helping hundreds of corporate clients prepare for GDPR. (The company is not connected to the data broker Acxiom.)

However, Brookman and others caution that they're still waiting to see how well the new law is implemented and enforced.

Like Porting Your Phone Number

While GDPR is strictly an EU law, privacy experts expect it to affect U.S. consumers because many international companies will find it cheapest and easiest to adopt a single set of global privacy standards.

If you’ve noticed a lot of companies sending you updated privacy policies in the past few weeks, that’s why.

“Most of the large global tech platforms are planning to roll out GDPR solutions for all users around the globe,” says John Verdi, vice president of policy for the Future of Privacy Forum. “They’re not walling off EU persons and giving them a different experience.”

What will the rules around data portability do? As more companies adjust to become compliant, digital services throughout the web will allow you to move your settings and files similar to the way you can switch your phone number from one carrier to another, or swap email accounts. GDPR aims to bring that kind of freedom to all kinds of consumer experiences.

It has already had an effect. Streaming music service Spotify just announced that to comply with GDPR it was creating a tool that lets consumers move their playlists to other services, such as Apple Music. To do that now, you need to download a paid third-party app, and apps like that don't exist for every kind of transaction.

The law doesn't just require companies to give you access to your data; it also says they have to make it easy to use on other platforms. Facebook provides an example. The company has long enabled you to download all your old posts and photos, but until last month it came in the form of a data dump formatted in HTML.

“It was optimized for your personal use,” says Kevin Bankston, director of the Open Technology Institute, a Washington, D.C.-based advocacy group. “It was not optimized to be portable to another service.”

To comply with GDPR, Facebook made it possible to export all your data in JSON, a data format commonly used in web applications. The company did the same thing with Instagram, the photo-sharing service it owns. 

Of course, Facebook doesn’t have any real competitors in the social media space ready to receive all your social media data—at least not yet—but if other services do arise, it should be easier to upload your information. In the near term, the change could make it more convenient to move your photos to other image-hosting companies.

Chris Niggel, director of security and compliance for Okta, a Silicon Valley identity security firm, says exercise enthusiasts could benefit, too. Pre-GDPR, switching from one brand of fitness tracker to another has meant losing years of fitness data. The new rules require device makers to enable consumers to move that data to a new device—or to share it easily with a personal trainer or a doctor. Fitbit, one of the biggest players in the market, confirms that users in the United States will get the same GDPR-mandated data portability as those in the EU.

The new law “opens up flexibility and choice,” Niggel says. “The barrier to exit for consumers is no longer too high.”

Competition and Choice

Experts on GDPR say that data portability could also bring bigger benefits down the road, as companies adapt to the new world of consumer choice.

Right now, the biggest companies retain market share partly by holding their customers’ data hostage, Brookman says. And once that advantage is gone they have a bigger incentive to compete on features, price, and service.

Additionally, start-ups are likely to find innovative ways to use the newly portable data to cater to consumer needs, according to Okta’s Niggel. As an example, a new company might find a way to combine data from your smart thermostat, a solar panel, and your electric utility to help optimize your energy usage. Instead of negotiating murky deals to acquire the data for that business, he says, the entrepreneur could appeal to consumers directly.

“It should unleash a lot of business creativity,” says Lewis, the Axiom senior vice president.

There’s no better example of the power of data portability to promote new consumer services than Facebook. In its infancy, the fledgling social media platform actively encouraged users to find friends by importing their Microsoft Outlook contact lists—and Microsoft made that easy. “That’s why Facebook was able to grow insanely fast between 2010 and 2015,” Bankston says.

The Enforcement Question

Despite their optimism, consumer advocates and business observers say it’s too early to declare GDPR a victory for U.S. consumers.

Since data portability is not required by U.S. law, consumers here will have to wait for decisions by European courts and regulators to play out. And there could be pushback from tech firms. As consumer advocates point out, the most well-established companies with the biggest collections of consumer data have the strongest reasons to thwart data portability.

Finally, CU’s Brookman says, the new law has so many provisions covering how data is collected, stored, and used that interpreting and enforcing it all will be difficult.

“Like many aspects of the GDPR, the legal provisions surrounding data portability are vague,” he says. “So we'll have to see how companies and regulators interpret the law. If the data you get from a company is incomplete or difficult to use, the impact will be limited.”