The Portability and Other Required Transfers Impact Assessment (PORT-IA): Assessing Competition, Privacy, Cybersecurity, and Other Considerations
The goal of this article is to provide a framework for assessing issues of data portability and other required transfers of data. Greater portability and other required transfers of data can have pro-competitive effects – if more companies have access to commercially valuable data, then there can be less monopoly power and more innovation. On the other hand, making portability too easy can lead to serious privacy and cybersecurity effects, when the “wrong” people gain access to personal data. There is thus a tension between opening data flows, to promote competition and innovation, provide user control, and for other reasons, and closing data flows, for reasons including protecting privacy and cybersecurity.
Part I explains that “portability” has become a technical legal term for transfers of an individual’s data. “Other Required Transfers” are mandated transfers for two or more people, so “PORT” is the general term for Portability or Other Required Transfers.
Part II examines three major trends causing increased importance for PORTability issues: (1) the individual right to data portability that took effect in the European Union (“EU”) in 2018 and in California in 2020; (2) the current, intense policy debates about whether and how to regulate the largest digital platforms; and (3) beyond digital platforms, important sectors of the economy increasingly have PORTability requirements.
Part III proposes a Portability and Other Required Transfers Impact Assessment (“PORT-IA”). The approach is similar to Privacy or Data Protection Impact Assessments. The PORT-IA sets forth fourteen structured questions (“Structured Questions”) with detailed sub-parts.
Part IV and the appendices present seven case studies: (1) U.S. and EU phone number portability; (2) the new U.S. health care interoperability regulation; (3) EU portability requirements concerning health care data; (4) the EU Payment Services Directives; (5) U.S. financial services requirements under Section 1033 of the Dodd-Frank Act; (6) Open Data requirements for government agencies; and (7) lesser-known recent laws in Arizona and other states mandating portability for the data of automobile dealers.
Each case study maps the mandated data flows: where does the data originate; where does it go; what types of data are covered; and what precisely are the legal requirements. Each case study then examines the benefits of the PORT initiative, the risks and costs of the PORT initiative, and lessons learned.
Part V of the article “shows the work” for developing the Structured Questions for the PORT-IA. The Structured Questions evolved considerably during research on the case studies, and the current version of the Structured Questions has been validated by being tested against case studies across diverse sectors, data types, and geographies.
The intent of the article is to create a coherent intellectual framework for assessing proposed PORTability initiatives. The PORT-IA, with its Structured Questions, can assist policymakers in deciding whether and how to mandate PORTability. The PORT-IA can similarly assist companies in deciding whether and how to implement new PORTability features in their products and services. More broadly, the article shows the importance of multi-disciplinary assessment of proposals for portability and other required transfers.
Elizabeth and Tommy Holder Chair of Law and Ethics, School of Cybersecurity and Privacy and Scheller College of Business at the Georgia Institute of Technology; Senior Counsel, Alston & Bird LLP.