Beyond Netflix And Chill: Gaining Control Of Our Digital Lives Via Data Portability

(Mis)Uses of Technology

from the control-through-portability dept

Sometimes, the best ideas for blog topics (or anything, really), come over a good meal with an amiable companion, and a few glasses of wine. As one does after a few glasses, my husband and I randomly ended up on the topic of data privacy — specifically, an aspect of data privacy and rights that are frequently overlooked: data portability. 

It all started with a rant.

My husband was relaying how our Netflix account had been suspended after I canceled the credit card it was funded by, and neither of us remembered to add a new card. He received a warning email, but hadn’t gotten around to correcting it — after all, it’s summer and a time to enjoy the long days — not binge-watch content. Then he got another email, informing him that if we didn’t pay up soon, our account data would be deleted in ten months. 

That led to the following discussion: 

Husband: I mean, ten months isn’t very long. What If I fell into a coma tomorrow and then woke up 11 months later? No more Netflix! No more recommendations.

Me: You could always download your data, of course.

Husband: But can I upload it back to Netflix? Or do I start from scratch?

At the time, I didn’t know, but it turns out that you can migrate or transfer your watch history, likes, etc. to a  new account, likely a result of the company’s crackdown on sharing account information.

A Glaring Port(ability) Hole

Of course, the question of how we meaningfully reconstitute our digital lives is broader than Netflix recommendations. And while the “What happens if I fall into a coma/get trapped on an island/lose access for months” question is probably a bit far-fetched for most, it does raise a related (and more likely) question: how do we control and curate our digital identities online?   

The law has contemplated this, at least in theory. For example, the EU General Data Protection Regulation (GDPR) and Digital Markets Act (DSA) both enshrine the concepts of ‘data portability’ and ‘interoperability’. These rights give people in the EU the ability to move or port their data from one service to another. The GDPR’s reading applies a bit more broadly than the DMA (which is restricted to large, market-dominating tech companies, so-called  ‘gatekeepers’), but the emphasis of both is to give individuals the power to move their identities and information freely between services without having to start over again. 

Under Article 20 of the GDPR, the concept of data portability is pretty simple: 

a) if your data lives on a computer or in a database somewhere; and

b) you provided the data directly (or through some automated means) to a controller (which can be an individual, company, or organization) who is doing stuff with (aka, ‘processing’) your data; and

c) the controller who’s doing stuff with your data is relying on your consent, or has a  contract with you; then

you should be able to get your data back out again and move it to somewhere else (like a competing service). 

Oh, and the output needs to be in a “structured, commonly used and machine-readable format,” which is law-speak for it should be easy to import to a database somewhere. Interoperability under the DMA is similar-ish, but is more focused on making it easy to say, send a chat message or image using Signal to a friend who uses WhatsApp, or to migrate your friends and chats across those services. 

Clearly, the drafters of the GDPR and DMA contemplated moving data between systems and services, but they overlooked another valuable opportunity: using data portability rights to migrate or curate data within systems. 

On Castaways, Comas, and Curation

It would be nice to know that if I disappeared off the internet, got trapped on a desert island, or fell into a coma for a few years, that I could still recreate the digital life I had before. It would certainly be better from a privacy, security & compliance perspective to build in functionality that would allow me to easily re-import saved data, versus the default – losing it all after some fixed point in time, or storing everything forever. It’s certainly technically possible to build in importability – Netflix does it, and both Apple and Google do this easily enough every time we migrate phones or laptops. 

But data portability can also be an important tool for curating our lives online. Few of us are static creatures. What we like and dislike may change over time. Just like hairstyles, careers, relationship statuses, and flirtations with fringe political movements, our personalities online change as we grow older, experience more of life, and evolve as people. Some of us go further, and even change our names, sexual orientations or genders. It makes a great deal of sense then to give people a mechanism to easily and selectively delete or modify records and account details that they feel no longer reflect who they are as people. The power to directly control our digital stories and lives online means that social media and publishing sites won’t continue to deadname people. It means that we can keep our online identities, favorite email addresses and social media profiles, without necessarily keeping every single awkward, painful, or regrettable memory exposed in a database somewhere. It means adults who made questionable life choices online as teenagers don’t need to live that down decades later. 

Now, some of you might be thinking, “Uh, Carey, can’t you already do this via other data subject rights (like rectification/correction and deletion)?” And the answer is, of course you can. But rectification and deletion rights usually require the requester to first file an access request (to discover what information the controller has), or to already know what information they want to correct or delete ahead of time. I can’t remember what I ate for breakfast this morning. I certainly can’t remember enough details to inform Google about what restaurants I favorited in 2015 that I no longer care about, embarrassing tweets I posted on the Hellsite that I’d prefer to delete in batch, or that one time I ordered a sex toy on Amazon in 2005 (theoretically).  

Deletion and rectification are also heavily time-consuming, cross-organizational, manual affairs, usually done by the controllers directly. When we make a data subject request, we’re taking it on faith that the companies doing stuff with our data will actually and correctly do what we ask them to. Judging by the sheer number of fines, reprimands, and enforcement actions levied against those who don’t by various regulatory authorities, that faith and trust might be a bit misplaced. 

Moving Towards Trust and Meaningful Control 

Data curation-through-portability also means that the companies and organizations who benefit from our data will have accurate, meaningful, quality information about us. If I can tell Google that I really love cats, data protection, beer, and coffee, and have zero interest in that one ‘Love Island’ link I clicked on 3 years ago while drunk, it’s better for everyone. It means that Google only blasts ads and content that I find relevant and more likely to click on. It means they gain insights about me as an evolving person that they can use that I don’t feel bad about them knowing because I’ve decided what they have a right to know. Or, as the Article 29 Working Party stated in 2017, “data portability [] represents an opportunity to ‘re-balance’ the relationship between data subjects and data controllers.” 

Building data curation features into data portability/interoperability obligations also means that we as individuals move away from the binary position of either resigning ourselves to the fact that privacy is dead, or being hypervigilant and having no digital life whatsoever. With a ‘curation right’ incorporated into data portability, we might instead get to engage in conversations about trust, mutually-beneficial insights, & the value of selective and easily revocable sharing. 

I honestly think that most companies would prefer to have accurate, relevant, and timely data about us, not everything about us. Based on my experiences as a data protection officer and consultant, I discovered after engaging with engineers, lawyers, and product teams that the problem usually isn’t one of greed – it’s one of fractal complexity. That is, it’s simply too difficult, time-consuming, costly, and error-prone to build systems and processes that sift out meaningful, relevant, useful insights about us while also purging the noise, so most companies default to keeping it all. As humans, we are pretty garbage at intuiting value from abstract data-at-scale, and loss-aversion is a thing. By comparison, storage is cheap, and it’s still probably less costly to hoard compared to accidentally deleting something of value.   

The data-curation-through-portability approach also meaningfully gives control of data to individuals in a way that the traditional data ownership or self-sovereign identity models usually don’t. For those not familiar, models presume that we should be able to monetize our personal data, by selectively selling access to companies willing to pay us for the privilege. The favored approach is for users to create an identity or identities, store those identities with one or multiple trusted third parties (or on the blockchain), and then consent to specific uses. So, instead of having a Facebook or Google profile, you’d have an identity managed and verified by someone else, that you effectively lease to Google or Facebook. You’d control at any given time what details you share, and have the ability to revoke those details at any time.  

The problem with most data ownership models I’ve seen in practice is that they’re either highly theoretical, or don’t scale. Data ownership is difficult to execute and most of us can’t be bothered to put in the work for what at best would be a few cents here and there. 

In short, data portability and interoperability shouldn’t only be about sharing between platforms — it can also be a powerful tool for individuals to take meaningful control over their data, build trust with the platforms we use daily, and to move away from an all-or-nothing approach to data. To make this real, we’ll need collaboration, legislative and cultural shifts, and probably new discussions about privacy and intellectual property. We’ll also need a lot of technologists in the loop – something that regulators and legislators often miss when drafting new laws and guidance. That last bit is important: None of this will work if we don’t talk to the implementers and folks who understand how these complex systems work.  

A version of this article first appeared in July on my Substack. 

Carey Lening is a writer and consultant based in Ireland. Follow her on Bluesky or Mastodon.

Filed Under: control, data, data portability, gdpr, interoperability, user control