This article is written by Nitya Ranjan of 3rd Semester of BALLB ofSLS, Central University of Kashmir, J&K, an intern under Legal Vidhiya
ABSTRACT
In this article, we are going to talk about “Legal aspects of data portability and interoperability in digital ecosystems”. The focus will be on what data portability and interoperability mean in a world where digital ecosystems and economies abound? Additionally, we will place a specific emphasis on the important legal matters pertaining to data protection, privacy regulations, intellectual property rights, and market competitors’ dominating positions. We’ll also find out who exactly is impacted by these developments. We will also examine the progress made thus far in the growth of data portability and interoperability.
We will also look at the legal concerns that are becoming more and more relevant in our increasingly digitally linked society: data ownership and its control and its use, liability for data breaches, and cross-border data transmission. We will also examine how governments are addressing these issues, such as the introduction of rules like the General Data Protection Regulation (GDPR), which have an influence on data portability and interoperability.
KEYWORDS
Data Portability and Interoperability, Data Protection, Intellectual Rights, Liability, Data Breaches, Data Ownership, GDPR.
INTRODUCTION
Data portability refers to the capacity to transfer data between various applications, programs, computer environments, or hosting providers. Within the context of cloud computing, data portability is a component of cloud mobility, which enables users to move apps and data across or among cloud service providers (CSPs).
The importance of data portability is growing as more businesses store larger amounts of data on cloud servers. The need to transport and transfer data in a portable manner naturally extends beyond cloud computing to include on-premises and other types of information technology (IT).[1]
Data interoperability is crucial in today’s data-driven business environment because it allows disparate information systems to access, share, and use data cooperatively and in a coordinated way both inside and across organisational boundaries. The need for straightforward interactions across these varied data sources and systems has never been more important than it is now, as companies create and gather large volumes of data from multiple sources. Data interoperability allows information to freely move between various platforms and applications, which helps firms foster cooperation and spur innovation[2].
Depending on the authority or community driving them, these Data Spaces may have distinct objectives, designs, economic models, and governance structures. Participants in these Data Spaces must interact with one other and across numerous Data Spaces in an interoperable manner while adhering to common standards and principles to prevent fragmentation and duplication of effort.
Depending on how well the systems and data are integrated and aligned, there are several levels of interoperability that may be reached. The ISO/IEC 19941 standard for cloud computing interoperability and portability and the European Interoperability Framework for public services are two well-known frameworks that provide interoperability levels. Technical (transport & syntactic), semantic, organisational, and legal are the four primary layers of interoperability identified by both frameworks:
The goals, designs, economic models, and governance structures of these Data Spaces may vary depending on the community or authority guiding them. To avoid fragmentation and duplication of effort, participants in these Data Spaces must communicate with one other and with many Data Spaces in an interoperable way while adhering to shared standards and principles.
Several interoperability levels may be attained, depending on how effectively the systems and data are aligned and integrated. Two well-known frameworks that offer interoperability levels are the European Interoperability Framework for public services and the ISO/IEC 19941 standard for cloud computing interoperability and portability. The four main levels of interoperability that both models identify are technical (transport & syntactic), semantic, organisational, and legal.
- The term “technical interoperability” describes the logical and physical interfaces, formats, and protocols that connect systems and data sources. This covers syntactic interoperability, which deals with the syntax and structure of data transmitted, including models, vocabularies, and schemas.
- The meaning and interpretation of the data, including ideas, connections, and ontologies, is referred to as semantic interoperability.
- Organisational interoperability encompasses the procedures, guidelines, and management of data exchange, including roles, duties, and contracts.
- Accepting the legal equivalents of contracts and contractual provisions between various data ecosystems is known as legal interoperability. These ecosystems can differ in several ways, depending on things like national or industry rules or regulations. Even identically worded contractual declarations may be interpreted differently in a different data ecosystem.
BACKGROUND
The ability for consumers of a digital service to transfer their personal data from one platform to another without having to manually enter it again is known as data portability. For instance, customers are entitled to obtain their data “in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance” [3]under the California Consumer Privacy Act (CCPA). Portability is a component of the larger set of consumer privacy rights under the EU’s General Data Protection Regulation (GDPR), which is required to build the trust that will allow the digital economy to grow.
Data portability requirements are frequently defended on the grounds of competition, as a means of promoting new entry and enhancing competition by lowering lock-in and consequently switching costs between digital platforms, even though such provisions are directly intended to affect a putative consumer “right” to control “their” data. “Portability is a key factor for effective competition,” the European Commission declared in its Impact Assessment Report on the then-proposed GDPR.
The Commission goes on: When users choose to switch from a service, they believe does not meet their needs for data protection, the ability to transfer data between service providers could be a factor in this competition and boost competition in some areas, such as social networks. [4]
Data interoperability and data portability are not the same. While interoperability refers to the continuous transfer or alignment of data as it is generated on one service with another, data portability often refers to a one-time transfer—the removal of data from one service and its transfer to another one.
Even though portability, interoperability just refers to allowing users to “port” their data across time without having to switch services. Interoperability is necessary for the most important use of data portability as a remedy for competition—Open Banking in the UK, as will be covered below.
Portability mandates have been proposed for markets where weak competition is thought to allow companies to collect “too much” data from their users, or for markets where customers do not realise the value of their data until they have agreed to a set of terms. These markets are in addition to those where there is perceived to be insufficient levels of customer switching.[5]
DATA PROTECTION AND PRIVACY LAWS
As elaborated in Section III. Privacy & Security, safeguarding data necessitates a comprehensive approach to system design that integrates legal, administrative, and technical measures. ID systems should, first and foremost, be supported by legislative frameworks that protect user rights, privacy, and personal information. Numerous nations have enacted broad privacy and data protection legislation that include not only the ID system but also any other public or private sector activity involving the processing of personal data. Complying with global norms for confidentiality and data security, these legal frameworks often have extensive clauses and guidelines about the gathering, retaining, and application of personal data. These comprise:
- Limitation of purpose: The following reasons should be the only ones for which personal data is collected and used: those specified by law, which the person can thus know (at least in theory) at the time of the data collection; or those for which the person has granted consent.
- Minimisation and proportionality: To prevent needless data gathering and “function creep,” which both pose privacy hazards, the data acquired must be appropriate for the ID system’s intended use. This is sometimes expressed as saying that to accomplish the intended goal, just the “minimum necessary” data—including transaction metadata—should be gathered.
- Legality: Personal data should only be collected and used legally, for example, through permission, contractual requirements, legal duty compliance, safeguarding critical interests, public interest, or legitimate interest.
- impartiality and openness: Fair and open practices should be followed while collecting and using personal data.
- Precision: Personal information must be current and accurate, and errors must be quickly fixed.
- limits on storage: It is not appropriate to retain personal data, including transaction information, for longer than is required for the reasons for which it is gathered and handled. People may be offered a choice about the duration of retention for transaction metadata.
- Liability: A suitable, independent monitoring body as well as the data subjects themselves should keep an eye on how personal data is processed in compliance with the criteria.
DATA SAFETY
Personal data must be handled and stored securely to prevent loss, theft, unauthorized or illegal processing, deletion, or damage. The importance of this concept grows for digital ID systems considering the threat posed by cyberattacks. Typical steps to guarantee data security that the law can require include the following, some of which are covered in greater depth under Section III. Privacy & Security:
- Encrypting personal information
- Anonymization of personal information
- Personal data pseudonymization
- Data and system confidentiality when using or producing personal data
- Data integrity and systems using or producing personal data
A need to notify data subjects of material data breaches impacting their personal information is likewise imposed by several international standards on data controllers. Countries may also have laws that prohibit unauthorised access to, use of, or manipulation of data, as well as regulations aimed at identifying and mitigating cyberthreats (see the section on cybersecurity, below). Finally, legal frameworks should sufficiently penalise data administrators and other parties that gain unauthorised access to, use, or modify personal data. This should include making the following offences illegal:
- improper entry into databases containing personal information, such as identity systems
- misuse of personal data or unapproved use of ID systems or other databases containing personal information
- change of information obtained or kept in databases containing personal data, such as identity systems, without authorisation
DATA SHARING
Legal frameworks can reduce risks by specifying all the reasons government and non-government businesses can exchange personal data in an ID system, as the linking of information across databases exacerbates privacy and data protection problems. Additionally, due to their roles, public bodies could only be able to access certain information (the “need-to-know” concept).
- Sharing information may have the following advantages:
- the government’s and the citizens’ convenience;
- improved delivery of public services by the government;
- when a data subject changes addresses, a smooth service transfer;
- enhanced risk handling
- savings from removing duplication of effort; and
- enhanced productivity via more intelligent data utilisation
DOMINANCE IN DATA PORTABILITY AND INTEROPERABILITY
Dominance in data portability and interoperability indicates that a competitor in the market has considerable control over the ease with which users can transfer their data to other platforms. This could potentially create a barrier to entry for new competitors and impede consumer choice by essentially “locking in” users to their service because it is difficult for them to switch to another provider; as a result, there may be less competition within the market. [6]
Important details on this matter:
- Decreased Switching Costs: Data portability makes it simple for users to move their data between platforms, which can reduce switching costs and boost competition by enabling customers to quickly switch to a new supplier if they’re not happy.
- Network Effects: Users are reluctant to leave their current network to join a new platform with fewer connections, hence in marketplaces where there are large network effects (such as social media), a dominant company with poor data portability can provide a serious obstacle to new entrants.
Data Lock-in: When an organisation forbids users from moving their data to another location, it can lead to a situation known as “data lock-in,” in which people feel stuck in their ecosystem and unable to leave. - Innovation Disincentive: Because they are under less pressure from possible new competitors, a dominant firm with data control may be less motivated to innovate.
Various strategies that a business might employ to be at the forefront of data portability and interoperability include:
- proprietary data formats: Employing distinct data formats that are difficult for consumers to transfer to other systems.
- Restricted Application Programming Interface (API) Access: Limiting the use of APIs, which are required for other platforms to easily connect and share data.
- Creating intricate export processes that demand customers to go through several steps to access their data is known as a complex data transfer process.
REGULATORY TAKEN BY GOVERNMENT
If government entities share information without proper regulation, this might become a “back door” that permits protections for personal privacy and data security to be violated. Law enforcement agencies find extensive population databases, such as those created as part of ID systems, to be an alluring resource, especially if they include biometrics. There are special issues with DNA data gathering as, like other biometric data, it can be used to identify a person and serve as evidence in a criminal investigation.
This kind of information exchange is possible even in the absence of interoperability in terms of technology. For instance, police might get in touch with ID officials and request that they retrieve a certain person’s record and disclose details like fingerprints, a picture of the face, an address, or the names of family members.
Legislators and judges have had difficulty finding the right balance to help criminal investigations while also preserving registrants’ privacy. Applying the same laws that govern other types of searches and seizures in the relevant nation, such as the necessity of obtaining a warrant, might be one strategy for handling such cases. When a compromise has already been reached in this area between individual private rights and the public interest, this might be advantageous.
The EU 2016 Police and Criminal Justice Data Protection Directive 2016/680, Article 4(2), states that personal data collected for other purposes, such as ID systems or civil registration, may only be processed for crime-related purposes by the same controller or by another controller if: (a) there is legal authorisation for this; and (b) such processing is necessary and proportionate to the purpose for which the personal data was collected. (See, for example, The European Council, Data Protection in Law Enforcement.)
The Aadhaar Act [7]of 2016 in India allows information to be disclosed, apart from “core biometric information,” in accordance with a suitable court order. However, this can only happen after the Unique Identification Authority of India (UIDAI) has been given a chance to comment on the disclosure. On the recommendation of government officers above a certain rank, it also permits the disclosure of information, including core biometric data, “in the interest of national security” when approved by a central government order and subject to oversight by a committee made up of the Cabinet Secretary and the Secretaries to the Government in the Department of Legal Affairs and the Department of Electronics and Information Technology.
One of the “Privacy Principles” of Australia’s federal Privacy Act 1988 (as modified) states that personal information about an individual that is gathered for a certain reason may not be used or disclosed for another purpose without the individual’s agreement. A few exceptions exist, though. These include instances in which the use or disclosure is “reasonably necessary” for enforcement-related activities carried out by or on behalf of an enforcement body, such as when police use or disclose information while preventing, detecting, investigating, prosecuting, or punishing criminal offences. To foster accountability, use for actions connected to enforcement must be documented in writing.
Except in some situations, the EU’s GDPR restricts the transfers of personal data outside the European Economic Area. If the European Commission rules in favour of the recipient nation that it “ensures an adequate level of protection,” then such transfers are permitted (Article 45). A thorough evaluation of the nation’s data protection laws, especially those pertaining to personal data protection, oversight, and redress procedures, is necessary before making such a determination. Twelve nations have had adequate conclusions made about them, including the United States (restricted to the Privacy Shield system), Israel, Canada (commercial organisations), and Switzerland.[8]
In July 2018, the European Commission started the official process of issuing an adequacy decision after Japan and the EU agreed to recognise each other’s data protection systems as equal. In a similar vein, the UK is requesting an adequate ruling from the European Commission to implement following its departure from the EU (Brexit). Transfers to non-EU countries are also permitted in other circumstances, such as if the transferor has provided “appropriate safeguards” which may be established through several means including a legally binding agreement between public authorities, certain contractual clauses (e.g. the EU Commission’s Model Clauses) or the existence of an approved and enforceable code of conduct, among others (GDPR Article 46).
CONCLUSION
The legal environment pertaining to interoperability and data portability in digital ecosystems is dynamic and complicated. Legal frameworks are being established to reconcile conflicting interests as data becomes more and more essential to commercial operations and social functions:
- Utility vs. Privacy: Legislation seeks to safeguard people’s privacy while permitting the advantageous use of data for economic development, innovation, and better services.
- Innovation vs. Competition: While data portability is seen to be a strategy to encourage competition and lessen the impacts of lock-in, too restrictive regulations may hinder innovation by established businesses.
- Individual Rights vs. National Security: Governments are struggling with how to protect individual privacy while using data for justifiable reasons like law enforcement.
- Global Data Flows vs. Data Sovereignty: When data travels across national boundaries, countries are putting laws in place to safeguard the personal information of their inhabitants, which occasionally causes obstacles to cross-border data transfers.
- Flexibility vs. Standardisation: While some degree of standardisation is necessary for interoperability, laws also need to be adaptable enough to consider the quick pace of technological advancement.
Globally, there is a trend towards stricter, more comprehensive data privacy legislation that emphasise giving people control over their personal information. But there are a lot of obstacles to overcome before these rules can be put into effect, especially in terms of technological viability, enforcement, and international collaboration.
Legal frameworks will probably need to change on a regular basis as digital ecosystems continue to change. Encouraging innovation and economic growth will be the aim, together with strong individual rights protection and equitable competition in the digital economy. To create complex and practical legal solutions, legislators, engineers, corporations, and civil society will need to work together continuously.
REFERENCES
- www.techtarget.com/searchcloudcomputing/definition/data-portability
- https://www.zendata.dev/post/what-is-data-interoperability-and-why-is-it-important#:~:text=Data%20interoperability%20is%20the%20ability%20of%20different%20systems,decision-making%20and%20drives%20innovation%20in%20products%20and%20services.
- California Consumer Privacy Act of 2018
- https://www.congress.gov/bill/116th-congress/senate-bill/2658/text; S.1951, Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data, available at https://www.congress.gov/bill/116th-congress/senate-bill/1951/text.
- . https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3203289
- The AADHAAR Act, https://doi.org/10.2139/ssrn.3550738
- https://doi.org/10.1007/978-3-540-74409-2_18
[1] Craig S. Mullins, data portability, www.techtarget.comhttps, Feb. 2021, //www.techtarget.com/searchcloudcomputing/definition/data-portability
[2] What Is Data Interoperability and Why Is It Important? Zendata, May 3, 2024, https://www.zendata.dev/post/what-is-data-interoperability-and-why-is-it-important#:~:text=Data%20interoperability%20is%20the%20ability%20of%20different%20systems,decision-making%20and%20drives%20innovation%20in%20products%20and%20services.
[3] California Consumer Privacy Act of 2018, CA Civ. Code §1798.100, et seq. (2018) [hereinafter CCPA] at §1798.100(d).
[4] Id. at 106 (Annex 5).
[5] S.2658, Augmenting Compatibility and Competition by Enabling Service Switching Act of 2019, available at https://www.congress.gov/bill/116th-congress/senate-bill/2658/text; S.1951, Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data, available at https://www.congress.gov/bill/116th-congress/senate-bill/1951/text.
[6] Banda, C. (2018). Enforcing Data Portability in the Context of EU Competition Law and the GDPR. SSRN Electronic Journal. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3203289
[7] The AADHAAR Act: Is It Disturbs the Right to Privacy? A Critical Study. (2020). SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3550738
[8] Quirchmayr, G., & Wills, C. C. (2007). Data Protection and Privacy Laws in the Light of RFID and Emerging Technologies. In Lecture notes in computer science (pp. 155–164). https://doi.org/10.1007/978-3-540-74409-2_18
Disclaimer: The materials provided herein are intended solely for informational purposes. Accessing or using the site or the materials does not establish an attorney-client relationship. The information presented on this site is not to be construed as legal or professional advice, and it should not be relied upon for such purposes or used as a substitute for advice from a licensed attorney in your state. Additionally, the viewpoint presented by the author is personal.
0 Comments