Data Portability between Online Services: An Empirical Analysis on the Effectiveness of GDPR Art. 20

Emmanuel Syrmoudis; Stefan Mager; Sophie Kuebler-Wachendorff; Paul Pizzinini; Jens Grossklags; Johann Kranz

Data Portability between Online Services: An Empirical Analysis on the Effectiveness of GDPR Art. 20

Authors: Emmanuel Syrmoudis (Technical University of Munich), Stefan Mager (Ludwig-Maximilians-University of Munich), Sophie Kuebler-Wachendorff (Ludwig-MaximiliansUniversity of Munich), Paul Pizzinini (Ludwig-Maximilians-University of Munich), Jens Grossklags (Technical University of Munich), Johann Kranz (Ludwig-Maximilians-University of Munich)

Volume: 2021
Issue: 3
Pages: 351–372
DOI: https://doi.org/10.2478/popets-2021-0051

Download PDF

Abstract: Data portability regulation has promised that individuals will be easily able to transfer their personal data between online service providers. Yet, after more than two years of an active privacy regulation regime in the European Union, this promise is far from being fulfilled. Given the lack of a functioning infrastructure for direct data portability between multiple providers, we investigate in our study how easily an individual could currently make use of an indirect data transfer between providers. We define such porting as a two-step transfer: firstly, requesting a data export from one provider, followed secondly by the import of the obtained data to another provider. To answer this question, we examine the data export practices of 182 online services, including the top one hundred visited websites in Germany according to the Alexa ranking, as well as their data import capabilities. Our main results show that high-ranking services, which primarily represent incumbents of key online markets, provide significantly larger data export scope and increased import possibilities than their lower-ranking competitors. Moreover, they establish more thorough authentication of individuals before export. These first empirical results challenge the theoretical literature on data portability, according to which, it would be expected that incumbents only complied with the minimal possible export scope in order to not lose exclusive consumer data to market competitors free-of-charge. We attribute the practices of incumbents observed in our study to the absence of an infrastructure realizing direct data portability.

Keywords: Data portability, Privacy regulation, Competition between online services, General Data Protection Regulation (GDPR), Data economy, Consumer rights, Switching costs, Data controller

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.