The past year saw a major milestone for Indian data protection legislation with the enactment of the Digital Personal Data Protection Act (the DPDP Act), the first data protection law in India. The first draft of the Act, which broadly follows the EU General Data Protection Regulation (GDPR) principles, was published in 2018 and was subject to multiple revisions in the subsequent years. One critique of the final version of the DPDP Act is the exclusion of the Right to Data Portability (RtDP) compared to previous versions. This blog briefly analyses the elements of data portability, reviews the relevant provisions under the DPDP Act, and argues for eventual inclusion of the RtDP in the Indian data protection regime.

The concept of (the Right to) Data Portability

Consider an individual who had used a social media platform A for the past five years, creating a rich online profile through numerous uploads of personal data. If that person decides to transition to platform B, they should be able to effortlessly transfer their profile data from platform A to platform B as part of the RtDP.

Data portability ensures a user’s control over their digital data. The fundamental concept behind the RtDP entails enabling users to seamlessly transfer their personal data and other content between online platforms without encountering impediments.

Proper implementation of the RtDP can lead to more effective user control over the transfer of personal data. Among other benefits, data portability can help to enable reuse of data and facilitate a better understanding of data flows for a common user. The EU GDPR was the first regulatory mechanism to adopt a personal data portability right and it has inspired policymakers in other jurisdictions, including Brazil, the US and India.

Absence of the RtDP from the Indian law and the significance of (portable) data

The 2019 version of the DPDP Act provided for the RtDP with three exceptions: a) compliance of law; b) information which could reveal a trade secret of a platform; and c) information which is not technically feasible to be extracted. However, the final version sought to do away with the RtDP altogether.

The reason behind removing the RtDP from subsequent versions of India’s data protection legislation remains up in the air. Lacking any explanation from the Indian Government, certain features of the RtDP might have contributed to its exclusion from the legislation. For example, easy portability can pose a risk to data security. A single identity fraud could potentially lead to a large-scale breach of personal data across multiple platforms, since a hacker will be able to port false identity across multiple platforms. Data portability also becomes difficult in cases where a single piece of information, such as a photograph, relates to multiple users who differ on how it should be transferred between various platforms.

It should be noted that the DPDP Act does maintain a limited form of data portability through the concept of consent managers, acting as a go-between for users and platforms. These managers – registered with the Data Protection Board – will serve as contact points for users to give, manage, review, and withdraw consent. The term ‘interoperable platform’ which has been included in the definition of consent managers, signals that what the legislature had in mind for consent managers is to facilitate some sort of data portability.

Even though there is still much uncertainty about the new system’s operationalisation, its scope and the managers’ liability, the new concept does have an interesting potential to gradually shift towards facilitating smoother data transfer of personal data to better manage user consent.

Why the right to data portability should remain part of the Indian data protection Act

Despite emerging criticism of the RtDP’s effectiveness, mainly drawing on the past EU GDPR experience, its benefits are two-fold as the right remains an enabler for both the platforms as well as the users. First and foremost, the RtDP facilitates control of the user over their personal data. Interoperability further accords the right to replicate data on various platforms, allowing the users and the platforms to reuse the same data in multiple ways. For instance, a user having their credentials on one platform can have them reflected on another platform without any hassle. Along with exercising the right to transfer or reuse the data, users can concomitantly exercise the right to erasure of their personal data, obliging the platforms to remove it. By incentivising interoperability between platforms, the RtDP reduces the risks of lock-in effects and heightened switching costs, thereby increasing market competition (including competitiveness of smaller data holders), and affording users the freedom to join their preferred platforms.

Conclusion

The debate surrounding the RtDP is complex, involving competition, consumer rights and the rights of online platforms. Correctly implementing the RtDP could uphold the rights and interests of all stakeholders involved and promote consumer welfare in the digital market. For the RtDP to work well, it is crucial that all online platforms use the same formats. Achieving this standardisation, however, has proven to be difficult. Even in 2020, the European Commission acknowledged that the full potential of the RtDP under the EU GDPR has not been realised. Although the inclusion of consent managers in the DPDP Act in India does suggest some user portability rights, the effects of this remain to be seen.