
I'll re-phrase. Imagine I'm a startup. If the government forces me to delete some data, it makes my life easier, no data - no privacy issues. If someone tells me, I want to port my data to a competitor, because my UI is better than theirs, but they still prefer the competitor, why should I care about these requests, why should I spend a single second of my engineers' time to implement that?



> If someone tells me, I want to port my data to a competitor, because my UI is better than theirs, but they still prefer the competitor, why should I care about these requests, why should I spend a single second of my engineers' time to implement that?

Because you're a good person and care about providing value to your users, and not just extracting value from them.

But since in practice, we can't rely on every business to be run by good citizens, this needs to be made a legal requirement, to remove the competitive advantage from being predatory and locking users down.


While I agree 100% with this response, let's for the sake of argument assume OP is not a good person, and doesn't actually care about providing value to users.

An answer to "why" that does not depend on voluntary goodness is: Enough people in the world generally think representative democracy is a good thing. We stand by that system for making the rules. Enough people in part of the world think there is enough of a problem to the point where a rule was made. If you want to do business in that part of the world, you need to be bound by that rule. That's why you should spend time on it. As incomprehensible as it might be, it's important enough to those citizens that they are willing to levy a penalty on you if you don't.

...and so far, at least three people actually took time out of their day to go find the "down" arrow on this obviously raving insane viewpoint :) I love you guys!


Agreed.

I'll add another argument that doesn't depend on voluntary goodness, just on longer-term thinking: if you can establish a reputation that you're not making it hard for users to migrate away from you, people will be more likely to try your services out in the first place.

And yet another long-term thinking argument: if being able to easily export and migrate data between competing services becomes commonplace, then you'll not only have an outflow of users to competitors, you'll also have an influx of users migrating from your competitors. If you're trying to put a superior service on a market dominated by inferior incumbents, it's in your interest to promote data portability, as - if your service is truly as good as you think - user flow will predominantly go towards your business.


Democracy takes precedence over markets and profit, what kind of madness is this?


Involuntary goodness.

Is the point that you should feel good about any regulation, by virtue of its being the result of a democratic process? For (counter)example, I might not normally feel good about implementing “Muslim ban” functionality even if I recognize the nominally democratic process that forces me to.


The spirit of such a law is great, but there's a huge problem - what does the implementation even look like? Are we going to have regulatory committees oversee which types of data should be portable and when? Who writes the protocols?

The implementation of such a law is impossible as far as I can tell and opens up huge vulnerabilities to smaller companies.

Just imagine when large companies can hire lobbyists that can force a data protocol on the smaller businesses.

The spirit of many laws is great; the implementation is, unfortunately, what actually matters, and I don't see solutions to these hard problems.

Allow me to go on a soapbox here, but far too many laws are created with good intentions that are destroying competition and hurting the end users.


> The implementation of such a law is impossible as far as I can tell and opens up huge vulnerabilities to smaller companies.

Have you actually read the article from GDPR about "Data Portability"? (https://gdpr-info.eu/art-20-gdpr/)

It's easier than you think. Offer an endpoint that spits out a ZIP file with JSON/multimedia of all the data you have associated with the user. Now you're done, you don't have to do anything else.

If possible, you should provide a good format (see my other comment https://news.ycombinator.com/item?id=27278816) but you're not strictly required to.

The intent of the article is not to allow people to import Facebook posts into Twitter, the intent of the article is to force businesses to allow people to export their data in a machine-readable format. What that entails exactly is up to each company to decide, and a court of law to determine if it was followed properly.


I hadn't read the law yet, thanks for the link, but I don't think that solves any problems at all and has potential for plenty of issues. The devil is in the details and the people already have the power to only use services that allow data exporting.

You're attempting to force companies to behave in a pro-social manner but if that company never wanted to behave in a pro-social manner we'll have just given them another attack surface with their lobbyists to use to kill their competitors.

I'll withhold judgement until I see how this plays out, it could end up being a great thing, the issue with laws isn't that they can't help - the issue is that laws that end up hurting almost never go away.


> but I don't think that solves any problems at all and has potential for plenty of issues

It does solve the problem with some businesses not offering exports in machine-readable formats in order to stop users from being able to move to other services together with their data. Or which problems do you think they are aiming to solve here?

> the people already have the power to only use services that allow data exporting.

Yes, but the directives are not meant to help people choose services, they're meant to help people already using a service to be able to move to a different one with their data. By forcing companies to follow these directives, users no longer have to choose an inferior product just because it offers exports, because all the products have to offer export.

> You're attempting to force companies to behave in a pro-social manner but if that company never wanted to behave in a pro-social manner we'll have just given them another attack surface with their lobbyists to use to kill their competitors.

I don't really understand this line of reasoning, but I'm interested in understanding it. We already have a bunch of laws and directives to make companies behave more ethically, since they made it clear that they need laws sometimes to do the right thing. How is this adding another attack vector to kill their competitors? If company A is "anti-social" (I guess), doesn't offer an export and wants to kill their competitor B (who does offer export), how does the export tie into company A being able to kill company B? As I understand it, company B is following the directives while company A isn't, so users of company A could sue that company, but that doesn't affect lawful company B.

But I might misunderstand something so please, elaborate :)


> We already have a bunch of laws and directives to make companies behave more ethically, since they made it clear that they need laws sometimes to do the right thing. How is this adding another attack vector to kill their competitors?

I'd go as far as saying that such regulation fixes an attack vector. Before, a company behaving pro-socially was at a competitive disadvantage - their competitors that "never wanted to behave in a pro-social manner" could adopt antisocial strategies that the pro-social company couldn't. Banning those strategies levels the playing field.


> It does solve the problem with some businesses not offering exports in machine-readable formats

And which data should businesses allow users to export in machine readable formats, every click, view, views on other sites with that site's cookie/callback?

What is a common machine readable format? Literally all data is machine readable - what if the "common" format is purposefully complex and hard to implement right and you have to use paid libraries to do it correctly? These are things big companies can afford to do that kill small competition.

And since they are a big company, simply them using it makes it "common" by some definition, since more people will use it by virtue of more people using their services.

> If company A is "anti-social" (I guess), doesn't offer an export and wants to kill their competitor B (who does offer export), how does the export tie into company A being able to kill company B?

Company A, being the dominant evil-corp, can pay lobbyists to define the protocol for export in a format they define... company B (the small good-willed company) already exports in a format, but now they are forced to change their existing systems resulting in a lot of work lost - that is effectively money stolen from company B.

Now, a reasonably pro-social reaction would be to allow both exported formats, but how difficult would it be to have lobbyists convince a non-technical governing body that their format is superior and should be used?

Imagine a non-technical family member is overseeing some committee and facebook shows up with their amazing analytics and awesome data export tool with graphs, charts, everything. Do you think your non-tech family member will recognize that the underlying format is bad for small businesses? I don't think I'd expect a non-techie to understand the costs there.

Edit: further, are there SLAs for export uptime? What happens when bad PR hits a company and data export laws effectively mean a company is expected to export terabytes of data within a day or so? Is that small company now legally liable because they can't handle that kind of load - which is further compounded by the fact they are getting data export requests because of bad PR to begin with? Does that company now have to choose between serving exports or keeping their service running?

I'm sure if I spend an hour thinking of scenarios that could hurt businesses that are otherwise doing the best they can I can come up with plenty.


I think you're approaching GDPR with the wrong mindset, perhaps one rooted in the US legal system. EU countries tend to put more weight on the spirit of the law than the US does.

In GDPR, many of the things seem technically underspecified, because they aren't describing implementation details - they're describing the principle behind them.

For instance, what "common machine-readable format" means is obvious to everyone who does anything with digital data. For generic data, it's XML, JSON, CSV, you could probably get away with XSL(X) or DOC(X); for images it's BMP, PNG, JPG. Etc. If you think you have a valid reason to use something more niche, you can. If you're afraid someone will contest it, you can request an interpretation from appropriate regulatory body. If someone contests your choice, you can justify yourself - but if you're being purposefully obtuse, the ruling will be against you. The legal system gives you plenty of time to prepare, seek clarification, complain, dispute, get reprimanded - and ultimately comply, or, if you stubbornly refuse, get punished.

Consider what would have happened if GDPR actually defined what a "common machine-readable format" is. Plenty of companies would have a valid reason to complain that the list of allowed formats is too narrow, and unsuitable for their particular use case. The law would have to be updated to reflect the fast-changing landscape of computing technology, or risk slowing progress by forcing everyone to maintain legacy technologies.

Instead, GDPR focuses on the guidelines to achieve the intended results, while leaving the implementation details for the industry to figure out. It's better this way than having regulators figuring out what's the difference between "cookie" and "local storage".


> And which data should businesses allow users to export in machine readable formats, every click, view, views on other sites with that site's cookie/callback?

"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

https://gdpr-info.eu/art-4-gdpr/ - (1)

> What is a common machine readable format?

JSON, XML and a few others are candidates that are generally considered common. If you haven't heard about the term before you can find more information here: https://en.wikipedia.org/wiki/Machine-readable_data

> what if the "common" format is purposefully complex and hard to implement right

Then I guess the company is shooting itself in the foot if they make it harder to build the export functionality than it has to be? The directive is not about being able to import data from any service, the directive is about being able to export your data in a machine-readable format. Not sure how much clearer I can make this.

> company A, being the dominant evil-corp, can pay lobbyists to define the protocol for export in a format they define

Company A is allowed to export the data in whatever data model they want, no lobbyists required. What it has to be though, is machine-readable.

> company B (the small good-willed company) already exports in a format, but now they are forced to change their existing systems resulting in a lot of work lost

No, neither the directives nor the laws around GDPR will force a small company to change their export format. The directives are aimed at larger businesses that don't allow export at all, to get those companies to actually become user-friendly instead of user-hostile.

You should really give reading the full GDPR a go, it's not that long nor complicated and explains everything you're worried about (seemingly at least).

Here is the full version: https://gdpr-info.eu/

And here is a simpler quickstart explaining broadly what GDPR is: https://termly.io/resources/articles/gdpr-for-dummies/

Edit:

> Edit: further, are there SLAs for export uptime? What happens when bad PR hits a company and data export laws effectively mean a company is expected to export terabytes of data within a day or so? Is that small company now legally liable because they can't handle that kind of load - which is further compounded by the fact they are getting data export requests because of bad PR to begin with? Does that company now have to choose between serving exports or keeping their service running?

Again, I invite you to actually read GDPR before commenting further, as both you and I spend more time answering each other than the time you could have taken to just read the resource you're commenting about now.

Article 12 (3):

> 1 The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. 2 That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. 3 The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. 4 Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

If you cannot handle running your service + the export in a way so people clicking the export get their data within 30 days, I don't feel so bad about you actually just closing down your service instead, as the uptime in general must be very bad.


> The devil is in the details and the people already have the power to only use services that allow data exporting.

The problem with this is that people are choosing products and services based on many different aspects simultaneously. In particular, price and (with Internet services) network effects are such strong factors that they pretty much override all other considerations. How this plays out in practice is, the whole market stops offering value along the "irrelevant" factors.

In case of GDPR - because abusing users' data makes money, and not abusing it costs money, everyone starts abusing it to reduce price (or their costs). You're not going to ditch Facebook if all your friends are there. You're not going to ditch your primary care provider because it plays fast and loose with your data - it's a big hassle, and there's no guarantee other providers aren't even worse.

Imagine switching this discussion to one about food safety regulation. If they were suddenly all repealed, you can bet your top dollar that the quality of food would quickly degrade across the board. Even the most upstanding companies would start making sacrifices to keep up with their less ethical competitors, or risk getting outcompeted - relaxing standards allows them to drop the price (or increase and reinvest profits), which allows them to keep this up through economies of scale, while companies standing their ground on quality lose customers, lose efficiency, and have to increase the price. Customers won't choose the increasingly more expensive, quality food, because in a typical country, most people can't afford expensive food.

The end result is the market locking into a new, much lower, food safety level.

There are certain patterns on the market that are very predictable, and which are impossible to fix from within. That's where regulations are needed. And they do seem onerous to businesses when introduced - that's because we usually realize the problem only when we're deep in it.


[flagged]


No one, since you aren't using any of Emergynt's services. Also, nice low-effort doxx. Reminds me I need to update my LinkedIn profile.


> Because you're a good person and care about providing value to your users, and not just extracting value from them.

That's a false dichotomy that also misrepresents the nature of a typical business transaction.

If you're a good person and a business owner, you're looking to make mutually beneficial business transactions. If someone is looking to move away from using your business, then it's them who's trying to extract value from you, without giving anything in return.

Of course, sometimes, as just a good person, you want to do good for other people without anything in return — but you can do it as a private person, putting your profits into charity funds. Separation of concerns is a good thing that makes things clear. Also, from any moral point of view, money spent on an engineer's salary that allows some food app user to migrate to a competitor is probably not spent as well as feeding the hungry or providing health care to the sick anyway.


> If you're a good person and a business owner, you're looking to make mutually beneficial business transactions.

Exactly this. The transactions become much less mutually beneficial if the business is trying to hold my data hostage. Especially if they gave no indication of it previously, back when I was still evaluating the value of the transaction.

We had a good time, I got value from their services, they got my money and perhaps some extra benefits too - now it's time for us to part ways, I'm packing and I want my stuff back.

> If someone is looking to move away from using your business, then it's them who's trying to extract value from you, without giving anything in return.

Transactions on the market are supposed to be voluntary. This means I should be free to move away from using any business, after discharging all my obligations to it that I voluntarily accepted. By switching to a competitor, I'm not taking any more value from the company. As for asking for my data back, a business should consider my data loaned to them. It's their obligation - social, and now legal - to give it back.

GDPR specifies more than one way to do this. Controller to Subject transfers are a no-brainer. It's my data, I want it back. Controller to Controller transfers are gated by "where technically feasible". This point is there to ensure that businesses which don't have the necessary infrastructure in place aren't forced to spend time and effort to build it up. Only those that can do it at negligible costs are being forced to provide this option.


golergka's daycare service: you can check your kids in, but you can never check them out. It just wouldn't be mutually beneficial, sorry.


If you went with a hotel service, you could’ve made a Hotel California reference ;)


If you are a startup, then such a law directly benefits you because you might want to convince users to migrate to your services. If the big established competitor of yours has to offer data exports, such a migration is made easier for you, enabling your startup to grow faster, and giving users the ability to enjoy more innovation in the market.


Because removing an exit barrier means removing lock-in.

Not holding customers' data hostage can increase your service adoption.

E.g. many companies would not pay for a web-only email service where you cannot download and backup emails.

E.g. a lot of people pay for non-locked books (epubs) that can be carried over across different devices.

Governments across the world broke lock-in mechanisms for decades (e.g. carrying phone numbers, being able to buy gas/car oil/car tires/PC components from independent vendors).


You don't write an API to port stuff to your competitor. You write a JSON or CSV export and competitors can then make an import tool for your data format (and vice versa).

Is this really an effort? It's basically a JOIN over a bunch of tables or maybe the JSON state tree of your SPA and that's about it.

Chances are, your startup works with all data of a user and has a way to request all data from the DB anyways.
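
The export described in the comment above, and in the earlier reply about an endpoint that returns a ZIP file with JSON, as an added example that is not part of the thread. The SQLite schema, table names, sample rows and the column allow-list are assumptions made for illustration, and it uses per-table SELECTs scoped to the requesting user rather than a single JOIN.

```python
import csv
import io
import json
import sqlite3
import zipfile

# Hypothetical schema: table -> (column holding the owner's user id, columns to export).
# The explicit allow-list keeps internal fields such as password_hash out of the archive.
EXPORT_SPEC = {
    "users": ("id", ["id", "email", "display_name", "created_at"]),
    "posts": ("user_id", ["id", "title", "body", "created_at"]),
    "comments": ("user_id", ["id", "post_id", "body", "created_at"]),
}


def build_sample_db():
    """Constructed sample data with two users, so per-user scoping can be checked."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, display_name TEXT,
                            password_hash TEXT, created_at TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT,
                            body TEXT, created_at TEXT);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER,
                               post_id INTEGER, body TEXT, created_at TEXT);
        INSERT INTO users VALUES
            (1, 'alice@example.com', 'Alice', 'constructed-hash-a', '2021-01-01'),
            (2, 'bob@example.com', 'Bob', 'constructed-hash-b', '2021-02-01');
        INSERT INTO posts VALUES
            (10, 1, 'Hello', 'First post', '2021-03-01'),
            (11, 2, 'Bob writes', 'Not Alice''s data', '2021-03-02');
        INSERT INTO comments VALUES
            (100, 1, 11, 'Nice post, Bob', '2021-03-03'),
            (101, 2, 10, 'Thanks, Alice', '2021-03-04');
        """
    )
    return conn


def collect_user_data(conn, user_id):
    """Return {table: [row dicts]} holding only rows owned by user_id."""
    data = {}
    for table, (owner_col, columns) in EXPORT_SPEC.items():
        # Identifiers come from the constant EXPORT_SPEC, never from the request;
        # the user id is passed as a bound parameter.
        sql = (
            f"SELECT {', '.join(columns)} FROM {table} "
            f"WHERE {owner_col} = ? ORDER BY id"
        )
        rows = conn.execute(sql, (user_id,)).fetchall()
        data[table] = [dict(zip(columns, row)) for row in rows]
    return data


def rows_to_csv(columns, rows):
    """Render a list of row dicts as CSV text with a header line."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def export_user_zip(conn, user_id):
    """Build the ZIP archive (as bytes) an export endpoint would send back."""
    data = collect_user_data(conn, user_id)
    if not data["users"]:
        raise LookupError(f"no user with id {user_id}")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # One JSON document with everything, plus one CSV per table.
        zf.writestr("export.json", json.dumps(data, indent=2, ensure_ascii=False))
        for table, (_owner_col, columns) in EXPORT_SPEC.items():
            zf.writestr(f"{table}.csv", rows_to_csv(columns, data[table]))
    return buf.getvalue()


if __name__ == "__main__":
    archive = export_user_zip(build_sample_db(), 1)
    print(zipfile.ZipFile(io.BytesIO(archive)).namelist())
```

In a real service the `user_id` passed to `export_user_zip` would come from the authenticated session, not from a request parameter, so one account cannot request another account's archive.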


A company that builds houses would very much avoid building those pointless and expensive security features. Why would they spend a second of their architects' time on that?


I'll re-phrase: why should I care about the requests of my users? Now you know why they prefer your competitor over your better UI. Your UI may be better, but your UX sucks.


You're exactly the kind of person I hope my government protects me from. Companies are not meant to enrich yourself but to make the world better.


Companies are not meant to make the world better...


Capitalism is the belief they do.


I'll rephrase. Imagine I'm a startup. If someone tells me, I want to transfer my savings to a competitor, why should I care about this request?

The answer should be obvious, it's their data just like it's their savings.


The mental shift seems to be to not regard your customers' data as your product but rather focus on your service as your product.


That will make a whole lot of business models out there not feasible. The result will be fewer free services (to put it differently, fewer services and fewer choices). If you don't pay for stuff with your data, you can't have it for free. Are we sure we want to use government regulations to impose this on consumers of services, from the top down? Instead of, say, letting them decide?

(Yes, of course it's an industry talking point. The best kind - one that's true and valid, and so far not effectively refuted).


A business model does not have a right to exist just because individuals would choose to patronize it if legal. There are plenty of predatory business models that capitalize on market failures. "Free" definitely appears to be one of those business models.


To clarify, you are saying we should legislate away the right of a consumer to consent to a service whereby, in lieu of payment, the consumer is delivered targeted advertisement based on the data generated by their use of the service?

If this phrasing is incorrect, please correct it. It's just really helpful to be clear and precise in such discussions, because people sometimes hide the essence of their argument behind ambiguous verbiage.


To clarify, the sentiment seems to be that we should legislate the requirement that a consumer must explicitly consent to any service whereby, in lieu of payment, the consumer is delivered targeted advertisement based on the data generated by their use of the service rather than take the consumer use of the service as implicit consent.


I'm not proposing legislation outlawing any particular business model. If someone can make "free" work while respecting customer data ownership, more power to them.

What I am saying is that customer data should legally belong to the customer, and if that makes some business models infeasible, so be it.


Given the context of GDPR data portability, it seems more likely that they're saying that businesses shouldn't have a right to hold data hostage as a method of lock-in, especially in lieu of providing a service people like enough to voluntarily stick with. The "targeted advertising as payment" thing is a separate can of worms that they may or may not care about.


> That will make a whole lot of business models out there not feasible.

So be it.

> If you don't pay for stuff with your data, you can't have it for free.

Okay. Charge us.

> Are we sure we want to use government regulations to impose this on consumers of services, from the top down?

Yes.


Free really means subsidized in this case. Those business models are anticompetitive, so it’s pretty easy to justify eliminating them.


From a subjective view I do not believe we want any business model that survives on utilising your data beyond the core of the product to exist e.g. I would think we want anyone to sell your data to ad companies.

I do not believe there is a need for so much free stuff in general. But it should never be a situation where you have to pay for your data to be safe.


Those are your beliefs/values. I mostly share them. But is it right to impose them legislatively on everyone?


What is legislation if not the opinion of the current society (and for some countries the opinion of corporations)?

As in yes, with my current understanding of personal data, I do believe we should have laws safeguarding them - even at the risk of businesses.


> That will make a whole lot of business models out there not feasible.

That’s the point.


Good riddance to bad trash. It's a shitty business model to begin with.


> That will make a whole lot of business models out there not feasible.

Good.


Because it's not your data, it's mine?


Barriers to exit are also barriers to entry.


Because this is also required of your competitor and will allow users to port their data into your startup, which gives you a chance to compete.


Being required and complying with that requirement are two different things.


That is how every law, rule, and norm works.

Are you trying to imply that it is important for the legal system to have effective overseers, investigators, lawyers, juries, and judges?


Isn’t engineering time cheaper than legal counsel time when your customers file complaints with the government against your org for not adhering to the law?


> engineering time cheaper than legal counsel time

For a Silicon Valley based company hiring EU lawyers, no. Engineers are more expensive. Also, for a Silicon Valley company with limited or no EU presence, the time value of money may make incurring that deferred cost worth the saved near-term engineering time.

Laws should be followed. But laws must be enforced. OP’s point is valid. The EU passed a law and delegated enforcement to its various members, each of whom has varying levels (and interpretations) of enforcement around different parts of the text.

Until that changes, GDPR compliance will remain a courtesy. Not a right.


Good points, appreciate the reply.


Is any legal counsel time actually being spent on this? It seems like all the disability legislation. In theory it applies to websites. In practice, few give it a 2nd thought.

I have yet to hear of a company significantly harmed by failing to consider accessibility.


Yes, unless you already have lawyers on staff.


This covers a good argument as to why: https://www.joelonsoftware.com/2000/06/03/strategy-letter-ii...

And it's true - there are a number of services for work that we've never tried because there's no easy way "back".


Why should your company be allowed to lock in other people's data in your company's computers and then refuse to give it back? This is obviously abusive. Why should your company be allowed to abuse its customers? Why should an abusive company even be allowed to exist?


I bet there are more laws that a company would love not to follow, but it's the law and thus you'll need to spend time implementing it.


Because the data isn't yours, it belongs to the customer.

That is the opinion that GDPR encodes into law.


Erm... because you need to follow laws. Your company would file tax records, right? And follow fire and building regulations in the office, correct? So why would it not follow GDPR?


It's not your responsibility to help your customers use a competitor's service, so you definitely don't have to care about that. However, you might care if you practice "dogfooding".

The idea of eating one's own dog food is to understand the experience of the customer and improve the product. It demonstrates confidence in your product and helps you empathize with your customers. If you do this & are confident in your product, then a portability feature (to allow your customers to try out your competitors) should not be a threat.

Assuming you can convey to your customers why your product is superior, they won't have need of the porting tool. If one day they think, "Hmm, I wonder if the competitor is better", and try to use the porting tool to use the competitor, and find out it's a huge pain because the competitor's product isn't as good (or doesn't work the way yours does), they may decide they just don't feel like switching. People might also use your product just because they can switch if they ever need to.

Pandora is a great example of a shitty company that does not believe in its own product. If you use the free version, you are constantly bombarded with dark patterns and direct advertisements to get you to upgrade to their paid account. It's annoyware. If you eventually pay for the product, the only value add is fewer ads. There's no improved functionality, there's no easier experience, no better algorithm. Just slightly less pain. It's like upgrading from dogfood that tastes like shit, to dogfood that only smells like shit. If Pandora created a data portability tool, they would be screwing themselves, because they know their product is shit. If they had a great product, portability wouldn't be a threat to their business.



