In today’s digital world, the question of data portability and the ability to transfer data from one platform to another is becoming increasingly important, especially in the context of AI-powered virtual assistants like ChatGPT. As data is increasingly being generated by users through their interactions with these platforms, it is essential to understand the feasibility and limitations of data portability.
The importance of the question in the topic also lies in the fact that data generated by virtual assistants can be highly valuable[1] and personal, and users should have the right to control and use this data as they see fit. Users may want to transfer their data to another platform for various reasons, including changing to a different virtual assistant, changing to a different type of service, or simply wanting to take their data with them if they switch to a different device or platform.
The GDPR defines the right to data portability as the right to receive data processed on the basis of contract or consent and processed by automated means, in a ‘structured, commonly used, and machine-readable format’ and to transmit that data to another controller without hindrance.[2]
The Rationale for Data Portability
The idea behind Data Portability is that individuals should have the right to transfer their personal data from one platform to another. This idea draws on development in the digital economy which treats data as property, albeit of an intangible kind. In addition, data portability particularly within the context of EU law reinforces the elevation of protection of privacy rights of individuals to the level of human rights. The right of portability within the human rights context thus gives individuals the element of choice, as well as greater control over how their personal data is used by third parties. The ability to transfer this data to other platforms would increase consumer choice and competition, leading to more innovation and better services for users. For instance, if one platform becomes unavailable, as ChatGPT sometimes is, users should be able to effortlessly transition to another without disruption.
Limitations to the Right of Data Portability in Europe
The European Commission introduced a right to Data Portability in January 2012 in its Proposal for a General Data Protection Regulation.[3] In October 2013, the European Council of Heads of State or Government focused on Digital Agenda and Innovation agreed on its Conclusions to make a reference not only to data portability but to a broader concept: portability of the digital life. The European Council Conclusions read as follows:
“…There is also a need to address the bottlenecks in accessing one’s “digital life” from different platforms which persist due to a lack of interoperability or lack of portability of content and data. This hampers the use of digital services and competition. An open and non-discriminatory framework must therefore be put in place to ensure such interoperability and portability without hindering the development of the fast-moving digital sphere and avoiding unnecessary administrative burden, especially for SMEs…”
The European Council conclusions emphasized the importance of data portability and interoperability as part of a broader concept of “portability of the digital life”. This highlights the global significance of the conversation on data portability and its impact on competition, innovation, and consumer choice. However, the resultant law, i.e., the General Data Protection Regulation (GDPR), which came into force in 2018 seems to have a narrower view of portability. Article 20 of the GDPR provides that data subjects have the right to receive personal data concerning them, and to transmit those data to another controller. The scope of the right is limited in that, first, the right can only be exercised where the processing of personal data is based on consent or on contract, and carried out by automated means (Article 20(1) (a-b) GDPR). Second, it applies only to personal data that was provided by the concerned data subject. Third, the transmission from one controller to another has to be technically feasible (Article 20(2) GDPR).[4]
Notwithstanding the foregoing, it has been argued that the scope of portable data is not clearly defined for many situations.[5] This problem plays out in the context of AI chatbot technologies as well, where it can be difficult to determine which data generated during a chat are personal data and which are not. ChatGPT is a large language model trained by OpenAI, and it is used by many people for various purposes, including search queries, personal assistant tasks, and much more. As a result, ChatGPT collects and generates a large amount of data about its users, including their search history, preferences, and other information. A chat transcript may not reveal the user’s identity on its own, but when combined with other data points, such as IP address or device information, it can become personal data. Regulators need to take this into account.
The author shares the view expressed in academic writings which suggests that the interpretation of “data provided” by the data subject in relation to portability rights should be construed broadly to extend beyond the information expressly provided by the data subject.[6] Thus, under this principle of expansive interpretation, the right to data portability will cover not only the information expressly provided by the data subject such as names, addresses, ages, personal preferences, etc., but it should also extend to other information collected in relation to the data subject under a contractual arrangement or by consent. If this approach is preferred, and collected by way of cookie selection, geo-location will be covered under the portability rights.
To solidify this position, in its European strategy for data, the European Commission plans to expand the right to portability. The recently released legislative proposals, i.e. the Data Act, the Data Governance Act, and the European Health Data Space Regulation are likely to promote an ‘enhanced’ right to data portability as a central tool for empowerment.[7]
Limitations to the Right to Data Portability in Nigeria
In Nigeria, the issue of data protection and data portability is also highly relevant and regulated by the Nigerian Data Protection Regulation (NDPR). The NDPR was introduced in 2019 to provide a comprehensive legal framework for the protection of personal data in Nigeria. The regulation recognizes the right to data portability, which empowers individuals to transfer their personal data from one platform to another. Section 3.17(h) of the NDPR provides that “a data subject has the right to transmit personal data from one data controller to another without hindrance from the data controller.”
However, the right to portability suffers even more limitations than the GDPR. For example, it limits this right significantly by adding the condition: “…provided that this right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.” In addition, despite the presence of the NDPR, there have been several challenges in its implementation and effective enforcement. One of the primary obstacles is a lack of understanding and awareness about the importance of data protection.
Conclusion
In conclusion, the question of whether it is possible to transfer search history from platforms like ChatGPT to other platforms is a critical one, as it touches upon the larger issues of data ownership, control, and portability in the context of AI. Conversations around this topic would shed light on the complexities of data portability in the context of AI and would highlight the need for platforms to consider the competition law and human rights aspects of data portability when developing their data policies and practices.
[1] Information generated thereon could very well become trade secrets for companies
[2] See Articles 12, 20, 28 Recitals 68, 73 of the GDPR
[3] See https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF accessed 3 February 2023
[4] See observations made by Teodora Lalova-Spinks and Daniela Spajić in ‘The broadening of the right to data portability for Internet-of-Things products in the Data Act: who does the act actually empower?’, Published 16 June 2022 on KU Leuven Centre for IT & IP Law: https://www.law.kuleuven.be/citip/blog/the-broadening-of-the-right-to-data-portability-for-internet-of-things-products-in-the-data-act-part-i/#:~:text=The%20GDPR%20was%20the%20first,those%20data%20to%20another%20controller. Accessed 3 February 2023
[5] James Mancini, ‘Data Portability Rights: Limits, Opportunities, and the Need for Going Beyond the Portability of Personal Data’, available: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3715357 accessed 6 February 2023
[6] Paul De Hert et al, ‘The right to data portability in the GDPR: Towards user-centric interoperability of digital services’ available at <https://www.sciencedirect.com/science/article/pii/S0267364917303333>
[7] Teodora Lalova-Spinks and Daniela Spajić ‘The broadening of the right to data portability for Internet-of-Things products in the Data Act: who does the act actually empower?’, Published 16 June 2022 on KU Leuven Centre for IT & IP Law: https://www.law.kuleuven.be/citip/blog/the-broadening-of-the-right-to-data-portability-for-internet-of-things-products-in-the-data-act-part-i/#:~:text=The%20GDPR%20was%20the%20first,those%20data%20to%20another%20controller. Accessed 3 February 2023
Leave a Reply