Because you're a good person and care about providing value to your users, and not just extracting value from them.
But since in practice, we can't rely on every business to be run by good citizens, this needs to be made a legal requirement, to remove the competitive advantage from being predatory and locking users down.
An answer to "why" that does not depend on voluntary goodness is: Enough people is the world generally think representative democracy is a good thing. We stand by that system for making the rules. Enough people in part of the world think there is enough of a problem to the point where a rule was made. If you want to do business in that part of the world, you need to be bound by that rule. That's why you should spend time on it. As incomprehensible as it might be, it's important enough to those citizens that they are willing to levy a penalty on you if you don't.
...and so far, at least three people actually took time out of their day to go find the "down" arrow on this obviously raving insane viewpoint :) I love you guys!
The implementation of such a law is impossible as far as I can tell and opens up huge vulnerabilities to smaller companies.
Just imagine when large companies can hire lobbyists that can force a data protocol on the smaller businesses.
The spirit of many laws is great, the implementation is unfortunately, what actually matters and I don't see solutions to these hard problems.
Allow me to go on a soapbox here, but far too many laws are created with good intentions that are destroying competition and hurting the end users.
That's a false dichotomy that is also misrepresents the nature of a typical business transaction.
If you're a good person and a business owner, you're looking to make mutually beneficial business transactions. If someone is looking to move away from using your business, then it's them who's trying to extract value from you, without giving anything in return.
Of course, sometimes, as just a good person, you want to do good for other people without anything in return — but you can do it as a private person, putting your profits into charity funds. Separation of concerns is a good thing that make things clear. Also, from any moral point of view, money spent on engineer salary that allows some food app user to migrate to a competitor is probably not spent as well as feeding hungry or providing health care to sick anyway.
Not holding customers data hostage can increase your service adoption.
E.g. many companies would not pay for a web-only email service where you cannot download and backup emails.
E.g. A lot of people pay for non-locked books (epubs) that can be carried over across different devices.
Governments across the world broke lock-in mechanisms for decades (e.g. carrying phone numbers, being able to buy gas/car oil/car tires/PC components/ from independent vendors)
Is this really an effort? It's basically a JOIN over a bunch of tables or maybe the JSON state tree of your SPA and that's about it.
Chances are, your startup works with all data of a user and has a way to request all data from the DB anyways.
The answer should be obvious, it's their data just like it's their savings.
(Yes, of course it's an industry talking point. The best kind - one that's true and valid, and so far not effectively refuted).
For a Silicon Valley based company hiring EU lawyers, no. Engineers are more expensive. Also, for a Silicon Valley company with limited or no EU presence, the time value of money may make incurring that deferred cost worth the saves near-term engineering time.
Laws should be followed. But laws must be enforced. OP’s point is valid. The EU passed a law and delegated enforcement to its various members, each of whom have varying levels (and interpretations) of enforcement around different parts of the text.
Until that changes, GDPR compliance will remain a courtesy. Not a right.
I have yet to hear of a company significantly harmed by failing to consider accessibility.
And it's true - there are a number of services for work that we've never tried because there's no easy way "back".
That is the opinion that GDPR encodes into law
The idea of eating one's own dog food is to understand the experience of the customer and improve the product. It demonstrates confidence in your product and helps you empathize with your customers. If you do this & are confident in your product, then a portability feature (to allow your customers to try out your competitors) should not be a threat.
Assuming you can convey to your customers why your product is superior, they won't have need of the porting tool. If one day they think, "Hmm, I wonder if the competitor is better", and try to use the porting tool to use the competitor, and find out it's a huge pain because the competitor's product isn't as good (or doesn't work the way yours does), they may decide they just don't feel like switching. People might also use your product just because they can switch if they ever need to.
Pandora is a great example of a shitty company that does not believe in its own product. If you use the free version, you are constantly bombarded with dark patterns and direct advertisements to get you to upgrade to their paid account. It's annoyware. If you eventually pay for the product, the only value add is fewer ads. There's no improved functionality, there's no easier experience, no better algorithm. Just slightly less pain. It's like upgrading from dogfood that tastes like shit, to dogfood that only smells like shit. If Pandora created a data portability tool, they would be screwing themselves, because they know their product is shit. If they had a great product, portability wouldn't be a threat to their business.
Data from one service may be in an entirely different schema than the service you want to import it too - let alone format. Service A may summarize your data and throw away the granular stuff, but service B runs on the granular data.
Are consumers going to implement ETL pipelines to achieve portability? Are they expecting to hook up streaming mechanisms for enormous swathes of data?
Just as an example, if I wanted to get a list of every song I liked on Spotify and import it into Apple Music, how would that even work? The songId of Spotify is undoubtedly different than the one Apple uses. Are Apple and Spotify supposed to agree on a common file format?
I agree with the intent of the law but I'm not surprised most services do not offer an automated way to take out data. It's a rare case, often a heavy workload, and there's really no way to guarantee the data you receive is actually portable.
Why wouldn't it work? Desktop apps had m3u playlist formats which could be read by multiple players - from Winamp on desktop, iTunes on a Mac or even car headunits. It's now kinda wierd to say that rockstar engineers of Apple/Spotify can't find a way to export playlists and liked songs (a global singletons essentially) they got from the SAME publishers and probably ingest from the SAME content owner data sources.
But thankfully, the industry solved this problem themselves: ISRC (International Standard Recording Code) is already used all over the royalty reporting side of the industry because it specifically solves the problem of referencing an individual recording of a work.
DDEX is a content delivery manifest format the industry also uses for this kind of purpose (sharing complex metadata about recordings in a standardized way), but its an 800lb gorilla of a format and not super consumer-friendly.
These are things that are all over the back offices of your favorite streaming service, but mostly transparent to the consumer.
There's no incentive other than the law for Twitter or Facebook to make that data exportable.
There’s generally no incentive to not kill someone except going to jail.
I understand your point but FYI music is a poor example as there is solutions to port metadata in that case. MusicBrainz aims to standardize music metadata and it is pretty commonly used. An example I know is the lastfm service, their APIs accept an optional mbid: https://www.last.fm/api/show/track.updateNowPlaying.
Artist + Song Title (+ Album and track number, if it's from an album) should be enough to disambiguate in enough cases for someone to consider this "portable".
Beyond that, we have music fingerprint IDs that a service could output in the data dump along with their own service-specific ID.
> Are Apple and Spotify supposed to agree on a common file format?
For something as simple as this, yes, absolutely they should. It's bonkers that they don't and wouldn't, aside from garbage anti-competitive lock-in reasons.
If I was Spotify I would export that as an SQLite DB. Maybe the metadata catalog as a standalone DB too.
Apple Music has an API[0] so it's already mostly possible to import a list of songs in it.
> I agree with the intent of the law but I'm not surprised most services do not offer an automated way to take out data. It's a rare case, often a heavy workload, and there's really no way to guarantee the data you receive is actually portable.
"Data Portability" is so vaguely defined that I can't help but see it as yet another law that EU bureaucrats will use to fleece (American) "Evil Tech Giants".
Similarly, it is up to industry -- either via standardization bodies or courts -- to clarify what exactly is "data portability".
As a dev I hate the fact that something like Zapier apparently has to exist in this messy world, but non-technical people like my wife tend to find it intuitive and relatively easy to use so that's one option.
Though for your example I'd argue that the ingester (Apple) has a vested interest in allowing import from many formats to poach customers. Much like how Apple went to the effort of creating the Move to iOS app on android. I wonder whether having the data exported with just a song id would be sufficient under the law, because you could just normalise all useful data away and export a list of IDs to the customer which seems clearly against the purpose of the law. Showing just IDs is not my data which would mean the actual songs I like.
Yeah, that'd be great! We didn't get the web as we know it today until bunch of people and companies got together and created standards for everyone to rely on. Why can't we do that same for SaaS businesses?
I think the test is something like: If the concept is the same, you should be able to import/export it. For example, you have a SaaS having photo upload + being able to put the photos into a custom gallery. Then you should be able to export that gallery in a format that you can recreate the same gallery in another SaaS that also has photo upload + custom galleries.
The article itself is clear that it's not always technically feasible to offer this import/export. For example, it doesn't make sense to be able to export Facebook posts and import them into Twitter, because those are two different formats with different restrictions.
This is from the actual article:
> In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The full article of "Data Portability" is not that long, you can read it here: https://gdpr-info.eu/art-20-gdpr/
I guess this law is there to ensure your images can be transferred from Dropbox to Google Drive to Apple Cloud, without any of them being tempted to pull the plug.
Back in the "bad" (aka glorious) days of p2p file sharing we had no problems keeping things straight. Even Windows XP natively knows how media libraries work. Any service that makes this hard will be at a disadvantage to ones that make it easy, and maybe get roasted in court on GDPR grounds.
The only reason services do not offer you data export in an easily digestible format is that they want you to stay in the app.
However, they do respond to privacy requests, see:
There's https://gdpr.eu/companies-outside-of-europe/ :
> Article 3.2 goes even further and applies the law to organizations that are not in the EU if two conditions are met: the organization offers goods or services to people in the EU, or the organization monitors their online behavior.
Recital 23 clarifies what is meant by the organization offers goods or services to people in the EU: https://gdpr.eu/Recital-23-Applicable-to-processors-not-esta...
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, [..] the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
Profiling is clarified in recital 24: https://gdpr.eu/Recital-24-Applicable-to-processors-not-esta...
> it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
So, I'd say no. The mere fact that HN is accessible to people in the EU does not show intent. HN is an English forum, which is the native language of the country where it is established, and does not offer its services in additional European languages, and does not advertise products in the Euro currency. I'm unable to know for sure, but I don't believe HN is using my posts here to predict or analyse my personal preferences either.
https://github.com/HackerNews/API
Does it count like ability to download your data?
GDPR is an EU law that applies to sites that market directly to EU citizens. How and whether it applies to sites outside the EU has been debated. GDPR can prevent a site from operating in the EU. But GDPR does not apply to a US citizen using a US-run web site.
https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
https://gdpr-info.eu/art-3-gdpr/
Edit: speaking of personally identifiable information, GDPR defines the information that is subject to download as “personal” information, only when it can be identified. Do you have data on HN servers that is subject to GDPR even if you live in the EU? (I don’t think I do.)
See 4.1: https://gdpr-info.eu/art-4-gdpr/
Note that it also includes indirect identification, which means that if combined with other data it would identify you. Recital 30 might be of use here too;
>Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
That is wrong. The GDPR does not make reference to citizenship.
It explicitly notes that it applies when either when the data subject is physically in the EU/EEA, or when the data controller/processor is based in the EU/EEA.
Suppose I exported all of my posts, photos, contacts, and a bunch of metadata from social network A. Perhaps I could view the contacts in Excel and browse the photos in my favorite gallery app. But unless I can upload it all to social network B and continue as if I've been using B all along, the data is not really "portable". It's just a backup, a frozen snapshot that can't be unpacked anywhere else.
I'm not even sure if it makes any sense to import one's Twitter feed into Instagram or one's Facebook profile into Reddit. Edit: I'm not saying this is because of anti-competitive behavior on anyone's part. The services simply are so drastically different.
What's important is that a Twitter, or Facebook, or Reddit alternative should be able to implement data import from their respective competitor, without facing intentional anti-competitive difficulties. Let "the market" decide which services want to implement the import of which kind of data.
Since the incentives for the service providers line up with the users, I don't see a need for the government to regulate importing data.
Export is the exact opposite. The incentives for the service providers go directly against a user. After all, if the provider export a use's data, then then that user can just leave!
If we're wishing for things, I'd like to add the ability to have "live" exports/imports. By that I mean two services with comparable data types should be able to keep your accounts in synch, such that a change made on one service is reflected (after only a short delay) on the other service.
You would still have to visit Facebook if you wanted to see what your friends there were saying, but they would be able to see what you were posting on Mastodon, for example, without needing to create a Fediverse account.
The incompatibility is by design.
Additionally, if a service is missing import functionality, you can choose to not use it. While you'd often only realize you need export functionality while you've already used a service for years.
Maybe the case of porting data between social media services doesn't make much practical sense, but there are many other services where it does. Fitness tracking apps as an example - you'd likely want to take your history with if you switch services.
And usually these services would not be using the exact same data format for import vs export. But that's not as big an issue in practice - you'd often find third-party scripts or services that can do the conversion for you.
Other social networks would implement import functions in a day.
Placing the same regulatory burdens on start-ups as on big tech is a drag on innovation, and it's frustrating that there is no minimal cap on users before GDPR comes into effect, given how the EU has constant exception for artisanal food and goods manufacturers.
Lawyers and third parties want to get a piece of the pie, so they'll present themselves as indispensable. It's almost as if this is the EU version of TurboTax.
In its current state GDPR has effectively just littered the website with popups that don't let you disable "functional" cookies in the popup. Functional my ass. The pages work fine without them. I disable all cookies except on a short list of sites I need to log in. Unfortunate side effect is the goddamn GDPR popups keep popping up on all those news sites.
But now every web page (at least in the EU) makes some kind of ugly popover and many of them try to convince you to accept all tracking with some kind of dark patterns of UI design.
I don't understand why we won't stop all this nonsense and build this stuff into web browsers as opt-in or opt-out (let the user decide) and therefore ensure that the UI is always the same without any dark patterns.
Here we go again.
The GDPR has no problem AT ALL with cookies. Use as many as you like with no need for popups. However, if you are using cookies to track or personally identify me (advertisers take a bow), then you need to ask my permission to do so. And so you should.
I am unaware of how a browser may possibly be used to block only personally identifying cookies, and besides, putting the onus to do so onto the data owner is against the principle of the GDPR; that personal data is MINE and you must ask my permission to use it.
Go back and read GDPR again because it doesn't. There are exemptions for smaller business. I don't remember exactly what they are, but I remember reading some of the provisions are excluded for companies under 250 employees or something like that.
Privacy (including the right to protection of one's personal data) is a human right. Creating artisanal food is not.
On an absolutely unrelated note, I reverse engineered ask.fm's client API back when I was actually using it.
Which ones have you tried exporting your data from?
I think that, as long as the ID is there, and that data is therefore linkable, that data IS personal.
IANAL, but that company's reply is bullshit and could be easily brought to court.
Nobody has money and time for that unfortunately and if you are using a platform that you like or need, then it is impossible, because you'll risk getting your account deleted.
Wait, is there anything well defined in GDPR?
EDIT: k, so for the downvoters: I mean it. GDPR is muddy at best. Think IP addresses: in most cases, they are _not_ PII, especially when it's a dynamic IP from an ISP, yet nearly everything insists on hiding IPs or converting them into geo information.
In other words: they can be PII, and you can't easily determine which of them aren't - the way they're being assigned is out of your control.
(Even in cases people think IPs aren't PII, they become so when combined with other datasets - dynamic IPs can be quite stable.)
> Wait, is there anything well defined in GDPR?
In terms of singling out particular technologies? No. In terms of defining principles and criteria? Very much yes. If GDPR went the other way, it would be trivial to work around by subtly changing the technologies or data involved.
Basically, companies thought it more profitable to not put any effort into letting users escape their service (or keep chat federated, etc.)
Various threads are still around though.
Sue them. It should be faster than 30 days according to GDPR.
> a lot of companies tried giving me semi obfuscated pdfs or html without classes or classes that were random strings
Giving you obfuscated data is also against GDPR as the data needs to be clearly machine-readable. Again, sue them as you now have two points against them.
I see a lot of (mostly non-EU) commenters thinking that the GDPR is grounds for any individual to sue any company for practically anything because privacy is hard, (which is probably why everyone was so hyped to hate on the GDPR) but that's just not how it works.
As much as I value data portability, I'd much rather see a DPA sue the hell out of the companies that make those ridiculous, illegal cookie walls and popovers filled with dark patterns instead.
I have no idea what the law requires about the data format, so they could be doing the absolute minimum.
Long story short, Confiks takes Spotify to task for removing the API that SongKick used to retrieve playlist data; a short time and several factual emails later they restore API access.
To summarize, Spotify can of course terminate any API they so wish, and there is absolutely nothing in GDPR that compels them to keep it up. As long as they of course still follow the requirements by GDPR. As annoying as a workaround would be for Confiks, emailing the data within those 30 days to SongShift is acceptable and in compliance. There is nothing in GDPR that says "data transfer options once enabled cannot be removed and/or changed".
Quoting the clause "the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.", always seemed off with what is being demanded, because, they would be complying with that requirement by compiling and archive of the data, a big dump, and send it to SongShift. "I demand that you re-enable the API", on the other hand has no basis whatsoever in GDPR. The quote follows with "... or allow for some other method to allow me to exercise my rights under the GDPR", which is exactly right.
Spotify re-enabled the API because they chose to, not because they had to.
To clarify: I think it was great that Confiks convinced Spotify to re-enable the API. But, the arguments presented were not particularly convincing, and I took this as a case of Spotify doing the right thing, rather than a "David vs Goliath".
Spotify re-enabled the API because:
• they already had the API, so they couldn't claim it was an undue development burden to re-enable it;
• it was cheaper than setting up another system based on manually emailing large chunks of the database; and
• it was good press.
> the data within those 30 days
This is a common misconception. The requirement is
> GDPR information must be provided without undue delay but at latest within one month. Only in reasoned cases may this one-month deadline be exceptionally exceeded.
The operative requirement is without undue delay, one month is a maximum on the definition of undue delay, not a minimum. Intentionally delaying compliance for the better part of a month after you have demonstrated the ability to send the data within seconds would undoubtedly constitute undue delay... (Some exceptions apply)
Partly joking, but partly serious. Maybe we could use something like this.
1. There is no format defined in which the data must be given
2. There is no feasible way of defining such format anyway
3. Thanks to 1 and 2, there is no feasible way of importing this data into another service.
AFAIK, a consumer has the right of requesting the export in any chosen format, but it says nowhere in the GDPR that the data controller must supply this for free [0]. As a business you are allowed to charge a fee to cover the cost of exporting the data, as long as this fee is considered 'reasonable'.
[0] Note: IANAL, a befriended paralegal told me this.
Presumably, someone wanting to build a service that encourages people to migrate from Google services could build an import tool to their platform with it.
From there, a specific parser/converter needs to be built by the competing service for imports.
It's particularly valuable when it lets you export instant messaging conversations and shared photo albums. It means that companies cannot hold your data hostage to keep you on their platform.
I use GDPR exports for a personal data thing I'm building [0][1]. It simply wouldn't work without GDPR, because public APIs are increasingly rare. Most of your personal data is locked and GDPR data exports are usually the only way to access it on your own terms.
[0] Intro: https://nicolasbouliane.com/projects/timeline
[1] Code: https://github.com/nicbou/timeline
Also, the fact that you don't know what to do with you data dump in JSON is a blocker. With APIs, integrations by 3rd parties are simpler and more user oriented.
Last point, with API neutrality, no need of maximizing "interoperablity" (even is is always useful and makes things simpler, we have seen that with DataTransferProject it does not work really as companies don't work with the same data model) Developers will do the matching work between the original app and the destination app, no worries, when incentive is here, middleware glue will come. The problem these days is that the source of data is useless, has no value, so no incentive. You can look at this study with GDPR Facebook data value for developers https://www.law.nyu.edu/centers/engelberg/pubs/2019-11-06-Da... The main question is : Why a Facebook GDPR Data dump/takeout has no value for developers where Facebook API has value for millions of applications developers and businesses? With API neutrality it will have maximum value for users (as it has already value for partners) and minimizing fatigue to implement portability (an API is lot more developer friendly than a JSON dump that you receive in 30 days via email and that the user need to upload somewhere)
Link bait by a company making their profit of GDPR confusion.
