《經合組織：2024數據可轉移性對用戶賦權創新和競爭的影響報告（英文版）（54頁）.pdf》由會員分享，可在線閱讀，更多相關《經合組織：2024數據可轉移性對用戶賦權創新和競爭的影響報告（英文版）（54頁）.pdf（54頁珍藏版）》請在三個皮匠報告上搜索。

1、Restricted Use-usage restreint The impact of data portability on user empowerment,innovation,and competition 2 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 This Toolkit note was written by Christian Reimsbach-Kounatze and Andras Molnar.It was reviewed by th

2、e OECD Digital Policy Committee(DPC)and the OECD Working Party on Data Governance and Privacy(DGP).This paper was approved and declassified by written procedure by the OECD Digital Policy Committee on 22 February 2024 and prepared for publication by the OECD Secretariat.This Toolkit note is a contri

3、bution to the OECD Going Digital project,which aims to provide policy makers with the tools they need to help their economies and societies thrive in an increasingly digital and data-driven world.For more information,visit www.oecd.org/going-digital.#GoingDigital Please cite this publication as:Reim

4、sbach-Going Digital Toolkit Note,No.25 Note to Delegations:This document is also available on O.N.E.under the reference code:DSTI/CDEP/DGP(2022)12/FINAL.This document,as well as any data and map included herein,are without prejudice to the status of or sovereignty over any territory,to the delimitat

5、ion of international frontiers and boundaries and to the name of any territory,city or area.OECD 2024 The use of this work,whether digital or print,is governed by the Terms and Conditions to be found at http:/www.oecd.org/termsandconditions 3 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVA

6、TION,AND COMPETITION OECD 2024 The impact of data portability on user empowerment,innovation,and competition.5 Mapping approaches to data portability.7 Sectoral scope.8 Beneficiaries.10 Data subject to data portability arrangements.11 Legal obligation and enforcement action.14 Operational modality.1

7、5 Data portability opportunities and challenges.18 Increasing competition and consumer choice.18 Facilitating personal data flows and enabling informational self-determination.20 Adoption and technical implementation challenges.22 Annex.Selection of data portability initiatives in the private and pu

8、blic sector.27 Data Portability 1.0:Ad hoc data downloads.27 The midata initiative of the United Kingdom.27 Private sector initiatives.28 Data Portability 2.0:Ad hoc direct transfers of data to another data holder.29 Health Insurance Portability and Accountability Act(HIPPA)in the United States.29 T

9、he California Consumer Privacy Act(CCPA)and the California Privacy Rights Act(CPRA).30 .31 The regulation for the free flow of non-personal data of the European Union.32 .33 Quebec Private Sector Act.34 The Regulation of Electronic Commerce and Efforts Regarding Competition in the Republic of Trkiye

10、.35 Lei Geral de Proteo de Dados Pessoais 35 .36 Selected private sector initiatives.37 Data Portability 3.0:Real-time continuous data transfers enabling interoperability.39 Early sectoral developments in the United States:From data portability 1.0 to 3.0.39 .40 Payment Service Directive for Payment

11、 Businesses in the European Union(PSD2).41 4 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 The Digital Markets Act of the European Union.42 The Data Act of the European Union.44 Interoperability in Estonia X-Road.45 The Australian Consumer Data Right.45 .47

12、Private sector initiatives.47 Bibliography.49 Tables Table 1.EU legal frameworks for data portability and sharing.9 Figures Figure 1.Data products and the different ways data originate.13 Boxes Box 1.Data portability as(ex post)competition enforcement remedy.7 5 THE IMPACT OF DATA PORTABILITY ON USE

13、R EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Data portability has become a tool for enhancing access to and sharing of data across digital services and platforms.It can empower users to play a more active role in the re-use of their data and can help stimulate competition and innovation by fos

14、tering interoperability while reducing switching costs and lock-in effects.However,the effectiveness of data portability in enhancing competition depends on the terms and conditions of data transfer and the extent to which competitors can make use of the data effectively.Additionally,there are poten

15、tial downsides:Data portability measures may unintentionally stifle competition in fast-evolving markets where interoperability requirements may disproportionately burden SMEs and start-ups.And by enabling data transfers to multiple destinations,data portability can also increase digital security an

16、d privacy risks.The latter underlines the importance of trust in the providers of digital services or platforms for the adoption of data portability.This Toolkit note presents the following five dimensions essential for designing and implementing data portability frameworks:1)sectoral scope;2)benefi

17、ciaries;3)type of data;4)legal obligations;and,5)operational modality,and provides an overview of ongoing government and private sector initiatives in this domain.6 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Data portability is the ability of users both n

18、atural or legal persons to request that a data holder1 transfer,to them or a specific third party,data2 concerning that person in a structured,commonly used and machine-readable format on an ad hoc or continuous basis(OECD,20211).This capability can empower users to actively manage and re-use their

19、data across various digital services and platforms.3 Data portability can also enable interoperability that in turn can facilitate communication between systems,typically through interoperable technical specifications including standards and application program interfaces(APIs)the software specifica

20、tions used for data transfers between digital services.As data portability provisions become increasingly common in legal frameworks,significant implementation challenges remain:In the right circumstances,data portability has the potential to boost competition,foster data-driven innovation,and broad

21、en consumer choice.However,it also poses the risk of creating unintended disincentives for investments in data and adversely affecting market structures in specific scenarios.Additionally,transferring data to third-party entities that are beyond the control and purview of the original data holder in

22、troduces new layers of risk in terms of privacy,intellectual property rights(IPR),unethical uses of data and digital security.The intensifying complexity of the landscape,coupled with implementation challenges,can exacerbate legal uncertainties,especially concerning liabilities.This can also fuel tr

23、ust issues and reluctance among users to embrace data portability initiatives.1 This toolkit note adheres to the definitions of the OECD(202119)Recommendation on Enhancing an(OECD,201358)Recommendation concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data(h

24、ereafteindividuals who,according to applicable laws or regulations,are competent to decide on granting access to or sharing data under their control,regardless of whether or not such data are managed (OECD,202119)2 i(OECD,202119)3 Data portability aligns well with the individual participation princi

25、ple of the OECD Privacy controller,or otherwise,confirmation of whether the controller has data relating to them and to have communicated to them,data relating to them within a reasonable time;at a charge,if any,that (OECD,201358).7 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND C

26、OMPETITION OECD 2024 Mapping approaches to data portability Data portability initiatives vary significantly across jurisdictions in terms of their nature,purpose,scope(i.e.who has the right to have data ported and what data can be ported),technical and legal requirements,and implementation.While the

27、re are significant differences,some data portability arrangements and initiatives share some commonalities that reflect common approaches to data portability.The following five key dimensions(identified in OECD,20211)can be used to categorise data portability arrangements and initiatives.Combined,th

28、ey provide a taxonomy that can be used for mapping and analysing data portability initiatives in the private and public sectors(see Annex):Sectoral scope,including whether they are sector-specific or horizontal and thus directed potentially at all data holders across all sectors.Beneficiaries,includ

29、ing whether only natural persons(i.e.individuals)or also legal persons(i.e.businesses)have a right to data portability.Type of data that is subject to data portability arrangements,including whether data portability is limited to personal data and whether it includes volunteered,observed or derived

30、data.Legal obligations,especially the extent to which data portability is voluntary or mandatory and if the latter,whether data portability consists of an ex ante regulatory measure or an ex post enforcement action.Operational modality,or modalities of data transfer reflecting the extent to which da

31、ta transfers are limited to or include ad hoc(one-time)downloads of data in machine-time(continuous)data transfers between data holders that enables Other dimensions could be used to categorise data portability arrangements,which,although pertinent,are not the central focus of the initiatives presen

32、ted in the Annex.For example,data portability initiatives could also be classified based on whether data portability consists of an ex ante or an ex post regulatory measure.Contrary to the ex ante measures outlined in the Annex,ex post measures are typically specific to competition enforcement,and a

33、re typically invoked by a regulator or the relevant court as a remedy once a breach of antitrust laws is identified.(Box 1;see also OECD,20212)Box 1.Data portability as(ex post)competition enforcement remedy 8 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Da

34、ta portability is often considered one of the ex ante regulatory measures that complement competition law remedies in policy discussions on competition issues(CMA,20202)(ACCC,20203)(HDMC,20204).Data portability can also be considered as an ex ante measure in merger reviews.However,the large majority

35、 of such cases tend to focus on requiring merging firms to license(bulk)data access instead of data portability as defined in this report(FTC,20145).Generally,ex post competition remedies have several advantages over ex ante regulatory measures.These include minimal compliance costs due to targeted

36、enforcement,greater flexibility,and coverage over all types of data when used for facilitating data sharing(OECD,20206).The unpredictability inherent in the development of digital markets and the potential benefits of digital innovations amplify the significance of these advantages.Against this back

37、drop,ex ante regulation that applies to all market participants can impose overbroad restrictions or costs on markets that ultimately do not exhibit competition concerns,potentially stifling innovation unnecessarily(JFTC,METI,MIC,20197)However,when faced with systemic competition issues common in th

38、e digital economy,governments have begun to consider complementary ex ante regulatory measures.Fast moving markets in the digital economy can generate adverse competition effects that may cause large-scale harms before competition law investigations and interventions are completed.In addition,effort

39、s to investigate may be hampered if potential competitors also rely on services offered by the dominant platform and are reluctant to co-operate with investigators.This situation is compounded by the intricate networks of value chains and digital transactions which may challenge the ability to demon

40、strate adverse impacts on competition and consumer welfare(CMA,20202)(HDMC,20204)(HDMC,20208).In response to competition concerns stemming from the unique characteristics of digital platforms,governments are considering ex ante measures focusing on the governance of platform operators and data-relat

41、ed remedies such as data portability.As these measures can fundamentally impact competition,careful consultation with stakeholders and long-term analysis and monitoring are needed(CMA,20202).Additionally,enhancing data portability is being explored to increase consumer control over data and reduce b

42、arriers to entry and expansion.Source:(OECD,20219)Sectoral scope There is a major distinction between general cross-sectoral data portability approaches(sometimes also referred to as horizontal approach)and sectoral or sector-specific approaches.General cross-sectoral approaches include privacy and

43、data protection frameworks such as the European Unions General Data Protection Regulation(GDPR),the GDPR of the United Kingdom,the California Consumer Privacy Act(CCPA)and the California Privacy Rights Act(CPRA)as well as other cross-sectoral data governance frameworks such as the Digital Markets Ac

44、t(DMA)and the EU Data 9 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Act,(see further details about data portability initiatives in the Annex).Conversely,sectoral approaches are most frequently used for critical infrastructure and cover e.g.financial servic

45、es(open banking and the EU Second Payment Service Directive of November 2015 PSD2),transportation and mobility(the EU Regulation on Motor Vehicles of May 2018),energy(e.g.EU Electricity Directive of 2019)and health care(e.g.HIPAA).r Data Right(CDR)is also mainly used for critical infrastructures,alt

46、hough it can be best classified as a hybrid approach in this respect.The CDR is implemented at a sectoral level based on requirements defined with market participants(primarily in infrastructural sectors such as energy,banking and telecommunications).However,it is a horizontal framework that ensures

47、 a common(Australian Government,202210).The strategic Open finance is anticipated to include datasets from across sectors,including general insurance,superannuation,merchant acquiring and non-bank lending service providers.Horizontal data portability initiatives in the past have focussed on a specif

48、ic type of data,mainly personal data.In an analysis of the legal framework on data portability in the European Union(EU),CERRE(Streel,Kramer and Senellart,202011)shows that horizontal data portability initiatives focus either on personal data or non-personal data with competition law being the excep

49、tion in many respects.On the other hand,sector-specific data portability initiatives usually cover a range of data types.This has changed with the introduction of the EU DMA as well as the EU Data Act which incorporate data portability provisions that complement Art.20 GDPR on the right to data port

50、ability(Table 1).Table 1.EU legal frameworks for data portability and sharing Personal data Non-personal data All data Horizontal Art.20 GDPR Right to data portability Art.16 Digital Content Directive Obligations in the event of termination Art.6(9-11)DMA Obligations for gatekeepers to provide data

51、portability Art.6 Free Flow of Non-personal Data Regulation Porting of data Chapter II Data Act B2C and B2B data sharing with a focus on the Internet of Things Sector-specific Art.66(4)and 67(3)Second Payment Service Directive(PSD2)Art.61 Regulation on Motor Vehicles(2018)Access to vehicle diagnosti

52、c,repair and maintenance data Art.23(2)New Electricity Directive 10 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 It is important to recognise that both,horizontal and sectoral approaches to data portability,can co-exist,although there are compelling reasons

53、 to adopt one over the other.For instance,sector-specific approaches can better address the specific legal,organisational and technical requirements of individual sectors,given that requirements for data transfers may vary by both data type and sector.Cross-sectoral approaches may on the other hand

54、facilitate data sharing across sectors more effectively.This becomes possible as certain industries may not have sufficient incentives to develop a sector-specific data-sharing framework on their own.Furthermore,sector-specific approaches may create asymmetries.In these cases,certain businesses may

55、act as data share their data.As an illustration,the revised PSD2 enables non-banks to access-party providers.However,banks are not given similar access to the comparable data sets,which could lead to unfair competition(de la Mano and Padilla,201812;Di Porto and Ghidini,202013;Kerber,202114).Given th

56、e difference in their sectoral scope,combined with their various objectives,such as privacy and data protection,consumer empowerment,innovation and competition support and enforcement,data portability measures may require cross-agency co-operation among different regulators and policymakers.This inc

57、ludes in particular co-operation between enforcement authorities in charge of competition,privacy and consumer protection.Other regulatory domains may also be concerned where data portability is implemented at a sectoral level(e.g.open banking).Co-operation across policy perspectives will be particu

58、larly valuable in terms of avoiding unintended consequences of data portability measures and developing the most suitable oversight approach.Further,given experience with these measures is limited,the sharing of lessons learned across regulators and jurisdictions will prove particularly and Australi

59、as Digital Platform Regulators Forum are noteworthy in this context,serving as platforms to enhance coordination and collaborative efforts among regulatory entities,addressing the multifaceted challenges and opportunities presented by digital platforms.That said,governments still need to plan which

60、regulator will have primary oversight of respective initiatives to ensure efficiency,streamlined processes and beneficial outcomes.Beneficiaries Most data portability initiatives tend to focus on individuals as the only beneficiary of the right to data portability.This reflects the common rationale

61、of most data portability initiatives,specifically the desire to empower individuals,notably consumers.It is especially the case with privacy and data protection frameworks that include a data portability right,such as the GDPR and the CCPA/CPRA.However,more recent initiatives also allow users more b

62、roadly(including organisations)to request that a data controller transfer their data to the user or to a ertain businesses.More 11 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 rights to access data held by data holders(the other category of actor)and direct

63、 that data be shared with accredited data recipients(the third category of actor).Similarly,the EU Free Flow of Non-Personal Data Regulation,promotes data portability of non-personal data in business-to-he Regulation instructs the Commission to contribute to the development of EU Codes of conduct to

64、 facilitate the porting of(non-personal)data in a structured,commonly used and machine-(Streel,Kramer and Senellart,202011).The regulation aims,among other goals,to enable easier switching between cloud service providers for professional users.The European-regulation in this area,encouraging provide

65、rs to develop codes of conduct regarding the conditions under which users can move data between cloud service providers and back into their(European Union,201815).To address apparent shortcomings in data portability and interoperability following the EU Free Flow of Non-Personal Data Regulation,the

66、European Commission(202216)proposed the Data Act(issued on 23 February 2022 and adopted on 27 November 2023).These shortcomings include both the limited efficacy of the self-regulatory frameworks and the general unavailability of open standards and interfaces,as well as the need to adopt a set of mi

67、nimum regulatory obligations on providers of data processing services.(European Commission,202216)The Data Act has several relevant provisions on data portability,e.g.,provision to further enable the switching between cloud and edge services and address existing lock-in effects(most notably Article

68、29).Significantly,the Act broadens the data portability rights to include not only individuals but also legal entities.It also aims to improve interoperability with regard to the building of common European data spaces,where necessary(European Commission,202216).The Data Act is complemented by the D

69、igital Markets Act(DMA)(adopted on 19 July 2022),which also includes data portability obligations in Article 6(9-11).Besides individuals covered under Article 6(9)DMA,Article 6(10)DMA mandates access by-party online search reasonable and non-discriminatory(FRAND)terms.Data subject to data portabilit

70、y arrangements When data are subject to data portability arrangements it is commonly required that-readable respect to which data is deemed portable,beyond potential needs for further 12 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 clarification on what qua

71、lifies as a structured,commonly used,and machine-readable format.4 OECD work on data governance stresses the need to differentiate between the different types(OECD,201517;OECD,201918;OECD,202119)which is imperative in the context of data portability and for addressing various stakeholder interests.I

72、n the context of data portability,the OECD(201918)distinguishes between:Volunteered(or surrendered,contributed or provided)data are data provided by individuals when they explicitly share information about themselves or others.Examples include entering credit card information for online purchases or

73、 creating a social network profile.Observed data are created where activities capture and record data.In contrast to volunteered data,where the data subject is actively and purposefully sharing its data,the role of the data subject in the case of observed data is passive;the data controller plays th

74、e active role.Examples of observed data include location data of cellular mobile phones and data on web usage behaviour.Derived(or inferred or imputed)data are created by data analytics processes,and bas(OECD,201420).In this case,the data processor plays the active role.Data subjects typically have

75、little awareness over what is inferred about them.Examples of derived data include Acquired(or purchased or licensed)data are obtained from third parties based on commercial contracts or licences(e.g.when data are acquired from data brokers)or other non-commercial means(e.g.when data are acquired vi

76、a open government initiatives).As a result,contractual and other legal obligations may affect the access,use and sharing of the data.The above categories are not exclusive to one another,and other categorisations may be also pertinent depending on the context.This categorisation reflects the extent

77、to which different stakeholders are involved in the creation of data and acknowledges that stakeholder involvement might take place at different times,including when 4 See for example the Netherlands where the individuals invoked Article 20 EU GDPR,asking for their data to be received either via an

78、API or a CSV file.However,the court,referring to Directive 2013/37/EU on the re-use of public sector information,ruled that machine-readable does not obligate the provision of data through these specific means.The court rejected the requests as the claimants did not justify why they needed additiona

79、l(machine-specify what additional data they required.(IAPP,202225 citing Rechtbank Amsterdam,202158 and Rechtbank Amsterdam,202159).See also Wong and Henderson(201955)who made 230 real-world data portability requests based on Article 20 EU GDPR across a wide range of data controllers,showing that on

80、ly 75%of data portability requests were successfully completed with some file formats not meeting the GDPR requirements.13 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 users(consumers and businesses)interact with a data product(good or service)such as a soc

81、ial networking service or a portable smart health device(OECD,201918).Data portability initiatives tend to focus primarily on volunteered data and to some extent on observed data.Some uncertainties remain on whether observed data should be subject to portability rights.The European Data Protection B

82、oard(EDPB),which endorsed an opinion by the Article 29 Working Party(adopted on 27 October 2017),includes both and(ii)data provided by the individual by virtue of the use of the service or the.However,it should not include personal data that are inferred or derived,which include personal data that a

83、re created by a service provider(for example,algorithmic results).The right to data portability enshrined in Article 20 of the GDPR,for instance,only the data subject under two specific legal bases for lawfulness of processing(i.e.data collected with consent,or where the processing is necessary for

84、the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract).Figure 1.Data products and the different ways data originate Note:Arrows represent potential data flows between the different actors and a

85、data product(good or service).The type of data is highlighted in bold to indicate the moment at which the data are created.Source:(OECD,201918).The Data Act of the EU broadens the scope of data portability to include a much wider range of data,offering a more comprehensive reach than Article 20 of t

86、he GDPR,which 14 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 focuses only on personal data.Not only does the Data Act cover both personal and non-personal data generated by the use of a product or service.The Act also specifies portability rights.Furthermo

87、re,it removes the limitation of scope based on the legal basis for data processing from just consent or contract as in the case of the GDPR,making the right applicable irrespective of the legal grounds for data processing.Moreover,the Act mandates the technical feasibility for third-party access to

88、all types of data,going beyond the limited technical requirements set out in previous regulations.available for data sharing in a specific sector,should the consumer wish to do so.Only Depending on the industry,the type of data made available to consumers can differ significantly,reflecting sector-s

89、pecific risks and requirements.For instance,in the banking sector data holders are required to share data on financial products such as credit and debit cards,deposit and transaction accounts,and data on mortgages.Data holders are able to share additional data on a voluntary basis.Legal obligation a

90、nd enforcement action The legal obligations surrounding data portability vary widely across jurisdictions and sectors,encompassing a range of approaches from voluntary frameworks to mandatory requirements.And when mandated,the mechanisms for enforcement can also differ considerably.For example,the U

91、nited Kingdoms midata initiative introduced in 2011 as voluntary frameworks granted authority under the Enterprise and Regulatory Reform Act 2013 to enforce compulsory regulations if voluntary measures proved insufficient.A similar approach to self-regulation is taken by the EUs Free Flow of Non-Per

92、sonal Data-monitored by the European Commission.Acknowledging the limitations of this self-regulatory framework,the European Commission later proposed the Data Act with mandatory portability provisions.Data portability provisions in most cases carry a mandatory obligation,especially in privacy and d

93、ata protection as well as sector-specific regulations,and these are typically backed by varying levels of oversight and enforcement.For instance,both the GDPR and the CCPA/CPRA establish obligatory data portability measures for entities under their jurisdiction.Singapores Personal Data Protection Ac

94、t(PDPA)was amended to include a new data portability obligation,which will come into effect with the issuance of forthcoming regulations.In Australia,the Consumer Data Right(CDR)requires data holders to share consumer data,but it gives consumers the discretion to opt in.The EUs Revised Payment Servi

95、ces Directive(PSD2)mandates third-party access to both account and payment transaction data.On the other hand,Japans 15 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Banking Act amendment leans towards a voluntary data portability arrangement,though(as of 20

96、20)more than 70%of banks have chosen to adopt its open APIs.Data portability regimes can also be classified based on whether data portability consists of an ex ante regulatory measure or an ex post enforcement action.Data portability measures tend to be of the former type,which the exception of thos

97、e implemented in the context of competition enforcement mechanisms(OECD,202121).In the latter case,data portability may emerge as the subject of,or remedy to,a competition enforcement theory of harm.For this to occur,several conditions must be met,including the importance of the data or platform acc

98、ess,the lack of technically and legally feasible workarounds(such as data scraping),and the ability of firms with market power to benefit from the alleged misconduct.Degrading data portability(or interoperability)could be anticompetitive,and could thus be considered an abuse of dominance.However,it

99、may be challenging to assess the related theories of harm in cases in which there were no pre-existing portability or interoperability arrangements.Collusive arrangements among market participants to deter entry through selective interoperability may also arise.More broadly,data portability and inte

100、roperability may be considered as remedies in abuse of dominance cases or in merger proceedings to address fundamental market conditions giving rise to competition concerns.Competition authorities in some jurisdictions have also imposed or recommended portability and interoperability measures throug

101、h market studies,market investigations and advocacy activities.The benefit of addressing interoperability and portability through competition enforcement and market studies or investigations is the resulting focus on competition harms,and the source of those harms,such as a dominant firm.In addition

102、,competition law remedies can be flexibly designed according to the situation of a given market,and adapted as the market evolves.However,these remedies will require substantial oversight,which may be a significant challenge for authorities to design and monitor.Given these challenges,ex ante regula

103、tion may be a possible alternative approach,particularly when the regulation is tailored to a specific sector,and there is a sector regulator in place to provide surveillance and dispute adjudication.This approach may also be faster or more preventative than competition enforcement.Examples of a reg

104、ulatory approach include data protection regulation,open banking(which has been used to enable multi-homing,shopping around,and mixing and matching),and proposed new measures focused on gatekeeper digital platforms.Operational modality Data portability is commonly characterised by the provision of d

105、ata in a structured,commonly used and machine-readable format.Nevertheless,the structured and machine-readable data can be provided to the user in several different ways.This typically includes(i)(ad hoc)downloads,whereby the data are stored(in a commonly 16 THE IMPACT OF DATA PORTABILITY ON USER EM

106、POWERMENT,INNOVATION,AND COMPETITION OECD 2024 used machine-readable format)and made available online(e.g.via a website)5;as well as APIs,which enable service providers to make their digital resources(e.g.data and software)available over the Internet.Contrary to ad hoc downloads,APIs can enable cont

107、inuous real-time data portability and thus the smooth interoperability of the different actors,their technologies and services.In addition,data holders can implement several restrictions via APIs to better control the use of their data,including by enabling access based on the identity of API users,

108、and the scale and scope of the data used.Last,but not least,a dedicated API from the online interface and,in some cases,to execute transactions on the of third parties.Data portability regimes that take advantage of APIs may in this way increase the security of,and trust underpinning,data transfers,

109、while minimizing the risk of copyright violations.6 through which data portability initiatives can be distinguished.For example,Article 12(3)of the GDPR requires that the original data holder provides the data subject with-month period can be extended to a maximum of three months for complex cases w

110、here the data subject has been informed about the reasons for such delay within one month of the original request.In contrast,the CCPA requires that businesses that receive a verifiable request from a consumer must:promptly take steps to disclose and deliver,free of charge to the electronically,and

111、if provided electronically,the information shall be in a portable and,to the extent technically feasible,readily useable format that allows the consumer to transmit this information to another entity without hindrance.(California Civil Code Section 1798.100d)As another example,PSD2 provides that:(t)

112、he account servicing payment service primmediately after receipt of the payment order from a payment initiation 5 to a target system using data formats that can be decoded on the target s(OECD,201918).target such that the meaning of the data model is understood within the context of a subject area b

113、y 6 Data scraping can lead to copyright concerns as the scraped data may include copyright protected material,which when republished or used in a different context,may violate copyright laws.(Teresa Scassa,201956;CNIL,202057)17 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPET

114、ITION OECD 2024 service provider,provide or make available all information on the initiation of the payment transaction and all information accessible to the account servicing payment service provider regarding the execution of the payment transaction to the payment initiation service provider.Data

115、portability arrangements may also distinguish the types of data recipients,in particular whether third-party data recipients need to be accredited to receive data.data holders must have demonstrated the implementation of particular digital security standards(OAIC,202122).To be able to receive consum

116、er data directly from data holders,third-party data recipients must be accredited by the Australian Competition and Consumer Commission(ACCC).Once accredited,they are referred to brand mark to help consumers recognise that the business is able to receive their data(OAIC,n.d.23).While common APIs can

117、 help address data portability challenges,their development and implementation typically requires coordination between market participants.The private sector obviously plays a pivotal role in shaping and implementing standards essential for effective data portability,including the development of API

118、s.Notably,in 2018,a consortium of tech companies such as Google,Meta,Microsoft,Apple,and Twitter(now X)proactively collaborated to launch the Data Transfer Project(DTP).This initiative aimed to develop a shared approach to data portability,a necessity in order to fully and effectually implement and

119、effectuate the goals driven by regulations.Building on the work of the DTP,in 2022,a subset of its contributors Google,Apple,and Meta-established the Data Transfer Initiative(DTI),a non-profit focused on furthering the same goals.Both these initiatives use existing APIs and develop service-specific

120、adapters to streamline data transfers,encouraging a wider array of service providers to support portability and thereby fostering innovation and interoperability.Some governments and regulators have leveraged this pivotal role of the private ipation.For instance,the Competition and Markets Authority

121、(CMA)in the United Kingdom collaborated with the nine largest banking institutions to establish the Open Banking Implementation Entity(OBIE).The OBIE has been instrumental in developing the API standards that guide the countrys Open Banking initiative and that commentators CDR,the government establi

122、shed the Data Standards Body(DSB)to deliver open standards with the support of multistakeholder working groups for designing and testing these open standards.Similarly,the European Data Innovation Board(EDIB),as set out in Article 29 of the EUs Data Governance Act,works in tandem with the Data Space

123、s Support Centre(DSSC)and industry partners to foster the adoption of best practices and cross-sectoral data sharing standards.18 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Data portability opportunities and challenges Increasing competition and consumer

124、choice From a competition perspective,data portability measures seek to address a broad range of concerns prevalent in online markets.These include consumer lock-in associated with network effects,anticompetitive conduct enabled by vertically integrated business models and conglomerate enterprises,d

125、emand-side concerns such 7 in reducing market contestability.Additionally,data portability can also leverage digital technologies to promote competition in specific sectors such as banking,energy and transportation to name a few.(OECD,202324)Data portability measures aimed at enhancing competition s

126、trive to lower user switching costs and reduce friction when adopting new services.Such measures could,in turn,stimulate competition by facilitating market entry for newcomers,especially in markets where individual-level data holds significant value and is needed for providing services.Further,the c

127、ompetition benefits of data portability may extend beyond the original market as the same data set can in theory fuel multiple applications beyond the markets in which the data were originally collected.Over the medium to long term,this may allow the development of firms outside a market to eventual

128、ly challenge incumbents within the initial market.(OECD,202121)Data portability can enable the concurrent use of multiple services that might offer similar,complementary,or competitive functionalities(multi-homing).This may (OECD,20219)However,even in scenarios where multi-homing diminishes the incl

129、ination of customers to switch services,the enhancement of interoperability achieved through real-time data exchanges between various online services,can still enhance competition.(OECD,202121)This enhancement can occur in two distinct manners:externally,among digital platforms(or ecosystems),by all

130、owing users to preserve network effects on new services;and internally,within the same digital platforms(or ecosystems),by allowing users to mix and match different complementary services from different providers.However,the effectiveness of data portability measures on competition could be constrai

131、ned by several other factors,including those unrelated to data that nonetheless significantly impact the competitive capabilities of firms in data-driven markets.Limitations may arise,for instance,if the scope of the data is too narrow,if 7 Data feedback loops refer to the self-reinforcing mechanism

132、s in data-driven,multi-sided markets where the collection and reuse of data lead to improved services.These enhanced services attract more users,generating even more data and thereby further improving the service in a virtuous cycle.Such loops can significantly strengthen one side of a multi-sided m

133、arket,reinforcing its market dominance(OECD,201559).19 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 user-initiated data portability requests are not sufficient to generate economies of scale,if there are no existing or prospective firms that stand to benefi

134、t from the data,or if prevailing network effects limit the value of new digital services regardless of data sharing.(OECD,202121)These challenges may be compounded by consumer doubts or lack of understanding about the benefits from data portability(see section Additionally,when portability measures

135、include data that required significant investments to obtain and use,including investments in complementary intangible assets such as skills and competences as well as organisational change,they may discourage or render inefficient the implementation of these measures,adversely affecting the develop

136、ment of a market.(OECD,20219)This could be in terms of data collection or deriving value from raw data through analysis and insights.This is inline with evidence suggesting that larger entities are more equipped than SMEs to undertake the essential investments for transforming data into productivity

137、 gains,thereby securing larger market shares.(OECD,202225)All this underscores that access to data,through mechanisms such as data portability,is a necessary but not sufficient condition for fostering competition in data-driven markets.Further,data portability could create risks in terms of market t

138、ransparency more personal data(both from rivals and consumers),since consumers may be more inclined to share data if they know they can be ported elsewhere.In cases where a dominant digital platform lacks substantial competition,including from potential new entrants,data portability measures may be

139、more effective in stimulating competition in adjacent and complementary markets rather than in challenging the platforms dominance.(OECD,20219;OECD,202121)Consequently,when implemented solely to advance competition objectives,data portability measures may be most effective and appropriate in markets

140、 where(according to OECD,202112):Access to personal data provides tangible competitive advantages to recipient firms.A degree of competition is already present or is expected so that network effects and data-driven economies of scale do not completely preclude effective competition.The data in quest

141、ion are applicable to well-defined uses and available in a standardised format.The data do not entail substantial IPR or other ownership complexities;and/or Consumers are fully informed about their rights and about of the nature of the data to ported,and they are comfortable with and have trust in s

142、haring the data in question between platforms.20 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Measures aimed at enhancing interoperability,for instance by enabling continuous data transfers can improve data utility for recipients and help consumers preserve

143、 network effects when switching services.(OECD,20219;OECD,202121)This can address some of the limitations associated with one-off(static)data portability arrangements.However,these measures are not without risks to competition and innovation.Without adequate oversight and careful design,they may ent

144、rench incumbent technologies,disincentivise data-related investments and innovation,and heighten risks for exclusionary conduct or tacit collusion.For example,universal requirements to interoperate with all other services could be expensive with uncertain benefits including for small and medium-size

145、d enterprises(SMEs)and start-ups.Such companies may bear a disproportionate burden,being mandated to ensure compatibility with every existing system in the market upon entry.(OECD,20219)Conversely,dominant market participants would be more likely to have the capital to invest in necessary systems,as

146、 well as to play a role in determining standards.Therefore,asymmetric approaches for example through either competition enforcement or regulation may be necessary to concentrate the obligations and burdens of data portability on large incumbents while avoiding the creation of entry barriers for new

147、firms.(OECD,202121)Facilitating personal data flows and enabling informational self-determination The portability of personal data more specifically gives data subjects(i.e.the individuals that are identified or identifiable through personal data)the ability to exercise more control over their data.

148、(OECD,20219)By allowing them to request data downloads or transfers,data portability can be a means to implement individual participation principles such as articulated in the OECD Privacy Guidelines.For individuals to effectively exercise this right,a prerequisite is an existing level of transparen

149、cy;they to know what data is available about them,the nature of the data being transferred,the entities they are being transferred to,and eventually the duration for which the transfer will persist.This knowledge is crucial as it provides the basis for individuals to make informed decisions regardin

150、g what to download and whether to initiate data transfers.All these processes are that distinguish data portability from other data sharing approaches,where data transfer is typically initiated by the data holder or recipient instead of the data subject(or individual).As a positive consequence of th

151、e competition benefits highlighted above,data portability can help address the power imbalance between consumers and digital service providers(OECD,20219).Specifically:The option to download their personal data from a data controller can contribute to more transparency and allow data subjects to det

152、ermine whether they wish to take further action(such as correction or,to the extent granted by law,deletion).21 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 The option to transfer allows individuals to switch from a data controller with subpar privacy polic

153、ies and practices and poor data management capabilities to one that is more trustworthy and better aligned with their privacy and data governance preferences.(See Luzsa et al.,202216)This capability also serves as a safeguard against data loss or unavailability,for example,if a provider ceases opera

154、tions.Instead of losing their customer history,individuals could simply transfer their data to a new provider.These-determination.8 While data portability holds promise for enhancing informational self-determination,its benefits are still not guaranteed.(Syrmoudis et al.,202126;IAPP,202227;Kranz et

155、al.,202328).Success depends on the effective and secure implementation of the data request and transfer processes in line with privacy and data protection obligations and best practices.For example,the digital security protocols of the data recipient may be inadequate,or individuals may lack clear i

156、nformation about how their personal data and privacy will be safeguarded.Therefore,there must be clarity on the circumstances under which the data holder or the data recipient may be held liable for digital security and privacy breaches stemming from data portability transfers.(Clarity about respons

157、ibility and liability is crucial for data holders,recipients,and data subjects alike.(OECD,20219)Liability concerns span not only digital security breaches,privacy and IPR violations,but other risks such as poor data quality.These risks can also vary based on the data portability model,industry cont

158、ext,and whether data is transferred on a one-off basis or via a continuous feed.Once data are transferred,the original data controllers liability generally is expected to cease,shifting to the recipient.However,if the original data controller transfers incorrect or insecure data,they could still be

159、held liable.Issues may also arise when third party information may be concerned.Enforcement mechanisms,which can include private lawsuits or regulatory penalties,therefore play a key role although they may vary based on the nature of the breach and the regulatory frameworks involved,making it essent

160、ial for all parties to understand their responsibilities and potential liabilities.That said,risks exist that extend beyond legal liabilities.For example,data portability could result in the excessive collection and sharing of personal data even when privacy and data protection requirements are met.

161、Service providers and other relevant actors may gain additional abilities to process and analyse previously inaccessible personal data,thereby enhancing their profiling capabilities which could adversely affect fundamental rights and freedoms.(Van der Auwermeulen,201729)This may exacerbated by highe

162、r risk that these actors may be incentivised to take advantage of vulnerable consumers,such as the elderly and very young consumers,who in turn 8 For example,when Googles social networking service,Google+,was shut down in 2019 due to low usage and data privacy issues,users had a grace period to down

163、load their data,after which they lost access to their posts,images,and other shared content.22 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 may feel pressured to provide more data than is beneficial for them(BEUC,202230;OECD,202331).For instance,an insuranc

164、e company could demand access to a consumers social media data through a data portability regime as a precondition for service.Or a company may sell a fitness tracker at a discount if consumers agree to share health data in return,leading to consumers in economically challenging situations being at

165、risk of giving away privacy protection due to economic considerations.Such practices might lead to a resurgence of excessive data collection practices.Therefore,it is crucial to collection limitation and purpose specification to name just a few,and the need for data practices that support these prin

166、ciples,including through e.g.the use of privacy-enhancing technologies.(OECD,202332)Lastly,the right to data portability has data.By granting individuals(and legal persons)a right of data portability,the original data holders ability to exclusively monetise or otherwise commercially exploit the data

167、 that is subject to data portability is typically limited,potentially opening it up for use by competitors.While the intent is to reduce lock-in and increase competition regulations,implementing this presents its own set of challenges as discussed in the next section.Adoption and technical implement

168、ation challenges Data portability initiatives have seen mixed success in terms of adoption,and this success often hinges on the distinctive approaches in their implementation,particularly with respect to their operational modality but also related practical aspects such as user experience,and the av

169、ailability of third-party service providers that can leverage data portability.There is empirical evidence to suggest that the varying degrees of success of data portability initiatives are also closely tied to user capabilities.More specifically,users possessing proficient technical abilities,espec

170、ially those who value privacy,are more inclined to exercise their right to data portability.(IAPP,202227;Kranz et al.,202328)This challenge is particular pertinent situations where users are expected to navigate and manage the data transfer process,typically through web interfaces or APIs,or where s

171、ome data are presented in formats that are incomprehensible to the average person.In the latter,this can lead to lack of sufficient understanding of the nature of the data to be transferred,and of the implicaof third parties.Despite growing legislative support for data portability in certain privacy

172、 and data protection frameworks,for instance,adoption by individuals is still facing significant challenges,primarily due to the lack of awareness and understanding.The European Commission acknowledged this challenge in its assessment of two years of application 23 THE IMPACT OF DATA PORTABILITY ON

173、USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 data portability has a cl(European Commission,202033)This is in line with findings from Luzsa et al.(202234)according to which only 26%of respondents surveyed in Germany in 2020 were aware of their right to data portability,with not even 7%indica

174、ting to have exercised this right.Approximately 25%of respondents indicated that,despite their intentions to switch providers due to concerns related to trust,privacy,and security,they ultimately did not transfer their data to a new service.The main barriers identified encompass concerns over loss o

175、f social contacts,loss of data and content,and lack of knowledge or experience with service switching.This contrasts with initiatives such as open banking,where substantial advancements and adoption have been demonstrated.(OECD,202324;OECD,202335)In the United Kingdom,for instance,more than 4 millio

176、n users consumed open banking services in 2022 with a noticeable rapid increase in the number of payments and API requests were made via the initiative.In December 2023,1.3 billion requests were successfully made via open banking APIs,30%more compared to December 2022,and up to 70%more compared to D

177、ecember 2021.In April 2024,the number of requests increased further to 1.4 billion(up to 26%more compared to April 2023).9 The relative success of open banking initiatives can be attributed to several factors.In these frameworks,consumers mostly engage with organisations providing value-mechanisms.C

178、onsequently,the intricate processes of data transfer are conducted behind the scenes by the organisations,requiring consumers mainly to provide access credentials to the original data holder and consent for the data transfer,thereby minimising technical complexities for the consumers.Moreover,the de

179、velopment and promotion of standardised APIs for interoperability (OECD,202324;OECD,202335)banking institutions,facilitated smoother interactions among various stakeholders,reduced integration and interoperability challenges,and enabled innovations by third parties.Such innovations have enriched use

180、r experience including by alleviating technical burdens on consumers and streamlining their interaction with financial services as highlighted above.That said,the moderate complexity and structured nature of the financial data being handled has been a contributing factor as well.The data involved in

181、 open banking,such as transaction details,account balances,and other financial particulars,are generally well-structured,and thus conducive to be shared securely and seamlessly across platforms via standardised APIs.This stands in contrast to the broader scope of personal data that can be transferre

182、d based on the right to data portability of privacy and data protection frameworks and that can range from tabulated data and 9 See www.openbanking.org.uk/api-performance/(last accessed 19 June 2024)24 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 text to pi

183、ctures,videos and other multimedia content.10 It can be challenging to successfully write software that applies general frameworks to a broad range of data types,as demonstrated by progress made so far by,e.g.,the Data Transfer Project(DTP),an open source platform for personal data portability.Concl

184、usion Data portability,as evidenced by the growing body of legislation,stands out as a promising instrument for enhancing access to and sharing of data across digital services and platforms.Data portability initiatives aim to empower users,enhance their self-determination,and/or foster competition a

185、nd innovation.However,prevailing legislation vary significantly in their emphasis on either user empowerment and self-determination or competition and innovation;and in their applicability,whether cross-sectoral or sector-specific.Furthermore,the current status quo,where data portability rights are

186、largely dormant,in particular within privacy and data protection frameworks,may necessitate further considerations by policy makers and regulators to bridge the gap between legislative intention and practical realisation.While privacy and data protection frameworks like the GDPR(including in the EU

187、and the United Kingdom)primarily focus on empowering individuals and enhancing informational self-determination through data portability provisions,other legal regimes such as Australias Consumer Data Right(CDR),the EUs Digital Markets Act(DMA),and Digital Services Act(DSA),along with sector-specifi

188、c regulations like open banking in the United Kingdom and the early place greater emphasis on using data portability to foster consumer choice,competition and innovation.These legislative nuances in the specific objectives of-faceted impact both on individual rights and market dynamics.However,the v

189、ariations between existing data portability initiatives,in particular within the same jurisdiction,can introduce legal uncertainties for market participants tasked with implementing these measures.These variations not only pertain to the specific including who has the right and can request data port

190、ing,under which legal basis,and what type of data can be ported,in particular in cases when third party data are involved.These complexities are exacerbated by uncertainties around liabilities,specifically the circumstances under which both the data holder and the data recipient may be held accounta

191、ble and liable for breaches of privacy or intellectual property rights(IPR).Coupled with the lack of awareness and competence of users in respect to their rights and how to exercise these rights,this can prevent the effective adoption of data portability.10 See Wong and Henderson(201955)highlighting

192、 the different types of data and their various formats involved in the context of their 230 real-world data portability requests made based on Article 20 EU GDPR.25 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Considering above challenges,data portability i

193、nitiatives may require complementary measures to achieve their policy objectives.These could include raising public awareness about the purpose and scope of these initiatives.Specific attention may also be required to clarify the circumstances under which data holders or data recipients may be held

194、liable for rights violations.Central to navigating these complexities and ensuring successful adoption of data portability is also the trust users place in digital service providers or platforms.This trust is the foundation for users willingness to share and transfer their data and is thus a pivotal

195、 element for the success of data portability initiatives.Thus,in efforts to raise awareness,measures put in place to enhance digital security and protect privacy and IPR need to be highlighted.Clear guidance on implementing data portability measures may also be needed.The observed dichotomy between

196、the uptake of the right to data portability under privacy and data protection frameworks and e.g.open banking initiatives yields crucial insights for the effective implementation of data portability frameworks.This discrepancy cannot be attributed to the differences between sector-specific and cross

197、-sectoral initiatives or the type of legal frameworks.Rather,it points to the importance of the operational modality of data portability initiatives.This includes,most notably,the role of standardised approaches to data transfers,whose development and adoption typically necessitate coordination and

198、advocacy.Other practical factors,including enhanced user experiences and the availability of third-party service providers that can leverage data portability,also appear to be crucial as they can alleviate potential skill barriers while delivering high value through good user experiences,thereby acc

199、elerating acceptance and adoption of data portability.However,to substantiate this perspective,more robust empirical evidence on consumer preferences regarding data portability is needed,specifically to better understand whether and what forms of portability are truly desired by users.Evidence based

200、 on the initiatives assessed so far suggests that coordinated efforts,facilitated by governments where appropriate,may also be required to ensure successful adoption of data portability.This could involve,the help of governments to specify interoperability requirements where appropriate,and to encou

201、rage the development and adoption of common APIs and standards.The establishment of e for promoting the development and/or adoption of these common standards together with best practices has been a well-noted practice among some governments to foster the adoption of data portability.This is exemplif

202、ied by the Open Banking Implementation Entity(OBIE)seen in open banking in the United Kingdom and the Data Standards Body(DSB)established in the context.In this context,strengthening cross-agency enforcement co-operation and coordination becomes another essential element for the success of data port

203、ability co-operation and coordination.This is illustrated by the EDIB,which consists of 26 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 representatives of national authorities designated under the EU DGA,including but not limited to the European Data Protec

204、tion Board and the European Data Protection Supervisor,but also other bodies and business representatives with specific sectoral expertise.Cross-agency co-operation is crucial given that data portability initiatives address issues at the intersection of competition,privacy and consumer protection at

205、 least.Other regulatory domains may also be concerned where data portability is implemented at a sectoral level(e.g.open banking).As data portability initiatives may span multiple regulatory domains,governments need to plan which regulator will have primary oversight of the initiative to ensure effi

206、ciency,streamlined processes and beneficial outcomes.Against this backdrop,the OECD work in reviewing and possible revising the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy is poised to be highly relevant and instructive in this context.Lastly,implem

207、entation costs should not be underestimated.These may be one-time expenses for setup rather than ongoing costs,covering areas like technical development,consent management,and legal fees.Nevertheless,even these one-time expenditures can prove to be substantial,posing considerable financial strains p

208、articularly for SMEs and start-ups,and potentially hindering their ability to integrate data portability effectively within their operational frameworks.Trusted data intermediaries(TDIs)can potentially lower these costs while also enabling compatibility,interoperability and providing enhanced user e

209、xperiences with high value-added services.Yet,the growing role of TDIs could centralise existing data schemes with negative effects on competition,privacy,and consumer protection.Future OECD work will provide more insights into the challenges and opportunities presented by these emerging intermediar

210、ies.In conclusion,data portability has evolved from its initial conceptual stages into a nuanced regulatory instrument,underpinned by the changing modalities of data transfer,which have remarkably affected its practical use.The annex outlines this progression:from Data Portability 1.0,which involves

211、 one-time data downloads,to Data Portability 2.0,focused on ad-hoc data transfers,to the most recent stage,Data Portability 3.0,which emphasises real-time transfers for interoperability.The diversity of these approaches across and within jurisdictions,as well as by the private sector,underscores not

212、 only the complexity of implementing data portability but also indicates that a one-size-fits-all approach may not be suitable.This diversity,however,also provides a substantial opportunity for governments and regulators to engage in mutual learning and to pursue cross-jurisdictional and multi-disci

213、plinary co-operation and co-ordination.27 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Annex.Selection of data portability initiatives in the private and public sector The Annex provides a taxonomy that can be used for mapping and analysing data portability

214、 initiatives in the private and public sectors.Data Portability 1.0:Ad hoc data downloads The midata initiative of the United Kingdom Responsible entity:Government of the United Kingdom Description:(BIS,201136)globally there has been such a government-backed initiative to empower(OECD,201517).The pr

215、ogramme was initially rolled out in anticipation that release of transaction data would stimulate innovation and the expansion of third-party choice engines such as price comparison websites(BIS,201237).Beneficiaries and data types:midata seeks to give consumers access to the electronic information

216、that companies hold about their transactions in a machine-ng history and purchases when logged in to a particular website(BIS,201238).However,information about complaints or other such communications with service providers,would not constitute individual transaction data.Addressees and sectoral scop

217、e:The midata initiative focuses on businesses in three sectors:energy supply;the mobile phone sector;and the financial sector(current accounts and credit cards).Legal obligations:Rather than legislating to introduce this data portability Enterprise and Regulatory Reform Act 2013(Goverment of the Uni

218、ted Kingdom,201339).This allows the Secretary of State to introduce 28 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 regulations to make midata compulsory if the government is unsatisfied with progress in these sectors on a voluntary basis.11 Operational mod

219、ality:The midata initiative essentially allows consumers to download their current account transactions in a standardised format for easy comparison against accounts offered by other providers.Since then,the United Kingdom government has taken steps to implement midata in the energy sector(BEIS,2018

220、40).The United Kingdom has now adopted legislation mirroring the GDPR,including the right to data portability,and issued guidance to this end.Read more:https:/assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/294798/bis-11-749-better-choices-better-deals-consume

221、rs-powering-growth.pdf Private sector initiatives Responsible entity:Google Description:The private sector,including online platforms,has been investing and tools that allow its users to export a copy of their data from individual Google place for users to download a copy of their data and/or to sen

222、d a copy of their data directly to another service(see next section on data portability 2.0 on the DTP)(Willard,20 July 201841).Read more:https:/ Responsible entity:Facebook Description:In 2010,as another example,Facebook began allowing its users to download their personal data(including profile inf

223、ormation,photos,videos,wall posts,event information and a list of friends)(Tsotsis,201042).Read more:https:/ entity:Apple Description:Recently,Apple announced that customers in certain jurisdictions can request to transfer a copy of their photos to other services,including Google Photos(Apple,202243

224、).11 See Sections 89-91 of(Goverment of the United Kingdom,201339)29 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Read more:https:/ Data Portability 2.0:Ad hoc direct transfers of data to another data holder Health Insurance Portability and Accountability A

225、ct(HIPPA)in the United States Responsible entity:United States Government Description:HIPAA was introduced in the United States in 1996 to improve the flow and transfer of information related to health care.Among its major goals,HIPAA aimed to make it easier for patients to receive continuity in car

226、e if their health insurance coverage changed,such as when changing employer.In 2013,the HITECH Act significantly amended HIPAA to allow for better privacy protection in relation to electronic health records.More recently,the Department of Health and Human Services has proposed changes to the HIPAA p

227、rivacy rule(which restricts the use and transfer of protected health information)to enable individuals to directly share their patient health information among covered entities(HSS,202044).This includes requiring electronic patient health information to be provided to individuals at no cost(HSS,2020

228、44).These changes are under Type of data:The proposed amendments would allow for easier transfer for information maintained or transmitted by or on behalf of HIPAA covered entities(i.e.health care providers who conduct covered health care(HSS,202044).Beneficiary:Currently,under HIPAA,patients can ac

229、cess and obtain a copy of their PHI and provide it to third parties.The proposed rules contemplate parties.This right would require entities covered by HIPAA,including health to another health care provider and to receive back the requested electronic iding the need for the individual to be involved

230、 in the data porting.Addressees and sectoral scope:HIPAA is a sectoral regulation,as it only applies to certain health information and certain parties involved in providing health care and related services and thus covered by HIPAA.Mandatory or voluntary:The changes would create a mandatory data por

231、ting regime,where covered entities would be required to transfer data upon request by an individual.30 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Operational modality:The proposed rules contemplate one-off data also able to request access and receive and

232、deal with data themselves,the proposed regime allows for the user to provide the request to one entity and request the data be provided directly to another entity.The proposed rules would reduce the time in which covered entities are required to respond to an access request from 30 calendar days to

233、15 calendar days,with the opportunity of a further 15-day extension.The proposed rules also provide for circumstances in which the electronic PHI must be provided at no charge to the individual but allow for fees to be charged for direct transfer to another covered entity.Read more:www.hhs.gov/sites

234、/default/files/hhs-ocr-hipaa-nprm.pdf The California Consumer Privacy Act(CCPA)and the California Privacy Rights Act(CPRA)Responsible entity:State of California Description:The 2018 CCPA,which took effect on 1 January 2020 and started to be enforced from 1 July 2020,incorporates a quasi-data portabi

235、lity obligation.In November 2020,Californians voted to approve the CPRA of 2020,and it came into effect on 1 January 2023.It complements the CCPA by updating and extending certain rules and stipulations to enhance the privacy rights of Californian consumers or households,including their rights to da

236、ta portability.Addressees and sectoral scope:Pursuant to California Civil Code Section 1798.145(a)(6)and Section 1798.140(c)(1),all companies doing business in California have to comply with the CCPA.An exemption only applies if a company has an annual revenue of less than USD 25 million,collects da

237、ta from fewer than 50 000 Californians annually and earns less than 50%of its income from its data commerce(Specht-Riemenschneider,202145).The CPRA has a slightly narrower scope:only those companies with annual buys,sells or shares of the personal information of 100 000 or more Californian consumers

238、 or households fall under the scope of the CPRA.Nevertheless,the CPRA has a more extended scope:it includes companies with annual revenues derived from sharing personal data in addition to selling it(IAPP,202146;Gross,4 May 202147).Beneficiaries:California Civil Code Section 1798.100 provides that a

239、 consumer shall have the right to request that a business that collects a cand specific pieces of personal information the business has collected.Type of data:Until 1 January 2021,certain data,such as employee data and business communication data,were exempted from the scope of the CCPA 31 THE IMPAC

240、T OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 describes or can reasonably be associated with a particular consumer or household,or could reasonably be associated,directly or indirectly,with a particular consumer or household.The CPRA introduces a new category of prot

241、ected data:sensitive personal information(SPI),which can be compared to Article 9 of the EU GDPR.Relevant to data portability,and in requirements and restrictions on SPI,giving users expanded rights to control use of their (Gross,4 May 202147).Operational modality:Businesses that receive a verifiabl

242、e consumer request or electronically,and if provided electronically,the information shall be in a portable and,to the extent technically feasible,readily useable format that allows the consumer to transmit this information to another entity business may provide personal information to a consumer at

243、any time but shall not be required to provide personal information to a consumer more than twice in a 12-data to another controller was initially contemplated,there is no obligation under the CCPA for controller-to-controller data transfers.This is a major the extent technically feasible,in a struct

244、ured,commonly used,machine-(Gross,4 May 202147).Read more:https:/leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5 Responsible entity:Privacy enforcement authorities of the European Union member states Description:The entry into force of the GDPR i

245、n May 2018 formalised the right of data portability within the European Union.Whereas the directive that preceded the GDPR gave data subjects the right to access their data,12 the GDPR went a step further and granted data subjects a separate,distinct right of personal data portability.That right,in

246、Article 20 of the GDPR,provides that the data 12 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(OJ L 281,23.11.1995),Art.12.32 THE IMPACT OF DATA

247、 PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 personal data concerning him or her,which he or she has provided to a controller,in a structured,commonly used and machine-readable format and have the right to transmit those data to another ssing is based on consent or another l

248、egitimate category(Art 92),is necessary for the performance of a contract,or when the processing is carried out by automated means(Art.oblige controllers to adopt or maintain processing systems that are technically compatible.Type of data:The GDPR right only applies to personal data provided by the

249、data subject with consent or under contract that is electronically processed.The(former)Article 29 Working Party indicates in accompanying guidance that the definition of personal data should encapsulate data volunteered by the individual or observed by virtue of their use of the service or device b

250、ut not personal data that is inferred or derived(OECD,201517).Beneficiarynatural persons corporations cannot take advantage of the right to data portability Art.4(1).The GDPR also provides that the right to data ersonal data transmitted Addressees and sectoral scopeit applies beyond specific sectors

251、.Mandatory or voluntary:The GDPR provides a right to data portability;entities subject to the GDPR are obliged to respect it.Operational modality:The GDPR provides that the data controller provides month period can be extended to a maximum of three months for complex cases,provided that the data sub

252、ject has been informed about the reasons(OECD,201517).Read more:https:/eur-lex.europa.eu/eli/reg/2016/679/oj The regulation for the free flow of non-personal data of the European Union Responsible entity:European Commission Description:Shortly after the GDPR entered into force,the European Union int

253、roduced a regulation on a framework for the free flow of non-personal data in 33 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 the European Union.13 The regulation provides that the European Commission shall encourage the development of Union-practices for f

254、acilitating the switching of service providers and the porting of data in a structured,commonly used and machine-readable format including open standard formats where required or requested by the service provider receiving ance on the regulation in May 2019 with a particular focus on datasets compri

255、sed of personal and non-personal data.14 Type of data:The regulation for the free flow of data specifically relates to non-personal data.Together,these regulations create a comprehensive framework for the free movement of all types of data(personal and non-personal)within the European Union.Benefici

256、ary:The FFDRs contemplate data transfers between data holders to enable switching of service providers and the porting of data.Addressees and sectoral scope:Similar to the GDPR,the EU Free Flow of Non-Personal Data Regulation applies generally across all sectors.Mandatory or voluntary:The EU Free Fl

257、ow of Non-Personal Data Regulation proposes a framework of self-regulation to be developed by businesses.It-regulatory codes of the European Commission.Operational modality:The free flow of data regulation does not provide information and operational requirements for data porting should be defined b

258、y market players through self-regulation,encouraged,facilitated and monitored by the Commission,in the form of Union codes of conduct Read more:https:/eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018R1807 Responsible entity:Government of Canada Description:Currently,Canadian law does not co

259、ntain a general right to data portability.However,Canadians have the right to obtain access to their personal 13 Regulation(EU)2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union(OJ L 303,28.11.2018).

260、14 Communication from the Commission to the European Parliament and the Council Guidance on the Regulation on a framework for the free flow of non-personal data in the European Union(COM/2019/250 final).34 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Act,th

261、e federal public sector privacy law,Canadians have a right of access to information held by government institutions.15 As of July 2022,this right of access was extended to any individual regardless of nationality or location.Under the Personal Information Protection and Electronic Documents Act(PIPE

262、DA),the federal private sector privacy law,Canadians have a right of access to information held by private sector organisations covered by the law.and digital eco2019).16 The Digital Charter Implementation Act,2022,tabled in June 2022,proposes to enact a new Consumer Privacy Protection Act to replac

263、e Part 1 of the existing PIPEDA.The CPPA includes a right to data mobility that would be enabled through regulations.Read more:https:/ised-isde.canada.ca/site/innovation-better-canada/en/consumer-privacy-protection-act Quebec Private Sector Act At the provincial level,Quebec has amended the Quebec P

264、rivate Sector Act,including by inserting a data portability right similar to article 20 of the GDPR which will come into force in 2024.17 Type of data ported:Once in force,the law relates to the porting of personal information only.Personal information held by the data holder would need computerised

265、 personal information in a structured,commonly used Beneficiary and addressee:The law allows for transfers of data to either the person who made the request and about whom the personal information relates.Further,the amendments would require that the business must,upon request,communicate the person

266、al informat 15 Privacy Act,Government of Canada,1985,https:/laws-lois.justice.gc.ca/ENG/ACTS/P-21/index.html.16 Government of Canada,Charter:Trust in a digital world,2021,https:/www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html.17 National Assembly of Quebec,Project de loi n 64,2020,http:/m.assnat.qc.c

267、a/en/travaux-parlementaires/projets-loi/projet-loi-64-42-1.html.35 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Sectoral or general:The law provides a general,cross-sector data portability right.Ex ante or ex post:The law is an ex ante regulatory model.Mand

268、atory or voluntary:The law provides a mandatory model as part of broader privacy and data protection regulation businesses must comply.Operational modality:The law does not provide details as to the velocity of the transfer or other details about the operational modality.Read more:https:/www.legisqu

269、ebec.gouv.qc.ca/en/document/cs/p-39.1 The Regulation of Electronic Commerce and Efforts Regarding Competition in the Republic of Trkiye Responsible entity:Government of the Republic of Trkiye(hereafter Trkiye)Description:Trkiye enacted the Law No.6563 on the Regulation of Electronic Commerce.Address

270、ees and sectoral scope:Law No.6563 is a sectoral regulation as it concerns electronic commerce service providers.Beneficiary:Electronic commerce service providers are allowed to transfer their sales data from electronic commerce marketplaces without any charge.They are also able to provide free and

271、effective access to this data and any processed data obtained from it.This approach seeks to fosters a dynamic environment that promotes collaboration and a shared understanding among all parties involved.The aim is to reduce the dependency of electronic commerce service providers on electronic comm

272、erce marketplaces,thereby reducing the lock-in effect,enabling multiple access and foster data portability.Data type:Non-personal data.Mandatory or voluntary:The data portability obligation is mandatory.Operational modality:Article 2/2(b),introduces a legal obligation for electronic commerce service

273、 providers to offer technical means for the free transfer of data obtained through their sales,as well as free and effective access to both the original and processed data.This obligation concerns data portability.Read more:https:/www.mevzuat.gov.tr/MevzuatMetin/1.5.6563.pdf Lei Geral de Proteo de D

274、ados Pessoais Responsibly entity:Government of Brazil 36 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Description:Brazil enacted a General Data Protection Law in 2018(LGPD,being the Portuguese acronym for Lei Geral de Proteo de Dados Pessoais).Beneficiary:O

275、ne of its greatest innovations is the broad right to data portability,which allows consumers to request an entire copy of their data in an interoperable format,which they can then take to competitors.According to Art.18(2)LGPD,the data subject has a right to access his or her data,which corresponds

276、to a right to be informed about such data.Art.18(5)LGPD grants a right to data portability,which is imported from Article 20 of the GDPR.Addressees and sectoral scope:The LGPD is a cross-sectoral privacy protection regulation and thus applies across sectors.Data type:Art.18(5)LGPD applies to both da

277、ta provided by the data subject and observed data.Operational modalityanother service or product provider,by means of an express request and subject to commercial and industrial secrecy,pursuant to the regulation of the controlling not establish a major threshold that requires the specific consent o

278、f the data subject.For the LGPD,the request to data portability does not have to be based on an existing contractual relation to request this right from a data controller,as long as this is technically feasible.Further,the LGPD does not establish an exemption to exercise this right when the processi

279、ng of personal data is necessary to perform a task carried out in the public interest or in the exercise of an official authority vested in the controller.Read more:https:/www.gov.br/cidadania/pt-br/acesso-a-informacao/lgpd Responsible entity:Description:The PDPC introduced a new data portability ob

280、ligation in the effect with the issuance of forthcoming regulations.Addressees and sectoral scope:The data portability obligation applies to porting organisations(i.e.,data controllers)that are prescribed under regulations.At the time of the data porting request,the porting organisation must have an

281、 ongoing relationship with the data subject concerned.Data type:The data portability obligation applies to personal data:(a)in the possession or under the control of the porting organisation;(b)that is,or belongs to a class of personal data that is prescribed under regulations;(c)that is held in ele

282、ctronic form on the date the porting organisation receives a data porting request;and(d)that was collected or created by the porting organisation within a prescribed period before the date the porting organisation receives the data porting request.Certain types of personal 37 THE IMPACT OF DATA PORT

283、ABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 data will be excluded from the data portability obligation,including opinion data kept solely for an evaluative purpose,and derived personal data.Operational modality:Only natural persons can avail themselves of the data portability ob

284、ligation.Porting organisations are not required to transmit data to the data subjects themselves and receiving organisations must have a presence in Singapore.In the future,the PDPC may extend data portability to like-minded jurisdictions with comparable protection and reciprocal arrangements.Mandat

285、ory or voluntary:The data portability obligation is mandatory,subject to certain conditions being fulfilled.The PDPC has the power to)refusal to port data;(b)failure to port data within a reasonable time;and(c)fees for porting data.Read more:https:/www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Pe

286、rsonal-Data-Protection-Act Selected private sector initiatives The Data Transfer Project(DTP)and the Data Transfer Initiative(DTI)Responsible entity:The Data Transfer Initiative(DTI)Description:In 2017,Google,Meta,Microsoft,Apple and Twitter(now X)joined forces to establish the DTP(DTP,n.d.48;Github

287、,n.d.49;Microsoft et al.,201950).The project was born from the recognition that data portability was not only a regulatory requirement but also an opportunity to improve user experience.By working together,these companies sought to build a shared set of tools for direct data transfers.This collabora

288、tion was intended to relieve users from the burdensome task of managing their data transfers,ensuring that their data portability needs were met more efficiently.DTP was launched in 2018 as an open-source,service-to-service data motivated by the recognition thaecosystem by reducing the infrastructur

289、e burden on both providers as well as users,with a goal to increase the number of services that provide portability.data.It then uses service-specific adapters to transfer those data into a ter38 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 transferred betw

290、een the providers.Overall,this includes data stored in a may not be necessarily limited to that specific type of data.Use cases for the trying out a To advance the work of the DTP,the Data Transfer Initiative(DTI)was established as a nonprofit organisation with the support of three of the five Apple

291、,Meta,and Google.Today,DTP is a project within DTI and no longer a standalone initiative and DTI works in collaboration with its partner companies with 18 thanks the development and deployment of open source data transfer tools.Since evolving into the independent DTI organisation,the work has grown

292、to include projects on trust building,mapping the portability landscape,collaborating with a broader set of stakeholders,and serving in various capacities as an expert resource to regulators.Read more:https:/dtinit.org/MyData Global Responsible entity:MyData Global Description:MyData Global is a non

293、-profit organisation with over 90 organisational members and over 600 individual members from over 40 right to self-determination regarding their personal(MyData Global,n.d.51)-centric paradigm is aimed at a fair,sustainable and prosperous digital society,where the sharing of personal data is based

294、on trust as well as balanced and fair relationship between a set of voluntary principles for data portability.Two points can be highlighted here:Type of data:The primary goal of MyData Global is to empower individuals to use their personal data to their own ends,and to securely share them under rega

295、rdless of the legal basis(contract,consent,legitimate interest,etc.)of data collec Operational modalityeffectively port their personal data,both by downloading it to their personal rely and easily,in a structured,commonly used and machine-18 See https:/dtinit.org/39 THE IMPACT OF DATA PORTABILITY ON

296、 USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 Read more:https:/mydata.org/about/organisation/Data Portability 3.0:Real-time continuous data transfers enabling interoperability Early sectoral developments in the United States:From data portability 1.0 to 3.0 Responsible entity:United States

297、Government Description:from 2010 to give consumers more control over their personal health,energy,19 finance or education data.20 These started as data portability 1.0 initiatives as they were limited to enabling users to access and download or print their personal data launched in the context of th

298、e health care system.Beneficiaries and the type of dataallow patients to better access their medical records on line so they can track their health,correct errors and transfer information between health care providers.21 Americans can access their health data for free in a comprehensible form,in par

299、t due to financial incentives available from the federal government to encourage providers to adopt electronic health records.22 Addressees and sectoral scopetogether of public and private sector organisations on the health care system in the United States,including federal agencies(the Departments

300、19 Another My Data initiatusage information in a consumer-and machine-friendly format.Launched in January 2012,the initiative is designed to promote competition and innovation among industry players.Over 50 utilities and electricity providers have signed onto the initiative(with more having pledged

301、to join in time),allowing some 60 million homes and businesses to be able to download their usage data(see www.energy.gov/data/green-button).Both the Blue Button and Green Button initiatives focus more on providing data subjects with the right to access their data,rather than on their ability to req

302、uest a data controller to share it with another controller.Both initiatives are voluntary for organisations to join,which is a significant difference from enforceable regulations like the GDPR.20 See further,The White House,President Barack Obama,My Data:Empowering All Americans with Personal Data A

303、ccess(15 March 2016),https:/obamawhitehouse.archives.gov/blog/2016/03/15/my-data-empowering-all-americans-personal-data-access(accessed 3 October 2019).21 See further Health IT,Blue Button(8 April 2019),https:/www.healthit.gov/topic/health-it-initiatives/blue-button(accessed 3 October 2019).22 https

304、:/www.healthit.gov/topic/health-it-initiatives/blue-button/frequently-asked-questions and https:/www.healthit.gov/topic/health-it-initiatives/blue-button/logo-and-usage 40 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 of Defense,Health and Human Services,and

305、 Veterans Affairs).Over roughly five years,approximately 16 000 health care organisations and providers(a majority of those in the United States)signed up to the voluntary Blue Button programme.23 Operational modality:Blue Button was initially implemented to give veterans the ability to download or

306、print their personal health records with the Center for Medicare and Medicaid Services under the Department of Health and Human Services were the first to offer Blue Button downloads to veterans and to Medicare beneficiaries.Two years later,in 2012,the Automate Blue Button Initiative(which provided

307、the basis for Blue Button+)was introduced to standardise data formats and automate data transfer mechanism to enable data transfers between health data-holding organisations,patients and authorised third parties,effectively making Blue Button a data portability 2.0 initiative(Graham-Jones and Pancha

308、dsaram,5 February 201352).In 2018,the Blue Button 2.0 Implementation Guide was introduced.It defines an API standard for the type of Medicare coverage,drug prescriptions,primary care treatment and c(Center for Medicare and Medicaid Services,201853).This new standard enables developers to register a

309、beneficiary-facing application,a beneficiary to grant an application access to four years of their data and effectively makes Blue Button 2.0 a data portability 3.0 as defined in this note.Read more:https:/obamawhitehouse.archives.gov/blog/2016/03/15/my-data-empowering-all-americans-personal-data-ac

310、cess Responsible entity:Financial Services Agency of Japan Description:An amendment of the Banking Act in 2017 in Japan,which takes a voluntary approach,requires that banks disclose their terms and conditions to Electronic Payment Service Providers(EPSPs)and do not discriminate against certain EPSPs

311、.The Act also requires that third-party service providers that receive data.On the other hand,the amendment requires EPSPs to register with the regulatory authority and to make only relevant use and management of 23 See further,The White House,President Barack Obama,My Data:Empowering All Americans

312、with Personal Data Access(15 March 2016),https:/obamawhitehouse.archives.gov/blog/2016/03/15/my-data-empowering-all-americans-personal-data-access(accessed 3 October 2019).41 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 system for disputes between EPSPs and

313、 their customers.A co-regulatory approach was used to develop technical standards for the open banking APIs and the model contract between a bank and EPSPs.Types of data ported:At the request of users,the EPSPs transmit platform.Beneficiary and addressee:Considering the accelerated trend overseas th

314、at innovative services emerged from the combination of financial service and digital technologies,the amendment of the Banking Act in 2017 was introduced to create a regulatory environment where financial institutions can collaborate with fintech firms for innovation,while ensuring consumer protecti

315、on.Sectoral scope:The amendment applies to depositary financial institutions(banks)and fintech firms that need to be registered to the Japanese financial authorities as EPSPs.Ex ante or ex post:The regulation requires ex ante registrations and organisational and security measures for EPSPs and banks

316、,while the authority has the regulatory power to ask for a report,impose remedial measures etc.Mandatory or voluntary:The amendment does not require banks to use the open APIs.Despite its voluntary approach,72%of banks(100%for Japan domiciled banks)accepted the implementation.Operational modality:De

317、spite the voluntary nature of the initiative,at the time of September 2019,95%banks(100%for Japan domiciled banks)accepted the implementation of open API.24 Read more:https:/www.fsa.go.jp/singi/kessai_kanmin/siryou/20191223/05.pdf Payment Service Directive for Payment Businesses in the European Unio

318、n(PSD2)Responsible entity:European Commission Description:PSD2,established in November 2015,sets out the rules concerning strict security requirements for electronic payments and the protection of nd reducing the risk of fraud;the transparency of conditions and information requirements for payment s

319、ervices;and the rights and obligations of users and providers of payment services.It also requires payment service providers,including banks,to allow a third party(payment initiation service providers or account information 24 https:/www.fsa.go.jp/singi/kessai_kanmin/siryou/20191223/05.pdf 42 THE IM

320、PACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETITION OECD 2024 payment transactions subject to the explicit consent by the customers.25 26 Because of the nature of the EU directive,implementation depends on member countries.Types of data ported:PSD2 allows third parties to access

321、payment service Beyond this regulatory requirement,the directive triggered the commercial-based portability via APIs of other kinds of data such as identity authentication,credit scoring,trading of foreign exchange and data on loyalty programmes.Beneficiary and addressee:PSD2 aims to put in place co

322、mprehensive rules for payments services to open up payment markets to new entrants leading to more competition,greater choices and better prices for customers.Sectoral scope:The directive applies to payment service providers.Ex ante or ex post:Requirements of the directive for data access and transf

323、er,as well as other obligations,are ex ante,while the directive and enforcement power over payment service providers.Mandatory or voluntary:Third-party access to account data and the data used for payment transaction is mandatory.Operational modality:Real-time data transfer is enabled via open APIs.

324、Read more:https:/ec.europa.eu/commission/presscorner/detail/en/QANDA_19_5555 The Digital Markets Act of the European Union Responsible entity:European Commission Description:The Digital Markets Act(DMA)is an EU regulation aimed at fostering fair and contestable digital markets.Established in Septemb

325、er 2022,it targets large digital platforms,known as gatekeepers,that have a significant market presence in the EU.The DMA aims to prevent these companies from abusing their market power and to allow new entrants to compete effectively.It covers a wide range of obligations,including data portability,

326、interoperability,and prohibitions on certain business practices like combining data from different services owned by the same company.In particular,the DMA provides for an obligation on designated gatekeepers to ensure effective portability of data(see Article 6(9)of the DMA).Recital 59 of the DMA g

327、ives further details on the rationale for this obligation and on how it should 25 https:/eur-lex.europa.eu/legal-content/EN/LSU/?uri=CELEX:32015L2366 26 https:/eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L2366 43 THE IMPACT OF DATA PORTABILITY ON USER EMPOWERMENT,INNOVATION,AND COMPETIT

328、ION OECD 2024 be carried out to be effective.It also specifies that this obligation complements the right to data portability under the GDPR(European Commission,202216).Beneficiary:The DMA aims to benefit consumers and businesses by ensuring a higher degree of competition in European digital markets

329、.More specifically in terms of data portability,Art.6(9-11)DMA differentiates platform services)benefit from the ability to access and port data they have provided or generated through their activities on core platform platform services)gain access to both aggregated and non-aggregated data,includin

330、g personal data,that is generated in the context of their use-party online search,click,and view data generated by end users on online search engines.Type of data:The type of data covered by Art.6(9)DMA slightly varies depending on the beneficiary.For end and business users it includes data provided

331、 by the users or generated through their activities on the core platform service.In the case of business users,more specifically this can tinuous and real-time access to,and use of,aggregated and non-generated in the context of their use of the core platform.(Art.6(10)DMA).-party online search engin

332、egranted access to ranking,query,click,and view data generated by end users on online search engines.Addressees and sectoral scope:Similar to the GDPR,the DMA applies generally across all sectors.However,it specifically targets large digital platforms operating in the EU(gatekeepers as defined in Ar

333、t 3 DMA).As of September 2023,the European Commission has identified 22 services provided by six companies-Alphabet,Amazon,Apple,ByteDance,Meta,and Microsoft-27 These services range from operating systems,number-independent interpersonal communication services to online social networking services and online intermediation services.Mandatory or voluntary:Art.6(9-11)DMA provides mandatory obligation