Opinion
Computing Applications Economic and business dimensions

‘In Situ’ Data Rights

Improving on data portability.
Posted
  1. Article
  2. References
  3. Authors
  4. Footnotes
columns of blocks, illustration

If we are to hold platforms accountable for our digital welfare, what data rights should individuals and firms exercise? Platforms' central power stems from their use of our data so what would we want to know about what they know about us? Perhaps a reallocation of rights will rebalance the right allocation. To date, the General Data Privacy Regulation (GDPR in the E.U.) and California Consumer Protection Act (CCPA in the U.S.) grant privacy rights to individuals, including the right to know what others know about them and to control data gathering, deletion, and third-p arty use. Legislation also includes data portability rights, an individual right to download copies from and upload copies to destinations of one's choosing as protections for individuals. Neither yet covers businesses. The proposed Digital Markets Act (DMA) takes a step in that direction. The theory is that privacy empowers individuals to control what is gathered and who sees it; portability permits analysis and creates competition. By moving our data to portals that would share more value in return, we might capture more of our data value. After all, that data concerns us.

Data portability sounds good in theory—number portability improved telephony9—but this theory has its flaws.

  • Context: The value of data depends on context. Removing data from that context removes value. A portability exercise by experts at the ProgrammableWeb succeeded in downloading basic Facebook data but failed on a re-upload.1 Individual posts shed the prompts that preceded them and the replies that followed them. After all, that data concerns others.
  • Stagnation: Without a flow of updates, a captured stock depreciates. Data must be refreshed to stay current, and potential users must see those data updates to stay informed.
  • Impotence: Facts removed from their place of residence become less actionable. We cannot use them to make a purchase when removed from their markets or reach a friend when they are removed from their social networks. Data must be reconnected to be reanimated.
  • Market Failure. Innovation is slowed. Consider how markets for business analytics and B2B services develop. Lacking complete context, third parties can only offer incomplete benchmarking and analysis. Platforms that do offer market overview services can charge monopoly prices because they have context that partners and competitors do not.
  • Moral Hazard: Proposed laws seek to give merchants data portability rights but these entail a problem that competition authorities have not anticipated. Regulators seek to help merchants "multihome," to affiliate with more than one platform. Merchants can take their earned ratings from one platform to another and foster competition. But, when a merchant gains control over its ratings data, magically, low reviews can disappear! Consumers fraudulently edited their personal records under early U.K. open banking rules.12 With data editing capability, either side can increase fraud, surely not the goal of data portability.

Evidence suggests that following GDPR, E.U. ad effectiveness fell,7 E.U. Web revenues fell,5 investment in E.U. startups fell,6 the stock and flow of apps available in the E.U. fell,8 while Google and Facebook, who already had user data, gained rather than lost market share8 as small firms faced new hurdles the incumbents managed to avoid. To date, the results are far from regulators' intentions.

We propose a new in situ data right for individuals and firms, and a new theory of benefits. Rather than take data from the platform, or ex situ as portability implies, let us grant users the right to use their data in the location where it resides. Bring the algorithms to the data instead of bringing the data to the algorithms. Users determine when and under what conditions third parties access their in situ data in exchange for new kinds of benefits. Users can revoke access at any time and third parties must respect that. This patches and repairs the portability problems.

First, all data retains context. Prompts and replies provided by friends and family, sellers and strangers, remain intact. Yet, privacy could even improve relative to portability if data never leaves the system. Third parties need not receive anyone's personal data. By moving the algorithm to the data, not the data to the algorithm, analysis can proceed on masked data that shields identities and details. Encryption can capture context benefits without incurring privacy costs. Second, data retains freshness. All data—all stocks and all flows—is present and current. Third, data retains potency. We can use in situ data to make a purchase, place a post, or receive a benefit. We do not need to reconnect to reanimate. Fourth, merchants can pool their in situ data and context as they wish, facilitating benchmarking and analytics. Context sharing reduces monopoly hold up of business services. Fifth, merchants and consumers cannot selectively edit unflattering facts and raise the risk for others.

In situ data rights empower users to invite competition on top of the infrastructures where they already have relationships. Amazon might compete on top of Facebook to recommend books based on one's friends. Facebook might compete on top of Amazon to recommend friend groups based on one's readings. A startup could offer new apps and services of benefit to users without the threat of monopoly hold up by the platform itself. Competition to create value follows in a manner that other data rights have yet to enable. Open banking legislation has implemented one small step toward an in situ data right. Laws such as the E.U. Payment Services Directive II (PSD2) and the U.K.'s Open Banking Implementation Entity (OBIE) oblige banks to open access to their competitors for payment initiation services. Rather than an obligation of firms in only one sector, this should be a right of persons and firms across all sectors. This seems to work. Innovation and entry rose while fees fell in the financial sector in the E.U. and U.K. after open banking.13 With in situ rights, gains could happen in other sectors too.


By moving our data to portals that would share more value in return, we might capture more of our data value.


A startup's ability to offer new apps and services not approved by the platform opens critical benefits like rebalancing oversight. In situ rights would enable price and quality comparisons, and foster competition that platforms have tried to prevent.a Why should platforms know everything about us, but refuse us basic knowledge about them? Have they influenced elections?11 Reduced vaccinations?3 Aided insurrection? Abetted balkanization?10 Research teams received user permission to track exposure to ads, misinformation and inducements to share photos with more skin.2 Facebook shut down access, claiming this exposed advertisers' data. Facebook persisted in denying users insights from third-party access the users had themselves invited, despite a scolding from the Federal Trade Commission. Social media platforms disseminate false statements of politicians on the basis that "users should decide," yet refuse to share the context within which those decisions are to be made. Third-party certification services could now identify fake news the platforms continue to spread. Should we not have the right to analyze data platforms push upon us? In situ data rights would give us that capability.

    1. Berlind, D. How Facebook makes it nearly impossible for you to quit. (2017); https://bit.ly/3BEe2xM

    2. Dwoskin, E., Zakrzewski, C. and Pager, T. Only Facebook knows the extent of its misinformation problem. And it's not sharing, even with the White House. Washington Post. (Aug. 19, 2021); https://wapo.st/3v6PB9N

    3. Ghaffary, S. and Heilweil, R. A new bill would hold Facebook responsible for Covid-19 vaccine misinformation. Vox. (July 22, 2021); https://bit.ly/3oTi3Lv

    4. Goldberg, S., Johnson, G. and Shriver, S. Regulating privacy online: The early impact of the GDPR on European Web traffic and e-commerce outcomes (2019); SSRN 3421731.

    5. Janssen, R. et al. GDPR and the Lost Generation of Innovative Apps. NBER Conference on the Economics of Digitization (2021); https://bit.ly/3oWKNTF

    6. Jia, J., Jin, G.Z. and Wagman, L. The short-run effects of the general data protection regulation on technology venture investment. Marketing Science. (2021).

    7. Lefrere, V. et al. The impact of the GDPR on content providers. In The 2020 Workshop on the Economics of Information Security. (Dec. 2020).

    8. Prasad, A. and Perez, D.R. The Effects of GDPR on the Digital Economy: Evidence from the Literature. Informatization Policy 27, 3 (2020), 3–18.

    9. Shin, D.H. A study of mobile number portability effects in the United States. Telematics and Informatics 24, 1 (2007), 1–14.

    10. Van Alstyne, M. and Brynjolfsson, E. Electronic communities: Global village or cyberbalkans? In Proceedings of the International Conference on Information Systems (1996), 80–98.

    11. Ward, A. 4 main takeaways from new reports on Russia's 2016 election interference. Vox. (Dec. 17, 2018).

    12. Zachariadis, M. Data-sharing frameworks in financial services. Global Risk Institute (Aug. 2020).

    13. Zachariadis, M. and Ozcan, P. The API economy and digital transformation in financial services: The case of open banking. SWIFT Institute Working Paper 2016-001. (2017); https://bit.ly/3lAJmId

    a. See https://bit.ly/3FFjRh4

    The authors express their gratitude for useful feedback provided by Guntram Wolff and the Communications Viewpoints editorial board.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More