As of 25 May 2018, EU citizens will have a new legal right that will help them switch digital services.

It is called the right to data portability.

Social media will be required to allow users to download the personal data users provided, like posts or comments (Photo: Kyra Preston)

The idea is that all personal data you provided to a certain service, for example posts on a social network like Facebook, should be available for you to download and transmit to a competing service.

The rationale behind the right to data portability – which is part of a much broader regulation on data protection – is that consumers will no longer feel that they have no choice but to remain a user of a service in which they have invested so much time.

Several digital services already offer portability, but one year before the new rules go into force, a lot is still unclear.

Dutch company TomTom says it already complies with the new rule, one year in advance.

“We have built, developed and delivered it to our community, this capability,” said Simon Hania, the company's data protection officer. As of next year, each company that handles personal data will be required to provide data portability.

TomTom sells navigation devices and related services, as well as watches that measure users' activities related to sports.

“In both cases, users are able to submit their navigation data or their fitness data to TomTom, what we call MyDrive and MySports, where we store the data on their behalf, and allow them to also extract it or transfer it to others [other platforms],” Hania told EUobserver.

He said that the company's decision to open up the data also had “a commercial reason”.

“We offer sport watches, and people may want to engage in teams with others who may not have a TomTom product,” he said.

Complying with the upcoming right to data portability made TomTom's product more attractive.

Evernote, a company that offers a service for note-taking, has had the option of data portability for several years.

"Our philosophy is that if you’re confident that you can leave Evernote at any time, then you’ll be confident enough to want to stay," the company said in its blog.

However, not every company will be as well prepared. This is in part because the data some companies collect is less straightforward than GPS locations, for which there have been long-existing standards.

A recent discussion in Brussels showed how much is still unclear about how to comply with the right to data portability.

It took place at the RightsCon conference, but was held under the so-called Chatham House rules, which means quotes may not be directly attributed to the speakers.

The session lasted for over an hour and was attended by some thirty digital privacy experts from civil society and businesses.

It's complicated

Some said that the task of complying with the rules is probably underestimated.

“This is a really huge thing, and we only have until May 2019,” said one speaker.

“It's really complicated,” said another.

As an example, there were differences of opinion on whether a reputation score, attained by users of apps such as ride-sharing service Uber, should be considered a part of the personal data available for portability.

Reputation scores are commonly used features in the digital economy, based on reviews by users.

If it should, it would mean that an Uber driver should have the right to take their reviews and transfer them to a competing service – like Lyft, for example.

However, a great deal depends on whether the reputation score is so-called observed data, or inferred data.

Observed data is something that is measured, for example search history, traffic data or location data. Inferred data is instead calculated by the service itself, based on the observed data.

Inferred data is excluded from the right to data portability.

In one display of discontent, two speakers barely allowed each other to finish their sentences.

“The reputation is inferred,” said one speaker.

“I think it's observed,” another interrupted.

“No, it's inferred,” the first one said.

A third speaker noted that the discussion showed how difficult the situation can be.

“Businesses and lawyers are scratching their head, which one is it?”

From banks to energy companies

It is difficult to say how many companies are ready for the right to data portability.

Facebook, Google, Instagram, and Spotify declined to comment on the record. Others, such as Twitter, Microsoft, LinkedIn, and Amazon, did not immediately reply.

But not only technology companies will be affected by the measures.

The rules will apply to all businesses and organisations that gather or observe personal data. Therefore, energy companies, banks, insurance companies, and shops should also be able to offer data portability.

And as one of the RightsCon speakers noted, it is not only about being able to download data.

“That's easy-ish. But to be able to port it in a format that works in this new controller as well...” she noted.

The regulation says that EU citizens will “have the right to have the personal data transmitted directly from one controller to another, where technically feasible”.

So when is something technically feasible?

According to TomTom's Hania, a transfer is technically feasible if both services have enabled the data to be transferred.

“If you want it to transfer to someone else, then that someone else needs to be able to receive it,” said Hania. “We cannot be forced to transmit it to someone who can't receive it.”

“The transfer capability is optional, it's not mandatory,” he added.

The European Commission did not respond to a request to make someone available to explain how data portability would work in practice.

An EU working group that deals with data protection adopted guidelines on data portability last April. The guidelines list some concrete examples of where the right to data portability would apply: raw data from smart meters; book titles purchased from an online store; songs listened to via a music streaming service.

However, the 20-page document is likely to leave some questions open.

For example, the EU guidelines do not clarify whether Hania is right about data portability being “optional”. They only say that the technical feasibility “should be assessed on a case by case basis”.

Potentially, there are an infinite number of cases that need to be assessed.

Moving your e-mails from one service, like Gmail, to another, like Hotmail, or vice versa, is relatively simple.

But what about social networks? Facebook collects different types of personal data than LinkedIn, Twitter, or Google+.

Sometimes they collect very similar things, like Facebook's likes and Twitter's favourites. But who will determine if these two are the same and should be compatible?

“You are talking about the reflection of an architecture of a platform, how are you going to port that to anything else?” one of the RightsCon speakers said.

It is indeed a possible cause of some big headaches.