In principle vs in practice: User, expert and policymaker attitudes towards the right to data portability in the internet of things

Abstract

The right to data portability (RtDP) was enshrined in law with the introduction of the EU's General Data Orotection Regulation (GDPR, Article 20) in 2018. RtDP gives a user the right to obtain and transfer their data to a different service, and the data controller the obligation to facilitate this transfer. Since GDPR's implementation, RtDP has been highlighted in the Digital Markets Act (DMA; 2022) and the proposed Data Act. Despite these reinforcements, there are gaps in understanding of RtDP amongst digital service users. Additionally, many organisations struggle to facilitate data transfer, particularly when it comes to the Internet of Things (IoT). This study examines the attitudes towards IoT data portability by conducting semi-structured interviews with users of consumer IoT devices (n = 28), academics/industry experts (n = 11) and policymakers (n = 8). Results indicate that whilst policymakers and consumers value this right in principle, it is rendered meaningless without a data subject's ability to exercise it in practice. A lack of guidance for data controllers and consumers has created an atmosphere of uncertainty which urgently needs to be addressed.