Readit News
somethingAlex · 4 years ago
What are consumers intuitively expecting compliance with this law to look like?

Data from one service may be in an entirely different schema than the service you want to import it to - let alone format. Service A may summarize your data and throw away the granular stuff, but service B runs on the granular data.

Are consumers going to implement ETL pipelines to achieve portability? Are they expecting to hook up streaming mechanisms for enormous swathes of data?

Just as an example, if I wanted to get a list of every song I liked on Spotify and import it into Apple Music, how would that even work? The songId of Spotify is undoubtedly different than the one Apple uses. Are Apple and Spotify supposed to agree on a common file format?

I agree with the intent of the law but I'm not surprised most services do not offer an automated way to take out data. It's a rare case, often a heavy workload, and there's really no way to guarantee the data you receive is actually portable.

izacus · 4 years ago
> Just as an example, if I wanted to get a list of every song I liked on Spotify and import it into Apple Music, how would that even work? The songId of Spotify is undoubtedly different than the one Apple uses. Are Apple and Spotify supposed to agree on a common file format?

Why wouldn't it work? Desktop apps had m3u playlist formats which could be read by multiple players - from Winamp on desktop, iTunes on a Mac or even car headunits. It's now kinda weird to say that rockstar engineers of Apple/Spotify can't find a way to export playlists and liked songs (global singletons essentially) they got from the SAME publishers and probably ingest from the SAME content owner data sources.

sethhochberg · 4 years ago
m3u (or really anything that relies on file names to reference media assets) would be a potential disaster... all kinds of weird stuff makes it into your parser when you're dealing with a large enough catalog. I used to work in streaming media, including with some m3u-based legacy systems, and dealt with a pile of edge cases a mile high.

But thankfully, the industry solved this problem themselves: ISRC (International Standard Recording Code) is already used all over the royalty reporting side of the industry because it specifically solves the problem of referencing an individual recording of a work.

DDEX is a content delivery manifest format the industry also uses for this kind of purpose (sharing complex metadata about recordings in a standardized way), but it's an 800lb gorilla of a format and not super consumer-friendly.

These are things that are all over the back offices of your favorite streaming service, but mostly transparent to the consumer.

redwall_hp · 4 years ago
I was thinking the other day about that, sort of. Apple in the early 2000s was really into things like CalDAV and WebDAV. Safari had integrated RSS reading at one point. They embraced standardization and interoperability for many things, at least where important user data was concerned. Then something happened after the iPhone took off and iCloud became a thing, and they became all about vendor lock-in. I assume it comes from being a market leader instead of only having a relatively unpopular computing platform.
dsr_ · 4 years ago
There are incentives for, say, Mastodon to be able to ingest your tweeting history, or for Linked-In to eat your Facebook social graph.

There's no incentive other than the law for Twitter or Facebook to make that data exportable.

StopHammoTime · 4 years ago
That’s why laws exist.

There’s generally no incentive to not kill someone except going to jail.

Guillaume86 · 4 years ago
> Just as an example, if I wanted to get a list of every song I liked on Spotify and import it into Apple Music, how would that even work? The songId of Spotify is undoubtedly different than the one Apple uses. Are Apple and Spotify supposed to agree on a common file format?

I understand your point but FYI music is a poor example as there are solutions to port metadata in that case. MusicBrainz aims to standardize music metadata and it is pretty commonly used. An example I know is the lastfm service, their APIs accept an optional mbid: https://www.last.fm/api/show/track.updateNowPlaying.

cbm-vic-20 · 4 years ago
Should music streaming services be compelled to support MusicBrainz to support this GDPR case simply because it is commonly used? Who decides that mbid is the GDPR-accepted track identifier?
kelnos · 4 years ago
> Just as an example, if I wanted to get a list of every song I liked on Spotify and import it into Apple Music, how would that even work? The songId of Spotify is undoubtedly different than the one Apple uses.

Artist + Song Title (+ Album and track number, if it's from an album) should be enough to disambiguate in enough cases for someone to consider this "portable".

Beyond that, we have music fingerprint IDs that a service could output in the data dump along with their own service-specific ID.

> Are Apple and Spotify supposed to agree on a common file format?

For something as simple as this, yes, absolutely they should. It's bonkers that they don't and wouldn't, aside from garbage anti-competitive lock-in reasons.

908B64B197 · 4 years ago
> Just as an example, if I wanted to get a list of every song I liked on Spotify and import it into Apple Music, how would that even work? The songId of Spotify is undoubtedly different than the one Apple uses. Are Apple and Spotify supposed to agree on a common file format?

If I was Spotify I would export that as an SQLite DB. Maybe the metadata catalog as a standalone DB too.

Apple Music has an API[0] so it's already mostly possible to import a list of songs in it.

> I agree with the intent of the law but I'm not surprised most services do not offer an automated way to take out data. It's a rare case, often a heavy workload, and there's really no way to guarantee the data you receive is actually portable.

"Data Portability" is so vaguely defined that I can't help but see it as yet another law that EU bureaucrats will use to fleece (American) "Evil Tech Giants".

[0] https://developer.apple.com/documentation/applemusicapi

anticristi · 4 years ago
"Data portability" is vague so that the law is stable and flexible. As a comparison, "drivers need to adapt driving speed to weather conditions" is equally vague. It would simply be infeasible to publish an hourly speed limit chart based on rain, fog, snow, etc. It is the responsibility of driving instructors to raise awareness on reasons to adapt the speed. Drivers need to then interpret that clause to their situation.

Similarly, it is up to industry -- either via standardization bodies or courts -- to clarify what exactly is "data portability".

hnick · 4 years ago
> Are consumers going to implement ETL pipelines to achieve portability? Are they expecting to hook up streaming mechanisms for enormous swathes of data?

As a dev I hate the fact that something like Zapier apparently has to exist in this messy world, but non-technical people like my wife tend to find it intuitive and relatively easy to use so that's one option.

Though for your example I'd argue that the ingester (Apple) has a vested interest in allowing import from many formats to poach customers. Much like how Apple went to the effort of creating the Move to iOS app on android. I wonder whether having the data exported with just a song id would be sufficient under the law, because you could just normalise all useful data away and export a list of IDs to the customer which seems clearly against the purpose of the law. Showing just IDs is not my data which would mean the actual songs I like.

capableweb · 4 years ago
> Just as an example, if I wanted to get a list of every song I liked on Spotify and import it into Apple Music, how would that even work? The songId of Spotify is undoubtedly different than the one Apple uses. Are Apple and Spotify supposed to agree on a common file format?

Yeah, that'd be great! We didn't get the web as we know it today until a bunch of people and companies got together and created standards for everyone to rely on. Why can't we do the same for SaaS businesses?

I think the test is something like: If the concept is the same, you should be able to import/export it. For example, you have a SaaS having photo upload + being able to put the photos into a custom gallery. Then you should be able to export that gallery in a format that you can recreate the same gallery in another SaaS that also has photo upload + custom galleries.

The article itself is clear that it's not always technically feasible to offer this import/export. For example, it doesn't make sense to be able to export Facebook posts and import them into Twitter, because those are two different formats with different restrictions.

This is from the actual article:

> In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The full article of "Data Portability" is not that long, you can read it here: https://gdpr-info.eu/art-20-gdpr/

Helmut10001 · 4 years ago
I agree, most SaaS concepts are similar and have large overlaps in feature and functionality. Just for Social Media, we've written a common data structure format (lbsn.vgiscience.org) where it is possible to import/export from all services (this one is specifically tailored for visual analytics and exploration of research/privacy questions). When working on the structure, it became clear that most Social Media concepts exist in a similar form on multiple sites. There is very little functionality that is unique to a single SaaS.
irrational · 4 years ago
Isn’t “Where technically feasible” a huge loophole?
account42 · 4 years ago
The important part that this law should achieve is to get the data out of the service. This at least allows competing services to provide importers, which is in their interest.
anticristi · 4 years ago
I agree. I could develop my own ETL and wasn't sure what to do with this right. Where would I import my Klarna Checkout history and for what purpose?

I guess this law is there to ensure your images can be transferred from Dropbox to Google Drive to Apple Cloud, without any of them being tempted to pull the plug.

mulmen · 4 years ago
This is so sad. That we have already forgotten how easy this is. And that we do not see that data integration is an obvious case for open standards and development.

Back in the "bad" (aka glorious) days of p2p file sharing we had no problems keeping things straight. Even Windows XP natively knows how media libraries work. Any service that makes this hard will be at a disadvantage to ones that make it easy, and maybe get roasted in court on GDPR grounds.

The only reason services do not offer you data export in an easily digestible format is that they want you to stay in the app.

maxdo · 4 years ago
I'll re-phrase. Imagine I'm a startup. If the government forces me to delete some data, it makes my life easier: no data, no privacy issues. If someone tells me, I want to port my data to a competitor, because my UI is better than theirs, but they still prefer the competitor, why should I care about this request, why should I spend a single second of my engineers' time to implement that?
TeMPOraL · 4 years ago
> If someone tells me, I want to port my data to a competitor, because my UI is better than theirs, but they still prefer the competitor, why should I care about this request, why should I spend a single second of my engineers' time to implement that?

Because you're a good person and care about providing value to your users, and not just extracting value from them.

But since in practice, we can't rely on every business to be run by good citizens, this needs to be made a legal requirement, to remove the competitive advantage from being predatory and locking users down.

ryandrake · 4 years ago
While I agree 100% with this response, let's for the sake of argument assume OP is not a good person, and doesn't actually care about providing value to users.

An answer to "why" that does not depend on voluntary goodness is: Enough people in the world generally think representative democracy is a good thing. We stand by that system for making the rules. Enough people in part of the world think there is enough of a problem to the point where a rule was made. If you want to do business in that part of the world, you need to be bound by that rule. That's why you should spend time on it. As incomprehensible as it might be, it's important enough to those citizens that they are willing to levy a penalty on you if you don't.

...and so far, at least three people actually took time out of their day to go find the "down" arrow on this obviously raving insane viewpoint :) I love you guys!

toolz · 4 years ago
The spirit of such a law is great, but there's a huge problem - what does the implementation even look like? Are we going to have regulatory committees oversee which types of data should be portable and when? Who writes the protocols?

The implementation of such a law is impossible as far as I can tell and opens up huge vulnerabilities to smaller companies.

Just imagine when large companies can hire lobbyists that can force a data protocol on the smaller businesses.

The spirit of many laws is great, the implementation is, unfortunately, what actually matters and I don't see solutions to these hard problems.

Allow me to go on a soapbox here, but far too many laws are created with good intentions that are destroying competition and hurting the end users.

golergka · 4 years ago
> Because you're a good person and care about providing value to your users, and not just extracting value from them.

That's a false dichotomy that also misrepresents the nature of a typical business transaction.

If you're a good person and a business owner, you're looking to make mutually beneficial business transactions. If someone is looking to move away from using your business, then it's them who's trying to extract value from you, without giving anything in return.

Of course, sometimes, as just a good person, you want to do good for other people without anything in return — but you can do it as a private person, putting your profits into charity funds. Separation of concerns is a good thing that makes things clear. Also, from any moral point of view, money spent on engineer salary that allows some food app user to migrate to a competitor is probably not spent as well as feeding the hungry or providing health care to the sick anyway.

est31 · 4 years ago
If you are a startup, then such a law directly benefits you because you might want to convince users to migrate to your services. If the big established competitor of yours has to offer data exports, such a migration is made easier for you, enabling your startup to grow faster, and giving users the ability to enjoy more innovation in the market.
goodpoint · 4 years ago
Because removing an exit barrier means removing lock-in.

Not holding customers data hostage can increase your service adoption.

E.g. many companies would not pay for a web-only email service where you cannot download and backup emails.

E.g. A lot of people pay for non-locked books (epubs) that can be carried over across different devices.

Governments across the world broke lock-in mechanisms for decades (e.g. carrying phone numbers, being able to buy gas/car oil/car tires/PC components from independent vendors).

WA · 4 years ago
You don't write an API to port stuff to your competitor. You write a JSON or CSV export and competitors can then make an import tool for your data format (and vice versa).

Is this really an effort? It's basically a JOIN over a bunch of tables or maybe the JSON state tree of your SPA and that's about it.

Chances are, your startup works with all data of a user and has a way to request all data from the DB anyways.
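
Added example, not part of any comment in this thread: the JSON export described above as a single JOIN scoped to the requesting user, keyed on ISRC as suggested earlier in the thread, with a normalized artist and title fallback on the importing side. The schema, the format name, the ISRC values and the importer's catalog IDs are constructed assumptions.

```python
import json
import sqlite3
import unicodedata

# Constructed sample data. Table names, column names and ISRC values are
# assumptions for illustration, not any real service's schema or catalog.
SCHEMA = """
CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE tracks (id INTEGER PRIMARY KEY, isrc TEXT, artist TEXT, title TEXT);
CREATE TABLE likes  (user_id INTEGER, track_id INTEGER, liked_at TEXT);
INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
INSERT INTO tracks VALUES
  (10, 'XXAAA2100001', 'Example Artist', 'First Song'),
  (11, NULL,           'Éxample  Band',  'Second Song'),
  (12, 'XXAAA2100003', 'Other Artist',   'Third Song'),
  (13, 'XXAAA2100004', 'Rare Artist',    'Obscure Song');
INSERT INTO likes VALUES
  (1, 10, '2021-01-01'), (1, 11, '2021-01-02'),
  (2, 12, '2021-01-03'), (1, 13, '2021-01-04');
"""

# The importing service's catalog (constructed): its own IDs, same recordings.
IMPORTER_CATALOG = [
    {"id": "b-501", "isrc": "XXAAA2100001", "artist": "Example Artist", "title": "First Song"},
    {"id": "b-502", "isrc": None, "artist": "example band", "title": "SECOND SONG"},
]

FIELDS = ("isrc", "artist", "title", "liked_at")


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def export_likes(conn, user_id):
    """Exporting side: one JOIN, restricted to the requesting user's rows."""
    rows = conn.execute(
        "SELECT t.isrc, t.artist, t.title, l.liked_at "
        "FROM likes AS l JOIN tracks AS t ON t.id = l.track_id "
        "WHERE l.user_id = ? ORDER BY l.liked_at",
        (user_id,),  # bound parameter: the id never becomes part of the SQL text
    ).fetchall()
    doc = {
        "format": "liked-tracks-example",  # hypothetical format name
        "version": 1,
        # Internal track ids are left out: they mean nothing to another service.
        "tracks": [dict(zip(FIELDS, row)) for row in rows],
    }
    return json.dumps(doc, ensure_ascii=False, indent=2)


def _norm(text):
    """Fold case, accents and whitespace so near-identical names compare equal."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.casefold().split())


def import_likes(export_json, catalog):
    """Importing side: match on ISRC first, then on normalized artist + title.

    The export file is untrusted input, so every field is type-checked and
    used only as a lookup key.
    """
    by_isrc = {c["isrc"]: c["id"] for c in catalog if c.get("isrc")}
    by_name = {(_norm(c["artist"]), _norm(c["title"])): c["id"] for c in catalog}
    matched, unmatched = [], []
    for track in json.loads(export_json).get("tracks", []):
        if not isinstance(track, dict):
            continue
        isrc, artist, title = (track.get(k) for k in ("isrc", "artist", "title"))
        if isinstance(isrc, str) and isrc in by_isrc:
            matched.append((by_isrc[isrc], "isrc"))
            continue
        if isinstance(artist, str) and isinstance(title, str):
            key = (_norm(artist), _norm(title))
            if key in by_name:
                matched.append((by_name[key], "artist+title"))
                continue
        # Report what could not be mapped instead of dropping it silently.
        unmatched.append({"artist": artist, "title": title})
    return matched, unmatched


if __name__ == "__main__":
    export = export_likes(build_sample_db(), 1)
    print(export)
    print(import_likes(export, IMPORTER_CATALOG))
```
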

dariosalvi78 · 4 years ago
A company that builds houses would very much avoid building those pointless and expensive security features. Why would they spend a second of their architects' time on that?

croes · 4 years ago
I'll re-phrase: why should I care about the requests of my users? Now you know why they prefer your competitor over your better UI. Your UI may be better, but your UX sucks.
jcelerier · 4 years ago
You're exactly the kind of person I hope my government protects me from. Companies are not meant to enrich yourself but to make the world better.
google234123 · 4 years ago
Companies are not meant to make the world better...
ClumsyPilot · 4 years ago
I'll rephrase. Imagine I'm a startup. If someone tells me, I want to transfer my savings to a competitor, why should I care about this request?

The answer should be obvious, it's their data just like it's their savings.

jensus · 4 years ago
The mental shift seems to be to not regard your customers' data as your product but rather focus on your service as your product.
kspacewalk2 · 4 years ago
That will make a whole lot of business models out there not feasible. The result will be fewer free services (to put it differently, fewer services and fewer choices). If you don't pay for stuff with your data, you can't have it for free. Are we sure we want to use government regulations to impose this on consumers of services, from the top down? Instead of, say, letting them decide?

(Yes, of course it's an industry talking point. The best kind - one that's true and valid, and so far not effectively refuted).

tomcooks · 4 years ago
Because it's not your data, it's mine?
cromulent · 4 years ago
Barriers to exit are also barriers to entry.
shuntress · 4 years ago
Because this is also required of your competitor and will allow users to port their data into your startup which gives you a chance to compete.
williamtwild · 4 years ago
Being required and complying with that requirement are two different things.
toomuchtodo · 4 years ago
Isn’t engineering time cheaper than legal counsel time when your customers file complaints with the government against your org for not adhering to the law?
JumpCrisscross · 4 years ago
> engineering time cheaper than legal counsel time

For a Silicon Valley based company hiring EU lawyers, no. Engineers are more expensive. Also, for a Silicon Valley company with limited or no EU presence, the time value of money may make incurring that deferred cost worth the saved near-term engineering time.

Laws should be followed. But laws must be enforced. OP’s point is valid. The EU passed a law and delegated enforcement to its various members, each of whom have varying levels (and interpretations) of enforcement around different parts of the text.

Until that changes, GDPR compliance will remain a courtesy. Not a right.

MattGaiser · 4 years ago
Is any legal counsel time actually being spent on this? It seems like all the disability legislation. In theory it applies to websites. In practice, few give it a 2nd thought.

I have yet to hear of a company significantly harmed by failing to consider accessibility.

sam_lowry_ · 4 years ago
Yes, unless you already have lawyers on staff.
bombcar · 4 years ago
This covers a good argument as to why: https://www.joelonsoftware.com/2000/06/03/strategy-letter-ii...

And it's true - there are a number of services for work that we've never tried because there's no easy way "back".

matheusmoreira · 4 years ago
Why should your company be allowed to lock in other people's data in your company's computers and then refuse to give it back? This is obviously abusive. Why should your company be allowed to abuse its customers? Why should an abusive company even be allowed to exist?
La1n · 4 years ago
I bet there are more laws that a company would love not to follow, but it's the law and thus you'll need to spend time implementing it.

dbetteridge · 4 years ago
Because the data isn't yours, it belongs to the customer.

That is the opinion that GDPR encodes into law

pmlnr · 4 years ago
Erm... because you need to follow laws. Your company would file tax records, right? And follow fire and building regulations in the office, correct? So why would it not follow GDPR?

0xbadcafebee · 4 years ago
It's not your responsibility to help your customers use a competitor's service, so you definitely don't have to care about that. However, you might care if you practice "dogfooding".

The idea of eating one's own dog food is to understand the experience of the customer and improve the product. It demonstrates confidence in your product and helps you empathize with your customers. If you do this & are confident in your product, then a portability feature (to allow your customers to try out your competitors) should not be a threat.

Assuming you can convey to your customers why your product is superior, they won't have need of the porting tool. If one day they think, "Hmm, I wonder if the competitor is better", and try to use the porting tool to use the competitor, and find out it's a huge pain because the competitor's product isn't as good (or doesn't work the way yours does), they may decide they just don't feel like switching. People might also use your product just because they can switch if they ever need to.

Pandora is a great example of a shitty company that does not believe in its own product. If you use the free version, you are constantly bombarded with dark patterns and direct advertisements to get you to upgrade to their paid account. It's annoyware. If you eventually pay for the product, the only value add is fewer ads. There's no improved functionality, there's no easier experience, no better algorithm. Just slightly less pain. It's like upgrading from dogfood that tastes like shit, to dogfood that only smells like shit. If Pandora created a data portability tool, they would be screwing themselves, because they know their product is shit. If they had a great product, portability wouldn't be a threat to their business.

beyondcompute · 4 years ago
Absolutely! I remember asking to export my data from one of the services and the support pretty much ignored me (they replied in general but “forgot” to mention anything related to that question).
grishka · 4 years ago
I wanted to get my data out of ask.fm because I answered quite a lot of questions there back when it was fun. The GDPR export option was nowhere to be found. Opened a support ticket, they asked me for an EU ID... Well, yeah, I don't have one, I'm not an EU resident, I wanted to piggyback on the laws of countries that actually care about their people. But it just struck me that they hate their users this much. Even Facebook didn't go this low.

On an absolutely unrelated note, I reverse engineered ask.fm's client API back when I was actually using it.

wizzwizz4 · 4 years ago
Under GDPR I think they're not allowed to require an EU ID. So just say “I'm not required to give you my personal data for this”.
varispeed · 4 years ago
Companies think that the data that is portable is your email address, profile picture, address, IP addresses - but other things like posts, comments are not. It is actually not well defined in GDPR and if portability means transferring your profile (e.g. username, email and some details about you only), then GDPR is pretty much useless in that regard.
account42 · 4 years ago
> Companies think

Which ones have you tried exporting your data from?

mxmilkiib · 4 years ago
ot1138 · 4 years ago
Do you know what happened to them (and/or some of the other companies/projects/initiatives that launched with the same goals)?
mxmilkiib · 4 years ago
I've a messy collection of links (many of which I need to web.archive.org fix) on https://wiki.thingsandstuff.org/Open_social#DataPortability that you might be interested in.

Basically, companies thought it more profitable to not put any effort into letting users escape their service (or keep chat federated, etc.)

Various threads are still around though.

tester34 · 4 years ago
where can I download my HN's data?
notRobot · 4 years ago
You can't. There's also no easy way to request all profile data deletion, unfortunately.

However, they do respond to privacy requests, see:

https://news.ycombinator.com/item?id=26959559

https://news.ycombinator.com/item?id=26410165

capableweb · 4 years ago
Have you tried emailing hn@ycombinator.com and it got denied? Or what do you mean there is no easy way to request the data deletion? AFAIK they don't scrub the comments but if you request it, your username will be replaced with [deleted] for all your comments.
capableweb · 4 years ago
Last time I "archived" my account data on HN I used https://github.com/HackerNews/API which seems to be working well enough for my needs.

thatguy0900 · 4 years ago
HN has no EU presence so doesn't have to follow EU laws, no? Or do they have to IP block Europeans? What would the EU actually do to HN if they did decide to enforce the rules here?
burntoutfire · 4 years ago
The typical approach is to issue a fine and then seize the assets in the EU that belong to HN's owners (if there are any).
alexaholic · 4 years ago
GDPR is about data, not companies. It applies to all entities regardless of where they are established as long as they're doing business in the EU or processing data of EU citizens.
tremon · 4 years ago
Indeed, my answer would be no. But IANAL, IANYL and TINLA.

There's https://gdpr.eu/companies-outside-of-europe/ :

> Article 3.2 goes even further and applies the law to organizations that are not in the EU if two conditions are met: the organization offers goods or services to people in the EU, or the organization monitors their online behavior.

Recital 23 clarifies what is meant by the organization offers goods or services to people in the EU: https://gdpr.eu/Recital-23-Applicable-to-processors-not-esta...

> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, [..] the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

Profiling is clarified in recital 24: https://gdpr.eu/Recital-24-Applicable-to-processors-not-esta...

> it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

So, I'd say no. The mere fact that HN is accessible to people in the EU does not show intent. HN is an English forum, which is the native language of the country where it is established, and does not offer its services in additional European languages, and does not advertise products in the Euro currency. I'm unable to know for sure, but I don't believe HN is using my posts here to predict or analyse my personal preferences either.

vincnetas · 4 years ago
There is public API for HN data

https://github.com/HackerNews/API

Does it count as the ability to download your data?

user-the-name · 4 years ago
No. It needs to be accessible to everyone, not just to programmers with lots of free time.
dahart · 4 years ago
Question: are you an EU citizen, and is there any way for HN to know whether you are an EU citizen? (Your public profile page has no personally identifiable information.)

GDPR is an EU law that applies to sites that market directly to EU citizens. How and whether it applies to sites outside the EU has been debated. GDPR can prevent a site from operating in the EU. But GDPR does not apply to a US citizen using a US-run web site.

https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

https://gdpr-info.eu/art-3-gdpr/

Edit: speaking of personally identifiable information, GDPR defines the information that is subject to download as “personal” information, only when it can be identified. Do you have data on HN servers that is subject to GDPR even if you live in the EU? (I don’t think I do.)

See 4.1: https://gdpr-info.eu/art-4-gdpr/

La1n · 4 years ago
> only when it can be identified.

Note that it also includes indirect identification, which means that if combined with other data it would identify you. Recital 30 might be of use here too:

> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

Rygian · 4 years ago
My HN username (Rygian) is PII because it can be used to identify me indirectly (HN has a log of my username connecting from IP x.y.z.w, and my IP address is PII).
pbhjpbhj · 4 years ago
Most people have an email address on their profile, that's PII. One could post one's name, that's definitely PII and AIUI that affects all the data then on the site, as it's now associated.
M2Ys4U · 4 years ago
> GDPR is an EU law that applies to sites that market directly to EU citizens.

That is wrong. The GDPR does not make reference to citizenship.

It explicitly notes that it applies either when the data subject is physically in the EU/EEA, or when the data controller/processor is based in the EU/EEA.

nicbou · 4 years ago
There are still some issues with it (incomplete data, manually triggered data exports), but it's a notable improvement nonetheless.

It's particularly valuable when it lets you export instant messaging conversations and shared photo albums. It means that companies cannot hold your data hostage to keep you on their platform.

I use GDPR exports for a personal data thing I'm building [0][1]. It simply wouldn't work without GDPR, because public APIs are increasingly rare. Most of your personal data is locked and GDPR data exports are usually the only way to access it on your own terms.

[0] Intro: https://nicolasbouliane.com/projects/timeline

[1] Code: https://github.com/nicbou/timeline

jFriedensreich · 4 years ago
It took me fighting 6 months with Viacom support to get my song plays for last.fm. Spotify improved from 2 weeks to 2 days but it's still ridiculous to call something true data portability that is not automatic and not instant. A lot of companies tried giving me semi obfuscated PDFs or HTML without classes or classes that were random strings. We need to improve the law to enforce instant availability and an industry standard format like JSON or XML. Also this needs to be completely automatable without having to do it myself.
capableweb · 4 years ago
> It took me fighting 6 months with Viacom support to get my song plays for last.fm

Sue them. It should be faster than 30 days according to GDPR.

> A lot of companies tried giving me semi obfuscated PDFs or HTML without classes or classes that were random strings

Giving you obfuscated data is also against GDPR as the data needs to be clearly machine-readable. Again, sue them as you now have two points against them.

jeroenhd · 4 years ago
The GDPR does not give you any way to sue them directly. You can report the company to your country's DPA, which should look into the issue and might take it with the offending party in a court of law. That is assuming that the parent is actually an EU citizen or a foreign citizen living in the EU; if they aren't, the GDPR doesn't apply to them.

I see a lot of (mostly non-EU) commenters thinking that the GDPR is grounds for any individual to sue any company for practically anything because privacy is hard, (which is probably why everyone was so hyped to hate on the GDPR) but that's just not how it works.

As much as I value data portability, I'd much rather see a DPA sue the hell out of the companies that make those ridiculous, illegal cookie walls and popovers filled with dark patterns instead.

ot1138 · 4 years ago
Sue them under what law or jurisdiction?
Xavdidtheshadow · 4 years ago
For what it's worth Facebook and Instagram (also owned by FB, but is fairly separate product-wise) have pretty good export tools. You make a request in the web UI and a short time later, can download a zip with a bunch of JSON files. I was pleasantly surprised by how much they included.
fossislife · 4 years ago
Under GDPR, they have to include everything (they admit) they have about you, isn't that right?
anticensor · 4 years ago
Unsurprisingly enough, they only include what you entered yourself, but not derived data about you.
Xavdidtheshadow · 4 years ago
I think, but I'm not sure how accessible it has to be. I was mostly commenting on how approachable the data format was. Formatted JSON with descriptive keys.

I have no idea what the law requires about the data format, so they could be doing the absolute minimum.