UCL Department of Science, Technology, Engineering and Public Policy


New peer-reviewed article highlights the need to improve data portability

13 July 2020

Former UCL STEaPP students publish results of their dissertation project in the high-impact journal New Media & Society. The group delivers the first empirical analysis on the exercisability of the right to data portability in the consumer Internet of Things environment

MPA group

From left to right: Javier Ruiz Diaz, Simon Turner, July Galindo Quintero, Jessica Lis, Sarah Turner, Leonie Tanczer

The research, published in the journal New Media & Society, found that many users find it challenging to access meaningful information about the right to data portability and subsequently to transmit personal data from one Internet of Things (IoT) device manufacturer to another. The right to data portability is a data subject right within the General Data Protection Regulation (GDPR, Article 20). It gives users the right to transfer personal data from one data controller to another. This transferability of data is specifically of interest in the emerging  IoTenvironment, in which smart, Internet-connected devices are rapidly increasing in number.

The researchers, former Master’s of Public Administration (MPA) students - Sarah Turner, July Galindo Quintero, Simon Turner and Jessica Lis, working under the supervision of Dr Leonie Tanczer, evaluated the current status of the right to data portability in collaboration with the Open Rights Group and in conjunction with PETRAS National Centre of Excellence for IoT Systems Cybersecurity.

The research consists of a two-part analysis. The first study reviewed 160 privacy policies of IoT producers whose products were available for purchase in the UK. Focusing on the availability, content, and information on the right to data portability, the researchers determined that there was very little substantive detail as to how a user may exercise their right and in particular, the potential for direct transmission of data was not typically referenced. None of the policies examined explained how to approach a data controller to import their data. The policies that provided details about the circumstances in which the right to data portability could be exercised had often copied language directly from the GDPR, so were written in a legal, intricate way that it is incomprehensible to many lay readers.

The second study tested a user’s ability to exercise the right to data portability with four widely available IoT devices – two wearable fitness trackers and two home assistants. It found that it is relatively straightforward to request receipt of data under Article 20(1), with three out of four of the IoT providers providing the user’s personal data when requested. However, it was not possible to transfer the data into any of the four tested devices, nor was it possible to request a direct transmission of data between providers (Article 20(2)).

MPA data flyer
Data portability flyer produced by the MPA group.


Sarah Turner said: Article 20 recognises that it may not be technically feasible to ingest data - and so data subjects are likely to meet a dead end when trying to move data from controller A to B. Not being able to achieve a seamless data flow when we change a device when it breaks or simply stops being supported is really problematic for the long-term adoption of IoT.”

Jessica Lis said: “Our findings show that the industry needs to take more accountability in effectively implementing the right to data portability and the GDPR as a whole. It is exciting to be in conversation about how policy can be converged with business strategy to address this. I think this paper, in combination with our Twitter and GitHub activity, really highlights the exciting research we undertaken to demonstrate the level at which the IoT industry adopts the right to data portability and what consumers should be entitled to.” 

Simon Turner explained why their research has substantial significance: “Our work vividly showcases the importance of the right to data portability and the need for its development to ensure that the rights granted to data subjects by the GDPR can actually be fully realised.”

July Galindo further explained how their work fits within larger policy developments: “The European Commission’s recently published two-year review of the GDPR highlights how the right to data portability is one of the Commission’s priorities, particularly given the increasing use of IoT devices. As IoT devices become more prevalent in the daily lives of consumers, the team predicts the inconsistencies their research found will only grow.”

The MPA project team and their supervisor are delighted that this research has culminated in the publication of a peer-reviewed article in such a highly-regarded journal. The team trusts this work will contribute to the conversation in the data portability and IoT field and is continuing their work to produce further outputs based on their research.