Data portability? Not for EU, Sunny Jim

The European Union is very likely to rain on the whole data portability parade. Data privacy laws around the world do not uniformly fall into line when it comes to the likes of Google and Facebook. For instance, as ZDNet enterprise blogger Dennis Howlett cogently points out, article 8 of the UK Data Protection Act states:

8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.

In other words, just porting your data around – even if it amounts to your social graph on Facebook (which is more than just email addresses as it could include anything from birth dates to work history) – is legally very problematic. Just telling a lawmaker in Brussels that you signed up to a workgroup somewhere will not wash. Things get worse when you head to Germany, a fierce protector of privacy (and famous for imprisoning an AOL executive for 24 hours in the mid-1990s because at the time there was no legal definition of the privacy afforded by browser cookies). German law has hindered the development of several local social networks there, especially as regards accessing them in the workplace à la Facebook (although the six different clones of Twitter are clearly pushing the envelope on what’s possible there).

Ultimately, the EU Data Protection Directive, which ended up inserted into the national law of all EU countries, could also be a legal block on data portability. If Robert Scoble had pulled his stunt in Europe, the entire ‘scraping Facebook’ issue may have ended in a serious court case. (And by the way, just to be clear, my ‘Ché Scoble’ crack was meant to be a joke, which turns out to have been taken a tad too seriously by some who seem to have had an irony bypass.) In fact, Facebook is still under investigation by the UK’s Information Commissioner, which oversees the implementation of the UK’s Data Protection Act, after a complaint from someone who found he could not remove his account or any of the data.

So, as useful as it may be, porting your data around between social networks has yet to be tested in law. And European law is amongst the toughest of all to crack.

  • The privacy manifesto « ‘Cross The Breeze

    […] [Update: Mike Butcher at Techcrunch UK also links EU laws to data portability] […]

  • Dennis Howlett

    Thanks for the props on this, Mike. The real credit goes to Thomas Otter for digging out all the law but what amazes me is that Scoble exhibits a cavalier attitude towards these issues. It’s as though they’re irrelevant to his personal crusade against data lockup. What he doesn’t appreciate is the world is a bit more than the US.

  • alan p

    I think even some US people were worried about the implications of the Scoblescrape.

  • Damien Mulley

    1. Dennis ought to have his name as co-author of this.

    2. Have you chatted to ORG about this or DRI from Ireland or the EU guys? Your analysis is shoddy to say the least.

  • Ben Metcalfe

    Hmmmm does depend on where your business is located though.

    If you are an EU registered company, or have an EU subsidiary, then jurisdiction could apply.

    However, and frankly, a US originated company with no local office in EU doesn’t have to comply with any EU rules.

    Also, it does depend on what is considered ‘personal’. Unique IDs that represent a friend, and friend meta data may not constitute personal data. There’s a court case in here to be had.

    More long term, there’s also some debate to be had on whether person-to-person transfer of data, facilitated by a 3rd party could be relaxed, etc.

    I don’t think EU law is a blocker to all this myself.

  • Damien Mulley » Blog Archive » Fluffy Links - Wednesday January 9th 2008

    […] Mike thinks Data Portability is a problem in the EU. Legal scholars, can you give some constructive feedback? Oh and check out this comment from Scoble. […]

  • Dan Field

    Personal transfer of data should be permitted. I think the EU rules are really aimed at companies moving the data around themselves… surely if I (as a consumer of a service) want to move my data to other services I should be allowed to.

    If not, then why isn’t this EU rule being applied to our address books and other personal information that we may have stored on other online services?

    It does need some clarification though, and perhaps a court case as Ben says. EU privacy laws are complex and not very easily understood when applied to Internet services and data.

  • indie

    Mike, ask Clive at Olswang to write a piece on this. He is a top internet lawyer and also a sponsor of TC.

    I go back to the question: just because I give Scoble permission to be my friend in Facebook does not imply he is my friend in another social context. So why should he have the right to move his social graph?

    The data he has access to is his own lifestream/attention data (APML and or attention.xml). If FB (beacon) gathers that for Scoble, he then should have the right to move his APML file.

    Attention is the key value that commercial vendors want to trade with advertisers. They don’t care about you or your friends.

    In the future your attention + your credit rating (plus buying history) will be key pieces of info that advertisers want in order to determine if you can afford their product.

    In the future marketeers won’t waste their advertising budget on widescale marketing campaigns. They will target 1:1 people in real-time who have shown interest in their product (or their competitors) based on their attention and then they will see if they can afford it. Just because you look at the Aston Martin site does not mean you can afford it.

    Advertiser Servers like OpenAds, Wunderloop and Adify are already looking to combine these pieces.

  • Rick Curran

    I agree with Dan Field’s comment above, I think there’s a difference between companies holding your data and moving it around with/without your consent and you choosing to move your own data around. I’m not quite sure how this is seen in the light of EU Law but I think there is definitely a difference.

  • Jack

    @ Dan and @ Rick, surely this isn’t just about moving your data around, but that of your friends/contacts etc as well?

    The UK data protection act covers data that a company holds on other people. Surely in this case there isn’t a huge difference between the scenario where it is a company holding that data on people, and, say, Scoble holding that data on people, in the form of contact information etc?

    Sure, it’s a different legal entity, but the principle isn’t wildly different.

  • Dan Field


    It does really depend on how much information we can transfer between the different sites and networks.

    If it is just contact info then I see no difference to me moving my address book from my PC to an online webmail service, or even me re-keying in the data that I already have.

    If it is more information that contains information on actions my contacts have made on Facebook (for example) then it becomes more tricky as that probably does need permission of each contact.

    I’m no expert on EU privacy law but I do know it can be a very grey area and is difficult to interpret when it comes to situations like this. The whole privacy thing is a big subject and one that does need rethinking, quickly as the Internet is moving fast in this area!

  • Thomas Otter

    okay, you were funny. sort of. Watch out Ricky Gervais.

    My original post was v high level, and definitely not a detailed legal analysis.

    There is a lot more to Section 8, you can transfer info to the US, provided that you have certain protections in place, one option being membership of the Safe Harbo(u)r. Both Plaxo and Facebook are members of this. At the risk of oversimplification, it places obligations on Facebook etc to treat the data in the same way as if they were based in Europe. In the late 90s there was a lot of discussion about the dataflow question, and it has recently flared up with the airline data reservation system PNR.

    Ben, a US company processing data about EU citizens does have obligations under EU law, policing it though, is another challenge.

    The law is not there to mess around private citizens who maintain personal data for their own use, but the line between private and non-private use is rather blurred. This law is rather complex, and the interpretations of the directive differ markedly between EU countries, Spain being particularly fond of fines. The Lindqvist case is also worth a look, as it involves what most of us would consider to be a harmless parish website, something out of the vicar of Dibley.

    I believe that it is possible to architect effective sharing and privacy control. Microsoft and IBM have some promising research, and there is a lot going on in academic circles too. It is arguably the most interesting area of research, because it brings together so many technical, legal and social issues. I welcome the efforts of Facebook, Google etc to look at these issues. It will require a mix of legal and technical know-how.

    The UK Information Commissioner’s website is greatly improved, and well worth a visit. I’m glad to see them paying attention to social media. But the law is not well enforced.

    I know a couple of privacy experts in the UK, and I’d be happy to connect you with them, just drop me a note or a tweet.

    As part of my own academic work, I’m looking at how law is architected into technology, so I can bore for England on this.

  • Tamlyn Rhodes

    @Dan I think the key difference is that in the case of an online address book, you supplied all the data so your contacts are ‘your data’. On facebook your contacts supplied their data (apart from their numeric user id) so even their name and email address info is legally theirs. That’s why the fb terms have those ominous sounding clauses about giving facebook the rights to ‘publish’ your information. Without those rights, fb couldn’t show your info to anyone.

  • Al

    There is a pretty simple solution:
    Owning your own data and controlling access within the Data Protection Act. It’s a basic public right, I think.


  • Ian Betteridge

    I think the point that Rick and Dan are missing out above is that “my” list of contact data drawn from Facebook (etc) isn’t actually “mine”. The data belongs to the individuals who entered it themselves, and who – with their consent – form “my” social network, not to me.

    When Robert pulled out that data, he did so without explicit consent of the people who had given him that data. You can argue that, by marking him as a friend, they’d given him implied consent to take that data and move it elsewhere, but given that Facebook has a measure of protection against porting email addresses, and given that users know this, I think you’d have a hard time actually demonstrating there was implied consent.

  • Danny

    I don’t see the Data Protection laws as any obstacle to passing personal data around, assuming appropriate consent has been obtained. Right now the approach taken by the social network sites is pretty unsophisticated, but with improvements in data licensing and informed consent, there’s no reason the aims of the DataPortability group shouldn’t be achievable.

    See also:

    I am a UK citizen and I hereby grant my permission for you to pass the personal data associated with this post to any other agency you see fit. I’m pretty sure I can trust you not to exploit the data for nefarious ends, and that’s good enough for me :-)

  • Edmund Probert

    Great interchange. The bit some people were fishing for is section 36 of the Data Protection Act.
    “36. Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III.”
    This means that you may transfer your collection of data as you like whether to the US or elsewhere. You can also use it as you like as long as that use remains within those 3 purposes. The consent or otherwise of the people whose data you collect is not relevant – unless they specifically told you not to do this.
    The more difficult area is when you use Facebook or similar for work purposes – this could be covered by the Act – it depends what you store!

  • Dan Field


    Does it matter that the data was passed to the “individual” by a commercial organisation (E.g. Facebook)?

  • Mike Butcher

    Very good point made above: “The more difficult area is when you use Facebook or similar for work purposes”

    Since tonnes of people are now using Facebook for both personal and work networking I see something of a legal minefield ahead (my original point). Anyone else agree/disagree?

  • Dan Field

    Minefield… yes, certainly.

    The problem is that any rules set are never going to be able to keep up with the pace of Internet developments. There are always going to be big issues when it comes to privacy.

  • Al

    These guys have done most of the technical groundwork to allow portable data within European regulations. They include principles, identity and the required ontologies. Very interesting, especially given that they have been at it since 2005.

    The minefield has a map with this information, add the appropriate licenses and storage services (AWS?) + tools voila


  • Andrew J Scott

    Interesting article – back to reality with a bump for all those getting the flags out. This is going to be a tougher nut to crack than many people think; EU Legals, corporate beasts all with hidden agendas and technical challenges…

    It will of course happen, it may just take a little while. I’ll go put the kettle on…

  • More bricks removed from the walled garden of Social Networks « Urban Horizon

    […] STOP PRESS: Good followup from Mike Butcher at TCUK here regards potential EU Legals… […]

  • Paul Walsh

    This is an area which I’ve conducted a lot of research on. Data Protection on the Web isn’t treated in the same way as say, how a bricks ‘n mortar company holds your private details on file.

    What you must include in a ‘Privacy Statements’ is grey at best in the UK, whilst it’s almost black and white in Ireland. Ireland goes to the extreme by expressing where on a Web page you should place the link to where the statement can be found.

    Placing a privacy statement on Web sites is a legal requirement, which many organisations continue to ignore.

    I will be *extremely* interested to hear from someone who has more information. I’ve been to various government departs, all of whom sent me a link to the ‘Business Link’ Web site – a joke to say the least.

  • Paul Walsh

    please ignore the word ‘almost’ in my previous comment as that would make it grey. It is in fact black and white :)
