Data Portability vs Transfer - Owning your data is a right
Dennis has a great Still Born post regarding Dataportability.org, he notes via information from Thomas, that the European Data Protection Act makes such data transfer between third parties legally dubious. The point here is that we would all like to be able to move ‘Our’ data between services, however in doing so through such third parties such as Facebook or Google (facilitated by datapotability.org standards) one could inadvertantly be treading on other individual’s Data Protection concerns.Ben Metcalfe comments on Mike Butcher’s post
'Hmmmm does depend on where your business is located though.
If you are an EU registered company, or have a EU subsidery then juristiction could apply.
However, and frankly, a US originated company with no local office in EU doesn’t to comply with any EU rules.
Also, it does depend on what is considered ‘personal’. Unique ID’s that represet a friend, and friend meta data may not constitute personal data. There’s a court case in here to be had.
More long term, there’s also some debate to be had on whether person-to-person tranfer of data, facilitated by a 3rd party could be relaxed, etc.
I don’t think EU law is a blocker to all this myself.'
Here transfer by individuals (say their personal desktop/phone address books) between themselves and colleagues could still be on a sticky wicket in my opinion as individuals are often businesses themselves or at least acting on behalf of them.
However the concept of data portability (as opposed to data transfer) does still hold water, the problem here is the third party and the third party tactic. I personally think that all such data should be the possession of the owner (or subject in these examples), access to parts of this information should be provided by the subject to the third party or other individual according to the subjects own rules. Note this is access not transfer, no right is given on duplication of the information. Here is a concrete example to explain what I mean:
As an individual I can open an AWS (Amazon web service account) as can any other individual or legitimate third party. I could them create a FOAF page that describes myself and personal information, it could also describe my colleagues anonymously (as ids/uris/references) that point to their own FOAF files/pages. They can grant me access to the information, as I can to them using the AWS access controls. If this was more granular using say other RDF pages of which FOAF is a subset I could control and share my personal information to my hearts content. What is more, as long as no third party actually stored copies of the information they were given access to, they would be operating within the the Data Protection Act.
In fact if this took place a whole ecosystem could grow up around tools for social networking etc..
P.S. This isn’t a post about promoting FOAF or RDF, I use these standards merely as examples, in reality the data could be any agreed standard.
I am sure this idea could work, and would be preferable to storing your information with a third party social network.
*Update - The data should also include a license, including modification/duplication/usage sections similar to GPL that spell out the exact usage/derivation terms of the data. These terms should support the basic premise behind data protection and privacy goals.
*Update 2 Prime has been around for a couple of years and they seem to have tackled a lot of this at the ontology and technology level, their work combined with OpenId/Auth and the licensing above could easily provide the basis of a solution (Thanks to Thomas for the heads up on Prime).
*Update 3 here is a good preso on Prime at W3