The Cambridge Analytica downfall shows the importance of platforms limiting access of third parties to the personal data they hold. However, such limitations cannot be absolute. As a matter of fact, one of the biggest innovations of the GDPR is the introduction of data portability as a new right of the data subject. Data portability presupposes that new players on the market, from a small gaming app to an ambitious new platform facilitating exchange of information, should have access to personal data of an individual collected and amassed by their competitors or by any other player in a different market, if the individual so wishes.
• How should organizations implement portability to maximize individual rights?
• What is the relationship between ensuring portability and platforms exercising responsible oversight of the activity of apps?
• Is portability a right that advances competition to support diverse options for individuals, or an individual data protection right that incidentally supports competition and does it matter?
• In addition to data protection authorities, what role will codes, independent watchdogs, self-regulation, civil society, media or other efforts play to ensure third party access to data via portability is not abused?