The Portability and Other Required Transfers Impact Assessment (PORT-IA): Assessing Competition, Privacy, Cybersecurity, and Other Considerations

Article Source:
Publication Date:
Time to Read: 3 minute read
Written By:



One key legal question is whether data should move from A to B, or be prevented from moving from A to B. Requiring the transfer of data can be harmful in some ways and beneficial in others.


Policy Relevance:

Mandating data portability can increase competition. Mandating portability can increase privacy and security risks.


Key Takeaways:
  • Regulators often must address whether the transfer of data from one entity to another should be required, or prohibited; “portability” refers to transfers of an individual’s data from one entity to another, also called “data sharing.”
  • Transfers of commercially valuable data to private firms can reduce monopoly power and spur innovation, but serious privacy and cybersecurity issues arise if portability is too easy.
  • An individual “right to data portability” took effect in the European Union (EU) in 2018 and in California in 2020; individual “data subjects” have the right to receive a copy of their personal data from an entity, and to transmit those data to another entity.
  • A “Portability and Other Required Transfers Impact Assessment” (PORT-IA) would help regulators decide whether to mandate portability, and would help firms develop data sharing systems: key questions include the following:
    • How would portability affect competition?
    • How would portability affect innovation?
    • What security and privacy risks would arise from portability?
    • What other public benefits would data sharing foster?
  • Specialized regulators may benefit from recognizing policy considerations from other disciplines; for example, privacy regulators might consider whether consumers or employees would benefit from information sharing in some contexts.
  • Mandated portability may be a good remedy for abuse by a dominant firm, as the ability to gain access to data can encourage new competitors; both U.S. antitrust authorities and European competition law authorities are considering portability as a remedy for competition concerns.
  • Portability rules in the EU and the United States will prevent consumers from being locked in to one bank by enabling the export of customers’ transaction history to competing banks, or to new financial apps and firms.
    • Access to data by nonbanks might increase security concerns.
    • EU regulators noted that a portability proposal that at first excluded nonbank firms from data sharing raised antitrust concerns.
  • A health information portability mandate issued by the U.S. Department of Health and Human Services (HHS) is meant to reduce barriers to entry for smartphone apps and other nontraditional health providers.
    • Health data might move from an entity covered by strict medical privacy laws to a less-regulated entity, raising privacy concerns.
    • Providers may sometimes refuse to transfer data to safeguard security or privacy.
    • The original HHS proposal required sharing of price information, but critics noted that this could harm competition.



Peter Swire

About Peter Swire

Peter P. Swire is Professor of Law and Ethics and the Elizabeth and Thomas Holder Chair at the Scheller College of Business at the Georgia Institute of Technology. Professor Swire is Associate Director for Policy of the Georgia Tech Institute for Information Security and Privacy. He has appointments by courtesy with the College of Computing and School of Public Policy. He is also Senior Counsel with Alston & Bird, LLP. Professor Swire has been a leading privacy and cyberlaw scholar, government leader, and practitioner since the rise of the Internet in the 1990’s.