This chapter considers EU data protection law, most notably Regulation 2016/679, the General Data Protection Regulation (GDPR). The GDPR governs the processing of data that identifies an individual or makes her identifiable. It sets out circumstances when the process is lawful. The most notable of these is that the individual consented to it; processing is necessary to perform a task in the public interest or in the exercise of official authority; or the data is required for the pursuit of a party’s legitimate interests unless the fundamental rights of the individual overrides these interests. Individuals have a number of rights in respect of their personal data. These include the right to information about it and to access it, and to rectify inaccurate or incomplete personal data. Arguably, most contentiously, the individual can have the data erased if she withdraws her consent or the data is no longer necessary for the purposes for which it was processed. This right must be balanced against other interests, most notably the freedom of others to expression and information.

The chapter explores the concept of data portability in a data-driven world. In the first part, it maps out the journey data takes in a data economy and investigates the valuation and cost of data. It posits that, because of data analytics, machine learning, and artificial intelligence models, “generated” data, as data that has been derived or inferred from “raw” data, is of higher value in the data market, and carries a higher cost of production. In the second part, building on this taxonomy, the requirements for the free flow of data in competitive data-centric markets are discussed: regulations on data tradability and portability. The analysis leads to doubt that the newly introduced and widely debated rules regarding portability of data under European Union law will adequately provide these prerequisites. The chapter concludes by suggesting an alternative model for data portability: rather than distinguishing between personal and non-personal data, the legal concept of data portability should be based on the allocation of value; that is, whether the value of data provides cost compensation to the service provider. Raw data should always be portable, while generated data may require a more refined regime depending on whether it is compensating costs.

In 2015, the US Senate passed a resolution recommending the adoption of a national strategy for IoT development (IoT Resolution).1 Currently, the proposed Developing Innovation and Growing the Internet of Things Act (DIGIT) would establish a federal working group and a steering committee within the Department of Commerce.2 If the act is adopted, the working group, under the guidance of the steering committee, would be charged with evaluating and providing a report containing recommendations to Congress on multiple IoT aspects.3 These areas include identifying federal statutes and regulations that could inhibit IoT growth and impact consumer privacy and security.4