Research on the Personal Data Portability Based on the Perspective of Property Rights Theory in the Context of Enterprise Digital Transformation

: This study examines the right to data portability under the industrial economics theory, and addresses the problems of ambiguous boundaries, inconsistent formats, and data sharing. Based on the relational transactions in China, this study analyses the right to data portability from three aspects: transaction boundaries, transaction frequency, and exclusive nature. From the viewpoint of transaction uncertainty, it is necessary to clarify the content of transaction data and define the property rights boundary. From the view of transaction frequency, more detailed regulation of data processing mode is needed to reduce transaction costs in the future. The data processing mode needs to find a balance between security and rapidness. The data processing mode should imitate distributed data transfer protocol or decentralized recommendation system. From the perspective of asset exclusivity, data sharing should be classified for different users. The relationship between user privacy and data sharing should be properly balanced to prevent a "one-size-fits-all" data management model. This study applies property rights theory to address the issue of data portability, focuses on the economic benefits brought by data portability, and expands the perspective of the data portability’s nature. Based on relational transactions in China, this study enriches the research of personal data protection in developing countries. In addition, the results provide a theoretical basis for government management, help define the boundary of digital assets, promote the digital transformation of cities, and facilitate sustainable economic development.


Introduction
The problems of privacy proliferation and big data price discrimination become increasingly severe in the era of digital economy.Merchants collect or leak user-private information to make profits.Platforms collect consumer information without obtaining user consent to obtain consumer preferences (Tolmie & Crabtree, 2018).Collaborative recommender systems recommend preferred products to users by big data, but the systems expose more user data to the attackable environment, giving rise to the problem of privacy proliferation (Polatidis et al., 2017;Wu et al., 2018).Even though some platforms offer users the option to avoid tracking, the specific information usage is still vague (Chen et al., 2017).
appropriately expand the scope of the right to data portability based on the relational transactions in China.In terms of transaction frequency, more detailed specifications for the data processing mode are needed in the future to reduce transaction costs.The data processing mode needs to find a balance between security and speed, and the data processing mode should imitate distributed data transfer protocols or decentralized recommendation systems.From the viewpoint of asset exclusivity, data sharing classifications should be made for different users and different data heterogeneous ranges should be specified according to different customer categories to encourage certain boundaries of data sharing.
This study has the following contributions.Firstly, most existing studies examine the right to data portability from the legal and rights perspectives (Borgogno & Colangelo, 2019;De Hert et al., 2018;Ding, 2020;Esr, 2017;Kolasa et al., 2020;Stalla-Bourdillon et al., 2018;Urquhart et al., 2018).This paper uses industrial economics theory to address the issue of the right to data portability, focusing on the economic benefits brought by the right to data portability and expanding the perspective of portability.Secondly, the existing literature focuses on the functions of the right to data portability under the GDPR framework, with less attention to the application of the right to data portability in developing countries (Borgogno & Colangelo, 2019;Colangelo & Maggiolino, 2019;De Hert et al., 2018;Hesse & Teubner, 2020;Ramos & Blind, 2020).Relational transactions are common in Chinese companies (Fang & Zhang, 2016;Li, 2017).This study focuses the right to data portability based on relational transactions in China, which enriches the research results on personal data protection in developing countries.Finally, the results of this study have certain practical significance, which providing a theoretical basis for government management, helping to define the boundary of digital assets, promoting digital transformation of cities, and facilitating sustainable economic development.

Legal framework and literature review 2.1 Comparison of legal frameworks for the right to data portability
Many countries rely on the GDPR to introduce bills related to the right to data portability.Developed countries have an early start on data protection laws, such as the US, which passed the Privacy Act in 1974 and issued the CCPA in 2018; the UK passed the Data Protection Act in 1984; Australia published the Privacy Act in 1988 and the Australian Consumer Data Right (CDR) came into force in 2019; Japan published the Personal Information Protection Act in 2005.Developing countries started late with data protection bills, such as China's Personal Information Protection Law coming into force in 2021, India's Personal Data Protection Bill in 2018, Pakistan's Personal Data Protection Bill in 2020, Brazil's General Data Protection Law (LGPD) in 2020, and Russia's Federal Personal Data Law in 2006.Some developing countries, such as India and Pakistan, have many provisions borrowed from the GDPR with fewer changes (Javed et al., 2020); other developing countries, such as China and Russia, develop bylaw provisions according to national conditions (Wang & Ding, 2021;Zharova & Elin, 2017).
China issued the Cyber Security Law of the People's Republic of China (Cyber Security Law) on November 7, 2016, which sets out the scope of protection for information infrastructure, establishes the principle of sovereignty in cyberspace, and protects consumer interests (Wang, 2017;Zhang, 2016).The Data Security Law of the People's Republic of China (Data Security Law), which came into force on September 1, 2020, is the first law on data security management in China, promoting data utilization and establishing a hierarchical data management system (Deng, 2020).On November 1, 2021, the Personal Information Protection Law came into effect, which is the first law for personal information protection in China, mentioning the right to data portability for the first time and legislating clearly that data controllers shall not over-collect personal information.So far, the Network Security Law, Data Security Law, and Personal Information Protection Law have become the three major regulations of network data security in China.The advantages of the Personal Information Protection Law are: firstly, it elevates the legal status of personal information rights by extending the protection of personal information to the Constitution.Secondly, it focuses on vulnerable groups and provides a higher degree of protection for minors.Thirdly, it establishes special provisions to regulate the problems reflected by society, such as big data price discrimination.It reflects the people-oriented concept by protecting the right of individuals to use their data.However, there are still some problems with the description of the right to data portability.First, the concept is not clear and the relevant principles and technical conditions are still vague.When the right to data portability conflicts with the rights owned by the enterprise itself, it is not clear how to arbitrate.Second, the feasibility of the right to data portability is not strong.The introduction of the right to data portability is not equal to effective implementation.China lacks experience in data transfer, and it is unclear how to effectively enforce the right to data portability and regulate the enterprises.Compared to developed countries, developing countries tend to exclude government agencies because of the different economic systems and strong government intervention in developing countries.However, all countries generally lack specific descriptions of the scope of the right to data portability.Even if the GDPR and other laws state "conditionally permitted", the definition of "condition" itself is not clear.Therefore, this paper will study the scope of the right to data portability to provide a theoretical basis for the government to add specific descriptions.

Literature Review of the Attribute of the Right to Data Portability
There is no unanimous academic opinion on whether the attribute of the right to data portability is a human right or a property right (Balsari et al., 2018;Borgogno & Colangelo, 2019;De Hert et al., 2018;Li, 2018).Supporting the right to data portability as a human right is mainly reflected in the following aspects: First, the right to data portability guarantees the basic human rights of individuals.By giving data subjects greater control over their personal data, the right to data portability can safeguard personal privacy and maintain personal dignity (Zhuo, 2019).Second, the right to data portability takes precedence over respect for the rights of people.India's Personal Data Protection Bill, for example, provides that when the data providing subject is unable to provide consent due to illiteracy, medical condition, etc., the choice should be in the interest of the data subject (Balsari et al., 2018).Finally, property rights should be widely available, but data portability rights are too limited in scope and not widely available (Borgogno & Colangelo, 2019).
Supporting the right to data portability as a property right is mainly reflected in the following aspects: first, users have the bargaining power, which brings property rights.The right to data portability gives users the right to allow platforms to transmit data to third parties, making the online market a "user market", which gives users bargaining power among platforms (Zhuo, 2019).Second, the right to data portability has the economic benefits of property rights.User data allows companies to make accurate recommendations, have precise marketing, and increase user stickiness and satisfaction (De Hert et al., 2018;Li, 2018;Van der Auwermeulen, 2017).Finally, the right to data portability is closely related to the intellectual property law.Therefore, it has property rights as intellectual property law does (Van der Auwermeulen, 2017).

Study on the Attributes of the Right to Data Portability Based on Property Rights Theory
A property right is a bundle of rights that includes three aspects: the right to use, the right to benefit, and the right to transfer.Among them, the right to transfer is the key to the contract, because only transferable property rights can achieve the matching of benefits and costs and ensure the professionalism of property rights usage (Alchian, 1965).The subject of data portability is users, and the prerequisite for the realization of the freedom of data transfer is that users must know and agree to the re-transaction and processing of data.Otherwise, it will inevitably lead to the problem of privacy leakage.Faced with the outstanding problems of personal information protection, it is necessary to regulate the boundary of the right to data portability and ensure the exclusivity of data.Any transaction is an exchange of property rights, and transaction costs are incurred due to the measurement and enforcement of property rights and are minimized within the transaction method (Lakatos, 1978).The factors influencing transaction costs can be examined from the characteristics of the transaction, including uncertainty, frequency of transactions, and asset exclusivity (Mathur et al., 1979).Whether state-owned or private, Chinese firms are more likely to choose relational transactions which are significantly different from the market-based transactions commonly used in developed countries (Li, 2017).Therefore, based on China's relational transactions, this paper will analyze the governance of data portability from three aspects: transaction boundary, transaction frequency, and asset exclusivity.The research framework is shown in Figure 1 below.First of all, from the perspective of the uncertainty of the transaction, as China currently does not have a clear attribute of the right to data portability, the boundary of the right to data portability is vague and the scope of the transaction is unclear.The problems of generalization of rights and personal data trafficking are serious.In China, relational transactions mean that both sides of the transaction have significant personality characteristics, bound after investment, and market competition cannot automatically eliminate immoral behavior (Chen et al., 2010;Li, 2017).If the right to data portability is extended to the transferable data, it will potentially induce enterprises to buy and sell personal data for relational transactions, thus causing personal privacy leakage.From the perspective of commercial credit, to compensate for the adverse effects of commercial credit, enterprises may buy and sell personal data in the case of unclear regulations on the right to data portability.Therefore, it is necessary to clarify the scope of traded data and define the boundary of property rights based on the context of relational transactions in China.The right to data portability is a manifestation of the conflict between access to information and personal privacy.As a result, the scope of the right to data portability transactions needs to be clarified to balance the conflict between digital economy development and personal privacy (Li, 2018).Article 20(1) of the GDPR limits the scope of the right to data portability to "the personal data concerning him or her, which he or she has provided to a controller".However, the GDPR's provisions on data portability itself are somewhat contradictory, emphasizing the non-mandatory obligations of platforms while regulating "machine-readable".Platforms are encouraged but not obligated to build interactive data transfer formats, giving them the possibility to refuse to enforce the right to data portability (Wong & Henderson, 2019).
Article 27 of China's Personal Information Protection Law defines the scope of data portability as "the processor of personal information may, within a reasonable range, process personal information that the The core is to maintain the trust relationship between the two parties individual has disclosed on his own or has otherwise legally disclosed, except when the individual expressly refuses to do so".This definition excludes anonymized data or data unrelated to the data subject, i.e. data processed by the platform (De Hert et al., 2018).This definition is legally supported by the 2011 case of Dianping.comagainst AiHelp.comand the 2016 case of Dianping.comagainst Baidu Maps for unfair competition.The court held that the online data of Dianping.comwas the result of its operation of a huge cost.AiHelp and Baidu Map's obtaining the data directly from Dianping.comconstituted unfair competition.From the perspective of data portability, the information of user reports and reviews produced by the platform are not related to the data subject, not within the scope of protection of the right to data portability.However, the "within a reasonable range" in the article makes the boundary of data portability blur again.Article 27 of the Personal Information Protection Act states that the scope of the right to data portability shall include data involving multiple persons, such as telephone calls, interpersonal interactions, or network communication records, provided that the rights and freedom of third parties are not adversely affected.However, the definition of third-party rights and freedom is again a blurred line.The ultimate right to transmit group photos of multiple people (Urquhart et al., 2018) and whether users' friend information data is allowed to be transmitted together (Tolmie & Crabtree, 2018;Van der Auwermeulen, 2017) are both at the fuzzy boundary.
In determining the boundaries of the right to data portability, the differences between the draft GDPR and the official document, viewed from international legal experience, show that the right to data portability under GDPR is restrictive.The scope of the right to data portability is defined in the draft as "data being processed", while in the official document it is limited to "the personal data concerning him or her, which he or she has provided to a controller".As for the data format, it is "electronic, structured and commonly used format" in the draft, but reduced to "machine-readable" in the official document.These points limit the scope of GDPR data portability (De Hert et al., 2018).China's data portability law can appropriately expand the scope of the right to data portability by removing the limitation that data should only be provided by the data subject.That is, if user B wants to transfer data related to user A, he can do so with user A's consent.The government can require that users' consent as a third-party data subject should be sought before using the platform.If user A consents for his/her data to be transferred before using the platform, then when his/her friend B requests exercise of the right to data portability to transfer friends list, user A's data can be transferred directly without the need to ask for consent again.If user A does not consent, any of user A's friends will not include user A's data when transferring their friends list.Certainly, the right to data portability should not infringe upon a person's legal rights.In case of suspected infringement, the individual has the right to request the platform to delete the data.
Secondly, from the perspective of transaction frequency, due to urbanization transformation, enterprises have accelerated the process of digital transformation, and the frequency for data transactions has increased significantly.The lack of data transfer norms results in the excessive use of personal data.The big data model also makes data storage control more complicated (Ellis & Leek, 2018;Peisert et al., 2018;Van der Auwermeulen, 2017).In the context of relational transactions in China, there is a strong relationship of trust and more channels of information communication between the parties.Relational transactions allow China to have more frequent transactions than developed countries, because it is only profitable to establish relational transactions if the frequency of transactions is high enough (Li, 2017).However, the data processing mode has not been gradually standardized as the frequency of transactions increases, making data transmission extremely difficult.In the future, a more detailed specification of the data processing mode is needed to reduce transaction costs.GDPR gives three different rights to data subjects: receiving the personal data concerning him or her, which he or she has provided to a controller, having the personal data transmitted directly from one controller to another and receiving machine-readable data.The first two have small technical requirements, but the third right relies on technical operability (Borgogno & Colangelo, 2019).Chapter 5 Articles 44-46 of China's Personal Information Protection Law gives data subjects three different rights: individuals have the right to know and decide on the processing of their personal information and the right to restrict or refuse the processing of their personal information by others; individuals have the right to access and copy their personal information from the personal information processor and the transfer route shall be provided when individuals request the transfer of their personal information to the designated processor; individuals have the right to request the deletion of information that has not been deleted by the information processor.In order to make data transfer possible, data format specifications are needed to reduce exchange costs (Haile & Altmann, 2018).The data processing mode needs to ensure both security and efficient data transfer.If the data processing mode is too complex, there will be too many formats conversion steps, severely reducing the efficiency of data transmission (Courbier et al., 2019).If the data processing mode is too simple, it is vulnerable to successful theft by hackers, resulting in large data leakage.GDPR requires the data format to be "structured, commonly used and machine-readable".The Personal Information Protection Act does not explicitly mention format requirements, stating only that "processors of personal information shall provide a means of transfer".The GDPR defines "machine-readable" as "a format that enables software applications to easily identify, recognize and extract specific data" (Ding, 2020).It means that the platform should develop software with an "import-export" module, but this requires more data connect points, making it easier for third-party platforms to access user data and a greater possibility of exposing user data (Zhuo, 2019).
The data processing mode needs to find a balance between security and speed.First, platforms of the same data type should develop their own industry specifications.For example, image type data and location type data each have their own internal compatible specifications.Second, different data types use common open format data between platforms and unify the format of data output.The format depends on the specific scenario and technical level, enabling the circulation of data between platforms.Finally, a decentralized data processing system should be established by imitating the decentralized recommendation system (Casino & Patsakis, 2020;Urquhart et al., 2018).Compared to collaborative recommender systems, decentralized data processing systems decentralize the placement of data and reduce data exposure, thus better protecting data.Data transfer guidelines can also be established based on Distributed Data Transfer Protocol (DDTP) and blockchain technology.Data security can be ensured through verifiable digital credentials "digital fingerprints", thus better facilitating highfrequency data transactions.
Finally, from the perspective of asset exclusivity, data sharing should be carried out accordingly for different users, balancing the relationship between user privacy and data sharing.If personal privacy is overly protected, it is not conducive to the economic utility of personal data.If sharing is overly encouraged, it brings an impact on personal privacy (Guo et al., 2018;Wang, 2019).The core of relational transactions in China is the asset exclusivity that maintains the trust between the parties, because its counterparty identity is derived from exclusive investments made in the transaction, and the value of this exclusive asset is sufficient to guarantee automatic compliance by both parties (Li, 2017).Relational transactions exclusive assets can correspond to data portability asset exclusivity, and simplify the data portability classification by classifying the existing exclusive assets.The right to data portability should allow a certain range of data sharing, promote trust between users and data controllers, and achieve a win-win situation for both users and data controllers (Urquhart et al., 2018).In fact, under the premise of privacy protection, users are often willing to authorize part of their personal data to reduce the transfer cost in exchange for more convenient services.The transfer cost refers to the fact that when users switch between platforms, the corresponding personal data, such as friends list, search history, etc., cannot be transferred, which brings great inconvenience to users (Ramos & Blind, 2020).
The right to data portability can be classified by exclusivity.On the one hand, the "one-size-fits-all" model of data licensing should be eliminated and categorical licensing should be used (Waithira et al., 2019).Currently, there are only two models, full authorization and no authorization which are too extreme and will bring economic losses.Hence, partial authorization options are needed.China's Notice on Information and Communication Service Perception Enhancement Action stipulates that "embedded SDKs shall not start themselves or start associated with each other when they are not necessary for the service or have no reasonable application scenarios".SDKs cannot obtain any data when unnecessary, so the collaborative recommender systems cannot work and the platform cannot make accurate recommendations.The user purchase rate decreases, leading to the decline of enterprise revenue and the national economic downturn.Therefore, classification authorization should be used to set three types of data: unconditionally open, conditionally open, and non-open.For different categories of data, users can be given different levels of protection, and different levels of identity verification can be stipulated to ensure data security.For transmission of high privacy data containing ID information, users can be required to provide ID photos or face recognition to confirm their identity; for transmission of medium privacy data such as frequently visited web pages and frequently visited locations, users can be required to answer pre-set secret security questions; for transmission of low privacy data such as personalized signatures, users can merely provide account numbers and passwords.For the boundary determination of high, medium, and low sensitivity data, the platform can collect the user's priority for the sensitivity level of different data.When users request wielding the right to data portability, different levels of identity verification are conducted according to the pre-collected sensitive data table to ensure that no others impersonate the user's identity for data transmission and therefore guarantee information security.On the other hand, the platform data processing mode possesses exclusivity.For different platforms, data information is important in different degrees.For map navigation software, the user geolocation information is more important than the age information (Ramos & Blind, 2020).Platforms can set up the exclusive data processing mode based on high, medium, and low privacy data, using the complex processing mode for high privacy data and the simple processing mode for low privacy data.When there is inconsistency in privacy classification between platforms like when the private part of one platform is released as public by another platform (Urquhart et al., 2018), platforms can complete the interconversion of high privacy and low privacy data through transcoding to achieve accessible data transmission.

Exploring the path of smart city development from a data portability perspective 4.1 Government
First, the government should strengthen the training of legal knowledge for the public and enhance their awareness of the law.After introducing relevant regulations, the government should publish an explanatory document that converts legal language into everyday language and uses everyday examples for explanations when necessary.The government should also provide community outreach services for people who have difficulty using the Internet (Lytras & Serban, 2020).Next, the government should build the transmission platform regularly, requiring the platform to send monthly data transmission reports to users to address the public's concerns about data leakage of data portability (Urquhart et al., 2018).The report should state the number of data transfer requests, the number of successes, and the object of the transfer platform, so that users can grasp the flow of their personal data.Next, the government should provide policy support to the technology related to data portability.International data portability is basically non-mandatory.For example, the law states that "where technically feasible", i.e., it is not mandatory for corporate data to be machine-readable, and companies are encouraged instead of obliged to use interactivity formats (De Hert et al., 2018).These statements give companies the possibility to delay and not cooperate with the right to data portability.The government needs to introduce policies to encourage companies to develop appropriate technologies.Given that large companies have more time and money to develop relevant technologies (Borgogno & Colangelo, 2019), the government can start with large companies and promote the development of related technologies through financial subsidies, tax reduction, and other policies to better realize the right to data portability.Finally, the government should focus on the boundary issue of the right to data portability.The exclusive classification does not mean indulging in data sharing.The government still needs to restrict profile authorization, and the platform needs to obtain another user's authorization when sharing data again to ensure that the platform uses the data within the scope of authorization (Wang, 2019).

Company
From the perspective of enterprises, first of all, competitive market enterprises should build a transparent transaction information network.Competitive market enterprises will strengthen data innovation to attract users or even third-party platform users to their end.They are more willing to make the data processing mode easy to read so that they can easily read user data.Competitive market enterprises can record and track transaction information within the scope of the right to data portability, constitute a transparent transaction information network, and achieve the equilibrium effect in the Stackelberg game to implement a win-win situation for both the data output and input enterprises, helping the construction of smart cities.Secondly, the winner-takes-all market should develop technological innovation.Companies in winner-take-all markets are inert to innovation because it increases the possibility of user abandonment (Ramos & Blind, 2020).Therefore, they do not want their own data to flow out and want to raise the market entry barrier and put obstacles in the way of the other party's access to information.As large companies, winner-takes-all type of companies can undertake technological innovation.According to the frequency of transactions, develop "machine-readable" data transmission technology to better promote high-frequency data transactions under the premise of ensuring data security (Bagloee et al., 2021;Guo et al., 2018).Finally, enterprises should be elastic in setting data portability boundary issues.According to asset exclusivity, different data carrying rights should be established for different users, and the scope of data sharing should be flexibly scaled.For users with a high trust level, the company should provide large-scale data sharing, and for users with a low trust level, small scale data sharing.

Society
From a social perspective, on the one hand, the right to data portability needs individual consciousness to be truly implemented.Data subjects need to use the right to data portability actively and consciously in order to maximize the role of the right to data portability (Turner et al.).Although the right to data portability provides people with the right to access their own information, users often have no incentive to exercise the right to data portability because of data access cost, personal benefits, etc. (Graef & Prufer, 2021).On the other hand, individuals are also able to regulate whether companies are enforcing the right to data portability regulations.Relational transactions in China do not only exist between enterprises, but also between users and enterprises.Companies need to build their reputation and increase user trust.Users usually provide data to the companies they trust (Urquhart et al., 2018).Users choose regulated enterprises to provide data, pushing non-compliant enterprises to rectify, which implements the function of regulating enterprises.

Conclusion
This study focuses on the attributes of the right to data portability based on property rights theory.Firstly, the right to data portability is extended by using industrial economics theory.Based on relational transactions in Chin, this study enriches the results of personal information protection in developing countries.It provides a theoretical basis for the government to manage data, helps promote the definition of personal digital asset boundaries, and advances the digitalization process of cities and sustainable economic development.Secondly, this study elaborates on three aspects: transaction boundaries, transaction frequency, and asset exclusivity.From the perspective of transaction uncertainty, the scope of the right to data portability needs to be clarified in the future, and the property rights boundary needs to be defined.From the perspective of transaction frequency, a more standard data processing mode is needed in the future, imitating distributed data transfer protocols or decentralized recommendation systems to find a balance between security and speed.From the perspective of asset exclusivity, the future should establish a categorized data sharing database for different users, prevent a "one-size-fits-all" mode, and find a balance between user privacy and data sharing.Finally, the government, enterprises, and society should choose the path of smart city development.The government should introduce policies to encourage people to use the right to data portability and encourage enterprises to develop related technologies; enterprises should flexibly choose the boundaries of the right to data portability according to their own characteristics to promote data sharing; individuals in society should take the initiative to exercise the right to data portability and regulate the enterprises' protection of personal data.

Figure 1 .
Figure 1.Study of Data Portability Based on Property Rights Theory

Table 1 .
Comparison of the right to data portability provisions by country

Table 1
compares developed and developing countries' bills on the right to data portability in terms of four aspects: conditions of use, the definition of personal information, applicable objects, and special provisions.