Research Article

Unlocking personal data from online services: user studies on data export experiences and data transfer scenarios

Received 31 Oct 2022, Accepted 26 Feb 2024, Published online: 20 Mar 2024

ABSTRACT

In recent years, online services have started to make personal data of users more accessible by offering dedicated ways of exporting data. The introduction of download portals is associated with increasing demands by privacy regulations regarding the rights of users, such as the Right of Access (Art. 15) and the Right to Data Portability (Art. 20) of the European Union’s General Data Protection Regulation (GDPR). These rights aim to empower users by increasing their control over the personal data that online services hold about them. They allow users to export their personal data and thereby gain insights on the scope of personal data held by the services and to transfer this data to other services. However, until now, little is known about how users experience and evaluate the process of accessing and exporting their data and how it impacts individual-level factors such as privacy-related attitudes (i.e. attitudes regarding sharing personal data, perceived control over data, and using privacy-protective strategies). In this paper, we report the results of an online survey with an experimental condition (N = 728) and a second online survey (N = 817) where participants from two university courses were asked to request real data exports from online services and inspect the exported data afterward. We find that inspecting exported personal data has a statistically significant positive effect on users’ privacy-related attitudes. However, users perceive limited usefulness in switching scenarios where personal data is transferred to a new substitutional service and rather prefer to use the data at multiple complementary services.

1. Introduction

Online services with data-driven business models have become prevalent since the rise of Web 2.0. As accumulating data allows services both to be more attractive to users and to generate more revenue, for example, through a better personalization of ads, services have an incentive to collect large amounts of data without sharing them with their competitors (Krämer et al., 2020). For users, having provided their data without the possibility of retrieving them can lead to a “lock-in” where changing to another service (where all data would have to be entered again) becomes increasingly expensive and cumbersome (Farrell & Klemperer, 2007). Furthermore, ubiquitous data collection can cause users to lose awareness of when and what data is stored and processed by online services.

These issues are addressed by user rights embedded in privacy regulations such as the European Union’s General Data Protection Regulation (GDPR) (Council of European Union, 2016). In particular, the GDPR’s Right of Access (Art. 15), Right to Erasure (Art. 17), and Right to Data Portability (Art. 20) intend to give users the power to learn what data online services hold on them, to erase personal data from online services, and to export data from online services and possibly transfer them to another service. However, the compliance of services with these rights is still remarkably low – empirical studies yield compliance rates of up to 53% (Kröger et al., 2020) for the Right of Access, 73% for the Right to Erasure (Rupp et al., 2022), and 29% for the Right to Data Portability (Syrmoudis et al., 2021).

The Right to Data Portability aims to break down data silos by making it easier for users to transfer their data from one service to another (Article 29 Data Protection Working Party, 2017), not only empowering users but also market entrants who may be strengthened in their competition with incumbent services (Wohlfarth, 2019). In contrast to the Right of Access, which gives users the right to be informed about the data online services hold about them, the Right to Data Portability aims at giving users control over their data by obliging online services to export data in a (common, machine-readable, and structured) format that facilitates transferring that data to other online services (Article 29 Data Protection Working Party, 2017).

Both the Right of Access (Art. 15) and the Right to Data Portability (Art. 20) allow users to export their personal data from online services. Findings from prior work show that both rights suffer from low compliance rates (Kröger et al., 2020; Syrmoudis et al., 2021) and that online services fail to distinguish between or even mix up these two user rights (Syrmoudis et al., 2021). Furthermore, the Right to Data Portability does not yet live up to its “data transfer” promise, as a great majority of services do not offer to import data exported from other services (Syrmoudis et al., 2021).

These findings from prior work indicate that both legislators and online services themselves need to continue to work on making the Right of Access and the Right to Data Portability successful user rights. Our study aims to increase the understanding of what users expect from data exports and data transfers, how they would like to use them, and what hinders them from doing so.

Our study further draws a connection between existing user rights and the concept of Personal Information Management Systems (PIMS). As defined by Janssen and Singh (2022), PIMS “provide technology-backed mechanisms for individuals to mediate, monitor and control how their data is accessed, used or shared.” The GDPR’s Right to Data Portability intends to give users substantial powers to learn what data companies hold and to control which companies hold their personal data. PIMS have, therefore, been proposed as a way of implementing data portability (Krämer, 2020; Urquhart et al., 2018).

Furthermore, data portability and interoperability have been described as essential features of PIMS (Attoresi & Moraes, 2020), and PIMS solutions like Solid are discussed among components that can be part of architectures for achieving data portability (Kranz et al., 2023).

In order to design PIMS in a way that sufficiently fulfills the requirements of Art. 20 GDPR, we need to learn how users interact with PIMS that allow the management of their data, what effects on users’ privacy-related attitudes may arise, and what further usage scenarios users see. We, therefore, pose three research questions that cover the whole data transfer process from export to import, allowing us to learn how users would like to manage their personal information gathered using user rights of the GDPR.

1.1. Users’ experiences of data export and inspection

Art. 20 GDPR allows online services a substantial amount of freedom in how they implement the Right to Data Portability. Exports must be provided in a structured, common, and machine-readable format and have to contain at least the data that has been received by the online service (i.e., actively provided by the user, such as posts on a social network site). For data that has been observed (i.e., passively provided such as a smartphone’s GPS data), there is no final interpretation on the mandatory inclusion in the data export yet (De Hert et al., 2018). While there is a recommendation to use formats like XML, JSON, or CSV (Article 29 Data Protection Working Party, 2017), online services can decide by themselves on the format of their data exports and on the procedure to request them. As direct ways to transfer data between services, such as the Data Transfer Project (Willard et al., 2018), are not operational yet, users have to transfer data in an indirect way by first requesting an export from one service and then importing the data to another service. For this way of data transfer to be feasible, users should be able to export data without hindrances and to inspect and inform themselves on the data provided by the exporting service. As known from user studies on the Right of Access, data subject requests can be unsatisfactory due to non-compliant and low-quality responses (Bowyer et al., 2022). In the case of data portability, a good user experience when exporting data is a fundamental prerequisite for the whole data transfer process to work. Therefore, gathering insights on the actual experiences of users with current data export processes is crucial for deriving recommendations for improvements of data export and transfer processes and the development of PIMS.

We pose Research Question 1: How do users experience exporting their personal data from online services? How do they inspect the exported data?

1.2. Effects of data export and inspection on privacy-related attitudes

The present study also examines users’ perceptions of online privacy in the context of data exports. The reason for this is that privacy plays an important role in the context of PIMS and the GDPR: One of the core goals of both the GDPR and the concept of PIMS is to strengthen the data sovereignty of end users and give them more control over how their data is processed and shared (Janssen & Singh, 2022; Janssen et al., 2020; Korir et al., 2022; Mazeh & Shmueli, 2020; Singh et al., 2017, 2021). One way in which this empowerment could take place is that interaction with their data, specifically, its export and exploration, influences the privacy-related attitudes of users.

An attitude is “a psychological tendency that is expressed by evaluating a particular entity with some degree of favor or disfavor” (Eagly & Chaiken, 1993, p. 1). The entity or object that attitudes refer to can be “anything a person may hold in mind, ranging from the mundane to the abstract, including things, people, groups, and ideas” (Bohner & Dickel, 2011, p. 392). Based on this definition, privacy-related attitudes in the broadest sense can refer to, for example, users’ assessments of privacy in general (e.g., as subjectively relevant), assessments of specific legislation such as the GDPR and the tools service providers use to implement this legislation (e.g., as helpful), as well as self-assessments (e.g., of their ability and intention to protect their privacy and use certain tools).

We, therefore, investigate how users’ privacy-related attitudes are impacted by experiencing data exports and being confronted with the personal information processed by online service providers.

Concretely, amongst the various conceptualizations of privacy-related attitudes that can be found in the literature (e.g., privacy concerns, privacy considerations, and privacy fatigue; Barth and de Jong (2017); Baruh et al. (2017)), we focus on three: Users’ attitudes toward sharing different kinds of data with online services and other users (Dienlin & Trepte, 2015), users’ perceived control over their data (that is, their belief in being able to protect their data and influence what online services do with their data; Saeri et al. (2014)), and their attitude toward using privacy-protective strategies (e.g., restricting access to their data).

These three privacy-related attitudes are relevant because attitudes toward data sharing, usage of protective strategies, and perceived control over data are important determinants of privacy-related behavior (Ajzen, 1991; Saeri et al., 2014).

In addition, it also seems worthwhile to test how useful and beneficial to their privacy users rate the GDPR and the possibility of exporting and inspecting their data. Prior studies on the GDPR have found mixed results: Surveys suggest that users’ sense of control over their data has not increased since the introduction of the GDPR. Instead, some users report frustration and doubts about the effectiveness of the regulation, perhaps due to excessive confrontation with cookie banners and privacy policies required by the GDPR, leading to a sense of disempowerment (Mahieu & Ausloos, 2020; Strycharz et al., 2020). However, several studies found that users mostly assess concrete GDPR rights such as the Right to Data Portability as beneficial and useful but are often unaware of ways to exercise them (Kuebler-Wachendorff et al., 2021; Luzsa et al., 2022a). Likewise, users’ evaluation of the GDPR is influenced by their self-efficacy, i.e., their perceived ability to protect their privacy and the role they attribute to the GDPR in protecting their privacy (Marikyan et al., 2023). This suggests that exercising a GDPR right by exporting and exploring data and thereby strengthening their self-efficacy may impact users’ evaluation of the GDPR. Therefore, as a fourth privacy-related attitude, this study measures how users assess the value of the GDPR for their own online privacy and how this assessment is impacted by conducting a data export and inspecting the acquired data.

The assumption that a data export may serve as an intervention that positively affects privacy-related attitudes is backed both by theory and previous empirical research. At the conceptual level, data export is an act of Human-Data Interaction (Mortier et al., 2014), which is characterized by the legibility and comprehensibility of data and processes, the degree of users’ agency, and aspects of societal and individual negotiability (i.e., social norms and expectations). From this point of view, it can be assumed that conducting data export and exploration increases the comprehensibility of data and data processes and, as a result, also influences users’ sense of agency and privacy-related attitudes. Empirical findings support this notion: Interventions such as receiving information about service providers’ data policies (Golbeck & Mauriello, 2016), participating in simulations in which privacy-related decisions are made (Dincelli & Chengalur-Smith, 2020), or being exposed to nudges such as warning labels (Acquisti et al., 2017; Carpenter et al., 2017; Dogruel, 2019) all have been found to affect privacy awareness and similar privacy-related attitudes. In the context of the present study, we can therefore assume that exporting and exploring one’s own data from an online service such as Facebook may also serve as an intervention: It allows users to realize the scope of data collected, which most users report not to be aware of (Bartsch & Dienlin, 2016; Epstein & Quinn, 2020; Golbeck & Mauriello, 2016) and therefore could make them reevaluate which data they want to make available to the provider and other users. Moreover, conducting an export should also impact users’ perceived control over data, as it conveys knowledge to them about strategies to manage their data, thereby positively influencing their perception of GDPR as privacy-strengthening legislation.

These assumptions are further supported by studies on the effects of privacy dashboards (i.e., user interfaces offered by specific service providers that allow users to view and manage data) on privacy-related attitudes. For example, Farke et al. (2021) found that users report fewer privacy concerns after interacting with Google’s “My Activity” dashboard, a system that visualizes the data that Google services have collected about a user (e.g., location data, search strings) and offers options to delete certain data or change privacy settings. Contrarily, in a study by Arias-Cabarcos et al. (2023), Facebook users report worrying more about privacy after being exposed to the “Off-Facebook activity” dashboard, an interface that informs about the personal data that third parties track via Facebook-provided tools and that allows for the deactivation of future tracking. These findings suggest that the effect of confrontation with collected personal data is influenced by different factors, such as the scope of the data and the privacy-management functions offered by the dashboard. However, the data export enabled by the Right to Data Portability differs from privacy dashboards in that the data is made available in a standardized format, but there is no curation, i.e., visual preparation by the service, and no options are offered for deleting data or disabling future tracking. This raises the question of how users react to this kind of “raw” and non-curated data export and how it affects their privacy-related attitudes. If effects of data export and exploration on privacy attitudes are found, it would suggest that PIMS can not only strengthen users’ digital sovereignty but also enhance their privacy awareness and that effects of PIMS on privacy attitudes should be closely considered in their design.

Therefore, the study examines Research Question 2: Does exporting and exploring data affect participants’ privacy-related attitudes, that is, their willingness to share information online, their perceived control over their data, their intention to use privacy-protecting measures, and their evaluation of the GDPR?

1.3. Users’ preferences for data import

Finally, the Right to Data Portability does not only intend to give users the possibility of exporting data but also to upload or transfer their data to other services and, therefore, stimulate data-driven online markets. Apart from the straightforward scenario of switching from one online service to another, i.e., transferring data to a substitutional service that offers similar features and deleting the old account afterward, scenarios where the data is kept at multiple services are also thinkable. Data could be transferred to complementary services that offer different features, which in turn could use the data to improve their offerings (Engels, 2016). Furthermore, the data included in an export may vary in its specificity and relevance. Depending on a concrete data transfer scenario, users may want to transfer only a subset of the exported data.

Research Question 3 follows: What import scenarios do users prefer? What type of data would they want to transfer to other services?

To address these research questions, we have conducted two comprehensive surveys with over 1500 participants in total. Over the course of the surveys, participants were asked to conduct real data exports. Participants described how they experienced the data exports and their perceived usefulness of exporting data. Furthermore, they were confronted with the amount of personal data online services stored on them with the effect of that confrontation on their privacy attitudes being measured. Lastly, in hypothetical data transfer scenarios, participants decided on what data they would transfer to which services when given the opportunity.

The remainder of the paper is structured as follows. In Section 2, we present related work. In Section 3, we describe our methodology with a focus on the design of the surveys. Our results on how users experience their data exports and on how they inspect their personal data are presented in Section 4.1. In Section 4.2, the results of the between-subjects experiment on the effects on users’ privacy attitudes are presented. Section 4.3 highlights our findings on the preferred data transfer scenarios of users. Finally, Section 5 discusses the results and their implications.

2. Related work

Several studies have been conducted on data exports from online services, focusing on the GDPR’s Right of Access. To the best of our knowledge, no large-scale studies with a focus on data transfer scenarios have been conducted yet. Consequently, our research complements the existing literature by further investigating user needs and experiences regarding data exports and by adding insights into desirable properties of data transfers.

Most similar to our approach regarding RQ1 is a study by Pins et al. (2022). The authors conducted a user study where 59 participants received data following a total of 422 requests under the Right of Access. In particular, they observed how participants perceived the option to make data access requests, how the requests were executed, and how participants used the data. Using the grading scheme by Bangor et al. (2009), all but one of the examined service categories received overall usability scores of F (not acceptable) due to the data access procedures lacking clarity and guidance. Participants reported that the data helps them to understand what the service knows about them and that the provided data is easy to understand. However, despite the study being on the Right of Access, which does not require machine-readable exports, in 40% of the scenarios, machine-readable formats were used (compliance studies on the Right to Data Portability also indicate that some services treat the Right to Data Portability and the Right of Access as the same or mix them up, see, e.g., Syrmoudis et al. (2021)). Participants, therefore, reported that data formats were difficult to handle. Furthermore, many participants did not see use cases for the provided data. Pins et al. (2022) did not find an impact of inspecting the provided data on participants’ privacy-related attitudes. However, in contrast to our study (RQ2), this was not tested experimentally but based on participants’ self-assessments after inspecting the data.

Further studies on data access requests include Petelka et al. (2022), who conducted 38 access requests and found the processes to be not linear, often requiring the participants to execute workarounds in order to receive their data.

Veys et al. (2021) conducted a focus group study where 42 participants reacted to their exports from six services under the Right of Access. Participants found that increases in usefulness were necessary, with filtration, visualization, and summarization being means to do so.

Bowyer et al. (2022) qualitatively assessed users’ attributes regarding data-centric services before, during, and after executing data access requests. They found that a high number of services were non-compliant and delivered incomplete data, causing distrust among participants.

Karegar et al. (2016) conducted a qualitative user survey on visualizing data exports under the Right to Data Portability in 2016 (i.e., before the GDPR came into effect) and found that participants showed little interest in the visualization of location files exported from Google. When asked about the transmission of data between services, participants preferred indirect transfers of data (where they can first inspect the data) over direct transmissions from one service to another.

Strycharz et al. (2020) assessed users’ perceptions, awareness, and understanding of the GDPR. They surveyed 1288 participants and found awareness and knowledge of the GDPR and its individual rights to be high. Participants, however, indicated doubts about the effectiveness of the GDPR – a sentiment that has subsequently been confirmed by compliance studies (see, e.g., Kröger et al. (2020); Rupp et al. (2022); Syrmoudis et al. (2021); Wong and Henderson (2019)).

3. Method

To examine how users experience the process of requesting and inspecting their personal data, two comprehensive online surveys were conducted in July 2020 and July 2021 at the Technical University of Munich. The first survey focuses on how users inspect their data exports from a leading interactive online service and on the effects of being confronted with one’s personal data on the privacy attitude of users. The survey was conducted on the example of the Facebook social networking site. With 67.6% of the European population using the site as of May 2022 (footnote 1), the service is particularly suitable for a large-scale survey focusing on data exports. The second survey focuses on how useful participants find their data exports and on the use cases they see for the transfer of exported data to other online services. In contrast to the first survey, the data export task is not limited to Facebook only but includes a total of 29 popular online services. Details on design and measures are outlined in this section. In addition, the full surveys are available in the supplementary material of this paper.

3.1. Participants

In both surveys, participants were recruited from university students in two large business administration and information systems courses. Overall, 1545 participants (728 in survey 1 and 817 in survey 2) made 1395 successful data export requests under Art. 20 GDPR. As the surveys were conducted in different years, participants were part of two distinct student cohorts. The number of students who participated in both surveys was 28.

In survey 1, 57.1% of the participants were male, 40.4% were female, 0.5% were diverse/non-binary, and 1.9% did not want to report their gender. Similarly, in survey 2, there were 58.8% male, 40.1% female, and 0.4% diverse/non-binary participants, with 0.7% choosing not to report their gender.

The majority of participants were management students (survey 1: 76.0%, survey 2: 75.2%). Other groups with a share of more than 1% were students of information systems (survey 1: 16.4%, survey 2: 18.1%) and computer science (survey 1: 5.5%, survey 2: 3.7%). The mean number of studied semesters was 5.0 in survey 1 (median: 3, min: 1, max: >12) and 4.8 in survey 2 (median: 2, min: 1, max: >12).

Most participants (survey 1: 88.2%, survey 2: 91.5%) stated that they had not executed the Right to Data Portability prior to taking the survey.

3.2. Design

Survey 1 used a between-subjects experimental design to examine the effects of downloading and inspecting data from Facebook (independent variable, treatment group: with download, control group: no download) on several privacy-related attitudes (dependent variables). After measuring the dependent variables, the control group also downloaded and inspected their data, and additional explorative questions about participants’ evaluation of downloading and reviewing the data were asked in both groups.

Survey 2 did not feature a control group. Instead, all participants were equally asked to download and inspect data from two services that they use (chosen from a list of 29 commonly used services) and asked to evaluate their experiences, similar to survey 1. Additionally, participants’ preferences for importing their downloaded data to other, currently not-used services were measured.

3.3. Measures

3.3.1. Privacy-related attitudes (survey 1)

In survey 1, the effects of conducting a data export from Facebook and inspecting the data on several privacy-related attitudes were examined. Concretely, questions regarding four aspects were asked:

Firstly, we measured participants’ attitudes toward sharing different kinds of data on their Facebook profiles. For this, we used three scales developed by Dienlin and Trepte (2015): Sharing data that makes the user identifiable, sharing personal (i.e., private and emotional) information, and intention to restrict other users’ access to the Facebook profile. Each facet is operationalized as the mean of six items answered on a six-point Likert scale (e.g., “I think that giving information on FB that identifies me is (1) not useful … (6) very useful, (1) careless … (6) not careless”). The original authors report satisfying internal consistencies for all three scales (all Cronbach’s α ≥ .81). Therefore, mean values of the three scales are calculated.

Secondly, we asked four questions regarding participants’ perceived control over their data on Facebook. The questions were taken from Saeri et al. (2014) and answered on a six-point Likert scale, ranging from “strongly disagree” to “strongly agree” (sample item: “I think I am able to control and manage what data Facebook stores about me and how this data is used”). The original authors report a boundary-acceptable internal consistency of α = .63. Therefore, we calculated the mean of all questions but also examined individual item values.

Thirdly, participants’ intention to use privacy protection measures on Facebook was measured with 11 questions proposed by Kezer et al. (2016). Participants were presented with different protection strategies (e.g., “Deactivate your profile,” “Untag photos/videos”) and were asked to indicate whether they planned to do this in the future in order to protect their privacy on a binary answer scale with the options “yes” and “no.” A sum score was calculated, counting “yes” as one and “no” as zero. The authors do not report the internal consistency; in our sample, we find α = .82.

Finally, participants were asked to rate how they assess the value of the GDPR for their own online privacy. For this, we used four self-formulated questions: “GDPR gives me the feeling of having more influence on how companies work with my data.,” “GDPR has strengthened my awareness of the value of data.,” “GDPR improves my privacy.,” and “GDPR increases my control over my personal data.” The items were again answered on a six-point Likert scale (from “strongly disagree” to “strongly agree”). As the questions address rather different aspects of privacy (e.g., awareness vs. influence of online service providers’ handling of data), no aggregate measure is calculated, and instead, individual item values are examined and reported.

3.3.2. Evaluation of data export and data inspection (survey 1)

After data exports were executed, participants’ attitudes regarding the triggering of exports, the inspection, and the perceived usefulness were measured.

First, we asked questions on the initiation of the data export. Participants were asked which options (data format, media quality, time limit) they selected when making the export request on Facebook, whether they needed to consult further resources, and how long the export took.

Secondly, we asked them open questions on the data inspection (“How did you inspect your Facebook data?,” “Which tools and programs did you use?”), the most useful aspects of the data export (“Which parts or aspects of your Facebook data did you find the most useful?,” “Which five categories of data in the data export do you consider the most valuable?”), and possibly unexpected data (“Was there content in your Facebook data you didn’t expect to find there? If yes, please elaborate.”).

Finally, we asked them about the comprehensiveness of the exported data and possible use cases (“What would you do with the data you want to keep?”).

3.3.3. Data export experiences and transfer scenarios (survey 2)

In survey 2, participants made data export requests at two randomly selected online services. After receiving and inspecting the exports, participants were asked for their experiences with the data export using adapted questions from survey 1 (e.g., “How difficult was it to export your data from service 1/2?,” “How would you rate the comprehensibility of the data export?,” “Was there content in your service 1/2 data you didn’t expect to find there? If yes, please elaborate.”).

Finally, participants were asked about data transfer scenarios considering the received data exports. After asking for the usefulness of transferring the data to the respective 28 different services (“Please rate the usefulness of an import of your data from service 1/2 to the following services.”) using a six-point Likert scale, participants were confronted with two specific transfer scenarios: one to a randomly selected service where they were already registered and one to a randomly selected service where they were not registered yet. Using open questions, participants were asked what reasons they could state for the data transfer (“What are the reasons why you would or would not use the possibility to import your exported data from export service 1/2 to import service 1/2?”) and what data scope they would prefer for such a data transfer (“Which types of data would you want to import from export service 1/2 to import service 1/2?”).

3.4. Procedure

3.4.1. Survey 1

Survey 1 consists of three blocks of questions: Sociodemographics and Social Media Usage (A), Privacy Attitude and Intentions (B), and Data Inspection (C). Participants are equally and randomly divided into a treatment group and a control group. The treatment group is asked to download and inspect their personal data from Facebook after question block A, whereas the control group has to perform this task after question block B. Participants are then instructed to press the “Pause the survey” button and continue the survey after they have received the data export or after more than five days have passed. Figure 1 shows a screenshot of this export task.

Figure 1. Data export task.

Participants who report that they do not have an account on Facebook or that they could not successfully export their data are given a set of dummy data generated by us from a real Facebook export. As shown in Figure 2, they are then asked to inspect their data export thoroughly.

Figure 2. Data inspection task.

For the data export, participants used Facebook’s “Download Your Information” tool. This tool allows users to select either JSON (in compliance with the Right to Data Portability) or HTML (in compliance with the Right of Access) as file format for the exported data (see footnote 2). We did not instruct the participants on which format they should choose. The dummy dataset given to participants who could not successfully export their data used the JSON file format.

In block A, participants are asked for basic sociodemographic information as well as the social media platforms they have an account on and the time they spend online.

In block B, the privacy-related attitudes (see Section 3.3.1) were measured.

In block C, the questions concerning participants’ evaluation of the export process and their strategies to inspect the data (see Section 3.3.2) were asked.

3.4.2. Survey 2

Survey 2 broadened the scope of the first survey by addressing not only Facebook but also examining data export in 29 commonly used online services. These services were selected using the worldwide and German Alexa lists of the most popular websites (Alexa Internet Inc, 2020). For each service, we ensured that there is an automated way of requesting data exports, typically by clicking a button in the user interface of the online service. When it was unclear whether this data export functionality was the service’s preferred way of requesting exports under the Right to Data Portability, we consulted its privacy policy or, if necessary, contacted its Data Protection Officer or customer service. We, therefore, only selected services that allow the request for data export under the Right to Data Portability in an automated way. In general, data exports under Art. 20 GDPR can take up to three months, and previous studies have shown that the compliance of online services with Art. 20 is rather low (Syrmoudis et al., 2021; Wong & Henderson, 2019). To keep waiting times for the survey participants reasonably low, data export requests were made to the Alexa top sites, and only the 29 services were selected for the survey where the request could be completed successfully and where the total waiting time was at most seven days. Using the Type of site and Services attributes on en.wikipedia.org, 11 services can be classified as social networks, 4 as messaging, 2 as music/streaming, and 2 as big tech. The remaining 10 services are classified as other as their respective types are unique among the 29 services.

Survey 2 consists of three blocks of questions: Sociodemographics and Existing Accounts (A), Data Export Experiences (B), and Data Transfer Scenarios (C).

Apart from basic sociodemographic questions, users are asked in block A at which of the 29 services they have an account (“On which of the following platforms do you have an account (even if you don’t actively use it)?”). After they have selected these services, two of them are selected at random for the data export task. Furthermore, two services are selected as hypothetical import candidates in block C of the survey: One from the set of services where they have an account and one from the set of services where they do not have an account.

The participants are then asked to export their personal data from the two selected services. Finding out how to request the export was a part of the task; we did not give the participants instructions on how to request a data export from the particular services. Like Facebook in survey 1, some services do not distinguish between the Right of Access and the Right to Data Portability or give the user the choice to select an export format that complies with one of the rights. While exporting data under the Right to Data Portability is possible for all services, we did not explicitly instruct users on which data format to select. Based on the service and the participants’ choices, they could either end up with an export that is compliant with the Right of Access, the Right to Data Portability, or both.

Participants are then instructed to press the “Pause the survey” button and to continue the survey after they have received both data exports or after more than 14 days have elapsed. Participants who report that they do not have accounts at two or more of the 29 possible services or that they could not successfully export their data from one or both services are given one or two sets of dummy data generated by us from real data exports. Participants are then asked to thoroughly inspect their data exports (or dummy datasets).

In block B, participants then reported their experiences with the data export (see Section 3.3.3).

Block C presents the participants with four hypothetical data transfer scenarios: From export service 1 to import service 1, from export service 2 to import service 1, from export service 1 to import service 2, and from export service 2 to import service 2. As described above, import service 1 is selected from the set of services where the user does have an account, while import service 2 is selected from the set of services where the user does not have an account. Data portability can both be used for switching to a new substitutional service as well as for transferring data to an existing account at a complementary service (Engels, 2016). The distinction between the scenarios allows us to gain insights regarding data transfer scenarios that users prefer as of today.

Finally, participants are asked to report their evaluation of the data transfer scenarios.

3.5. Analysis

In the experimental setting of survey 1, the effects of experiencing the Facebook data export on the three facets of privacy attitudes, behavioral control, and attitudes toward GDPR were tested with univariate ANOVAs, comparing expressed attitudes between participants with vs. without data export. The effects on privacy protection measures were tested using Welch’s t-test. As the measures for privacy attitudes, behavioral control, and privacy protection measures are based on established scales, statistical tests were performed on aggregated scales rather than single items. For GDPR attitudes, p-values were adjusted using the Bonferroni-Holm method to control for repeated testing.

While the primary focus of our analysis is quantitative, we complement our statistical insights with qualitative data. For this purpose, the two surveys contain a total of 22 free-text questions. They were separately coded by six of the authors based on Mayring’s method of qualitative content analysis, a well-established approach for systematizing large sets of qualitative data (Mayring, 1991). The coding scheme is available in the supplementary materials of this paper. To ensure reliability of the coding despite the large number of answers, for three questions, a random sample of 10% was double-coded. The inter-coder agreement was at 81%, 84%, and 90%.

3.6. Research ethics

With our survey design, we tried to minimize possible harm caused by the study on participants and online services. Receiving data export requests from over 1500 participants can cause a considerable amount of work for services that process GDPR requests by hand. Therefore, we made sure that for all services in the study, no interaction with customer support or data protection officers is required to make a request under Art. 20 GDPR. Furthermore, all services in the study answered our initial requests within seven days, further indicating that exports were generated automatically.

Our institution does not require ethics approval for questionnaire-based studies. However, when conducting the study and analyzing the data, we followed standard practices for ethical research, e.g., presenting detailed study procedures, obtaining consent, and allowing participants to leave the study at any time.

Participation in the study was voluntary. Participants were rewarded for their participation with a bonus code that could be redeemed as part of a series of grade bonus tasks in their university course. This code was not stored with the collected data. The only condition for receiving the reward was a completion of the survey. Participants who did not make a successful export request but inspected the dummy data instead received the reward as well. In order to make export requests, participants had to interact with online services, which might collect data whenever users are on their websites. Given that participants were only assigned services for a data export they reported to be using anyway, we believe that possible adverse effects are outweighed by the societal benefits of our study. Participants were always able to select the dummy data option. The research team never had access to any exported data from participants.

4. Results

4.1. Data export requests and data inspection (surveys 1&2)

In survey 1, 485 successful data exports from Facebook were reported, and in survey 2, 910 successful data exports from 29 online services were reported. Wherever data exports were not successful, participants were asked to inspect dummy data instead. Unless mentioned otherwise, the results include only the cases where exports were successful and, therefore, real data and not dummy data was inspected.

To answer RQ1 (How do users experience exporting their personal data from online services? How do they inspect the exported data?), we asked users about their approach to requesting and exporting their data and their means of inspecting the received data export.

4.1.1. Requesting the data export

When requesting a data export from Facebook, users can choose between HTML and JSON formats. While HTML is more convenient for users to inspect their data, JSON is more suitable for processing the exported data. 97% of participants selected HTML as export format, which suggests that they do not see a high utility in being able to further process the data or are not as familiar with the JSON format.

On a six-point Likert scale, the mean value for the difficulty of finding the option to trigger a data export on Facebook is 3.73, with 56% of users rating the difficulty as “rather easy” or better. 15% consulted the Facebook Help Center for information on how to find the export functionality, and 34% searched using a search engine. Finally, 28% of participants had to use a direct link to the functionality that was provided by us.

For the 29 online services in survey 2, the users found triggering the data exports mainly easy, with a mean on the Likert scale of 4.55 and 84% of users rating the difficulty as “rather easy” or better.

Overall, in survey 1, 81% of participants who have an account on Facebook reported that they were able to download their data from Facebook. In survey 2, the average success rate was 59%. Of the remaining 41%, 30% of participants reported that they could not find an option to trigger the data export, and 11% did not receive the export within 14 days. Comparing the 29 services yields a median success rate of 56%. The minimum success rate was 13%, the first quartile 33%, the third quartile 67%, and the maximum 100%.

4.1.2. Inspecting the data

After receiving the exported data, users were asked to inspect it and to report which means they were choosing to do so. Table 1 lists the inspection tools that were most frequently named in the participants’ text answers. Almost all users used the standard tools available on their computer for inspecting the data, i.e., the tools that launch upon a double click on the file (e.g., a web browser for HTML files). This causes problems for users when the service exports the files in a format that is not easily readable for humans, such as JSON. In these cases, a majority of users reported that they were not able to inspect the data. Only a small number of users tried to download tools like a JSON viewer to be able to open the exported files.

Table 1. Data inspection tools used by participants.

This observation indicates that while structured and machine-readable file formats make it easier to process the data automatically, they limit the possibilities for users to inspect them. Therefore, when giving the data to another online service, as intended by the Right to Data Portability, regular users only have limited control over the precise extent of shared data.

4.1.3. Export characteristics

After inspecting the data, users were asked to rate the exports. On a six-point Likert scale, the mean value for the comprehensibility of the Facebook data export is 4.11, with 76% of users rating it as “rather good” or better. The semantically related notion of clarity of the export is rated similarly, with a mean of 4.06, and 72% of users gave it a positive rating.

Asked for the completeness of the received data exports on both Facebook and the other online services, 70% of participants did not miss any data. Among the remaining 30%, 35% missed analytic data, e.g., regarding their preferences (“More of a classification or analysis of my music taste on which grounds tracks and playlists are recommended.”). 19% missed social content such as messages and chats or likes and dislikes. 11% expected more technical and usage data such as log-in times (“I expected information about my activity, something like how much I am using the app during the day […]”). Furthermore, 11% missed history data, such as their search history, and 8% expected to find a list of locations in the export that they thought the service should have tracked.

While the majority of participants could not list types of data they think are missing from the export, in 74% of the export cases, participants rather agree to the statement that the service stores more data on them than contained in the data export, with a mean on the Likert scale of 4.22. In the case of Facebook, the proportion of agreement is statistically significantly higher at 88% with a mean of 4.68 (t = 5.85, p < .001; Bonferroni-Holm adjusted).

Participants were further asked whether there was data contained in their export that they did not expect to find there. 42% of users answered that they did indeed find unexpected data in their exports. Content types that were most often reported as unexpected were payment details, location history, search history, and data on ads and interests of the user.

Finally, participants were asked whether they agreed with the statement that the service collects too much data about them. On a six-point Likert scale, 90% of participants chose “rather agree” or higher, with a mean of 4.89 in the case of Facebook. In the survey with 29 online services, 62% of participants agreed with the statement, with a mean of 3.91 (t = 12.44, p < .001; Bonferroni-Holm adjusted).

4.2. Effects on privacy-related attitudes (survey 1)

As described in Subsection 3.3.1, and in order to answer RQ2 (Does exporting and exploring data affect participants’ privacy-related attitudes, that is, their willingness to share information online, their perceived control over their data, their intention to use privacy-protecting measures and their evaluation of the GDPR?), study 1 measured the effects of being confronted with the Facebook data export on the privacy-related attitudes of users in a between-subjects experiment setting. Participants in the treatment group (T) were asked to answer questions on their privacy attitudes after requesting and inspecting their data exports, while participants in the control group (C) were asked these questions before the data export task.

4.2.1. Attitudes towards sharing data on Facebook

We find that participants who had exported their data report a slightly more skeptical attitude toward communicating personal information on Facebook (see footnote 3) (M = 3.130, SD = 0.802) than participants without prior export experience (M = 2.965, SD = 0.775, F(1;483) = 5.319, p = .0215, η² = 0.01).

No statistically significant difference, however, was found for giving identifying information (M = 3.286, SD = 0.789 for treatment vs. M = 3.210, SD = 0.772 for control group; F(1;483) = 1.148, p = .285, η² < 0.001) as well as the participants’ attitude toward restricting access to their Facebook profile (M = 4.860, SD = 0.760 for treatment vs. M = 4.746, SD = 0.864 for control group; F(1;483) = 2.376, p = .124, η² < 0.001).

We can, therefore, observe that being confronted with one’s data export from Facebook does have a statistically significant influence on users’ attitudes toward sharing data, but only regarding personal information, not regarding identifying information or restricting access to information.

4.2.2. Perceived control over data

Besides assessing privacy-related attitudes, we also asked participants whether they think that they are able to control the data stored about them. Figure 3 compares the results of the respective Likert scales for control and treatment groups. Especially in the control group, the participants’ perception of data control on Facebook is very negative, with disagreement rates of 80% to 92%. In the treatment group, i.e., after having exported their personal data, a majority of users agree to the statements “I have the necessary information to access and download the data Facebook stores about me.” (59%) and “It is easy for me to access and download the data Facebook stores about me.” (58%).

Figure 3. Statements on data control on Facebook (left: total disagreement in percent, right: total agreement in percent).

Analyzing the aggregated scale, we find users who exported data report statistically significantly higher perceived control over data (M = 3.029, SD = 0.903) than the control group without export (M = 2.355, SD = 0.887; F(1;483) = 68.72, p < .001).

We further wanted to know if actually making use of a GDPR right influences the participants’ opinions on whether the GDPR can give them more control over their personal data. Figure 4 gives an overview of the Likert scales for control and treatment groups. Participants, in general, hold a positive view of the GDPR, with agreement rates of 67% to 85% in the control group and 71% to 89% in the treatment group.

Figure 4. Statements on the GDPR (left: total disagreement in percent, right: total agreement in percent).

After adjusting the p values using the Bonferroni-Holm method, we find that the data export treatment has no statistically significant effect on the perception of the GDPR statements (all p values between 0.35 and 1.00).

4.2.3. Intentions for future Facebook usage (privacy protection measures)

Finally, we wanted to know if being confronted with the data being stored about them has an influence on how participants plan to use Facebook in the future and which privacy-protecting strategies they intend to employ. Therefore, we asked them binary questions on what they plan to do within the next weeks on Facebook in order to protect their privacy. Figures 5 and 6 give an overview of the answers in the control and treatment groups.

Figure 5. Intentions for future Facebook usage pt. 1 (left: disagreement in percent, right: agreement in percent).

Figure 6. Intentions for future Facebook usage pt. 2 (left: disagreement in percent, right: agreement in percent).

Overall, we find that users who exported data report a statistically significantly higher intention to use privacy protection measures (M = 1.333, SD = 0.260) than the control group without export (M = 1.293, SD = 0.241; t = −3.2715, df = 476.97, p = .001 for the aggregated scale). The observed effect sizes were small (Cohen’s d = −.30, with an absolute d between .20 and .50 to be interpreted as a small effect according to Cohen (1992)).

4.3. Data usage and transfer scenarios (survey 2)

To answer RQ3 (What import scenarios do users prefer? What type of data would they want to transfer to other services?), we asked participants for their preferred use cases and the types of data they would like to transfer to other services. We then compared feasible import scenarios.

4.3.1. Use cases for data exports

In our analysis, we find that 14% of participants doubt that their exported data from Facebook can be of any use (e.g., “It was interesting but not very useful to me,” “None, I would never had the idea to download it, if I didn’t have to do it for this survey,” “I didn’t find any of the data particularly useful, honestly.”).

The majority of users (86%) were able to identify an aspect of their data export that they found the most useful. As shown in Table 2, they attribute the highest usefulness to activity data (“The aspect that everything that has been posted or send can easily be accessible and is transparent.”), conversations (“The data about my message, because herewith I get transparency about my messaging history.”), and multimedia (“The most useful for me is the information on my playlists so that in case of an account migration I could take them with me or as an back-up.”).

Table 2. Data types perceived as most useful.

After inspecting the data export from Facebook, we asked participants what they would want to do with the data they kept from the export. At 48%, the largest group stated that they do not want to keep any data. 42% would save it on a storage medium at home. Only 2 out of 485 participants remarked that they would use the data for transferring to another network (before being specifically confronted with import scenarios).

We further asked participants which five categories of data from their Facebook data they found the most useful. Most often mentioned were profile information (273), security and login (272), messages (268), locations (251), and search history (237).

4.3.2. Transferring data to other services

When asked for the types of data from their exports they find the most useful for transferring to other services, data about music (tastes and habits) was mentioned most often by the participants. They find this data useful, in particular for getting better recommendations on the new platform, for exchanging interests with friends, or for transferring and sharing their music data with other apps like social networks.

Further mentioned was contact data from social networks and messaging services and the exchange of data between social networks in order to find their friends from other networks more easily.

In general, the participants displayed a largely negative attitude toward transferring their data to other services. The most common arguments against data transfers were a desire for privacy and security and a lack of trust regarding online services. 27% of participants mentioned that they do not want to share even more data with online services and that they would rather decrease the amount of data services hold about them. 23% of participants mentioned that they want to protect their personal data, and 10% explicitly stated that they do not trust the specific online service and that they do not want to give them access to their data for free. Furthermore, 19% of participants stated that they want to keep their online accounts separated and do not want to mix personal data.

However, when analyzing the hypothetical data transfer scenarios where participants were confronted with a potential data transfer to a service where they already have an account and a data transfer to a service where they do not have an account yet, we find a substantial difference between these scenarios. While 35% of participants rate a data transfer to a service with an existing account as “rather useful” or better (mean on Likert scale 2.40), only 18% do so for switching scenarios (mean on Likert scale 1.99; t = 4.86, p < 0.001). Overall, the usefulness across all scenarios is 27%.

It has to be noted that services were matched on a random basis; therefore, for some of the pairs, the participants mentioned that transferring data between these two services made no sense to them. We do, however, know from the content of data exports that all exports include basic personal data that could be used at all services, e.g., for the creation of user accounts without the need to enter this data. As our results show, such a transfer upon account creation is not seen as useful by the majority of participants.

We also asked participants about the types of data they would like to import when transferring data between the services. Table 3 lists the most commonly named types of data, with personal information (e.g., name, username, e-mail) and contacts/friends/followers being the most prevalent ones. Thus, while the majority of participants do not perceive data transfer upon account creation as useful, personal information is still the most relevant type of data for data transfers.

Table 3. Data types that participants would like to import.

5. Discussion

Our results indicate that users show an interest in exporting their personal data to inform themselves about the data online services store about them. The confrontation with their data even leads to a slight but statistically significant change in psychological privacy attitudes, i.e., their perusal makes them more concerned about psychological privacy.

However, apart from data exports, with Article 20, the GDPR also envisions data transfers between online services. In our results, we find that users, in many cases, do not consider data transfers to be a useful scenario. In the following subsections, we discuss the implications of our findings and possible limitations of our study and conclude with a brief summary and avenues for future research.

5.1. Interpretation and implications

In our study, we found hindrances in the data export and inspection process (RQ1), a more critical user attitude toward sharing personal information (RQ2), and a lack of perceived usefulness regarding transfer scenarios (RQ3). Our results have implications on the design of export and transfer mechanisms and, regarding privacy concerns, also on the design of PIMS in general.

5.1.1. Data export processes

While we had verified for all 29 services that data exports under Art. 20 GDPR could be executed by automated means, and within a timeframe of 7 days, our survey data yields large differences in export success rates between services, ranging from 13% to 100%. Thus, for some services, participants apparently experience problems in finding and identifying data export functions.

These numbers can be explained by the text answers where participants frequently describe the process of requesting their personal data, accessing their data, handling their data, and analyzing their data as unstructured and cumbersome. It is often left to the user to find out how to get their data and what to do with it. This is particularly true for services that only export data that is not directly human-readable. Average users are easily overwhelmed by the complexity of the data and, without further guidance, are not able to make use of their data exports.

One possible solution for this problem is offering interfaces where users can inspect their data on the services’ websites and make a preselection of what data they want to have exported. Privacy dashboards, as found at some services for the Right of Access (Raschke et al., 2018; Tolsdorf et al., 2021), could serve as an example of how the Right to Data Portability can be implemented in a more user-friendly and less complex way. Services could display a user’s personal data in a privacy dashboard (in compliance with Art. 15 GDPR) and allow a user to select which data to export, e.g., by clicking checkboxes next to each data category.
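As an added illustration of the category-level preselection suggested above and of the inspection problem reported in Section 4.1.2 (this is not code from the study or from any online service), the following Python example turns a JSON export into a readable per-category inventory and then builds a reduced export containing only the categories the user ticked. The export layout, the category key names, and all function names are assumptions made for this example; the sample data is constructed.

```python
import copy
import json

# Constructed sample export. The layout and key names are assumptions for this
# example and do not reproduce any real service's export schema.
SAMPLE_EXPORT = json.loads("""
{
  "profile_information": {"name": "Alex Example", "email": "alex@example.org"},
  "messages": [
    {"to": "Sam", "timestamp": 1580000000, "text": "See you at 8"},
    {"to": "Kim", "timestamp": 1580003600, "text": "Thanks!"}
  ],
  "search_history": [{"timestamp": 1580007200, "query": "train tickets"}],
  "location_history": [{"timestamp": 1580010800, "lat": 48.15, "lon": 11.57}],
  "payment_details": [{"card_last4": "0000", "added": 1570000000}],
  "ads_and_interests": {"topics": ["music", "travel"]}
}
""")

# Content types participants most often reported as unexpected (Section 4.1.3),
# mapped onto the hypothetical key names used above.
REVIEW_FIRST = {"payment_details", "location_history",
                "search_history", "ads_and_interests"}


def _leaf_fields(value, prefix=""):
    """Yield the dotted path of every leaf value below `value`."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _leaf_fields(child, f"{prefix}{key}.")
    elif isinstance(value, list):
        for item in value:
            yield from _leaf_fields(item, prefix)
    else:
        yield prefix.rstrip(".")


def inventory(export):
    """Summarize each top-level category: record count, field names, flag."""
    rows = []
    for category, value in export.items():
        rows.append({
            "category": category,
            "records": len(value) if isinstance(value, list) else 1,
            "fields": sorted({f for f in _leaf_fields(value) if f}),
            "review_first": category in REVIEW_FIRST,
        })
    return rows


def format_inventory(rows):
    """Render the inventory as plain text that opens in any text viewer."""
    lines = []
    for row in rows:
        mark = "!" if row["review_first"] else " "
        lines.append(f"{mark} {row['category']:<22} {row['records']:>4} record(s)  "
                     f"fields: {', '.join(row['fields'])}")
    return "\n".join(lines)


def select_for_transfer(export, selected):
    """Return (reduced export, withheld categories) for the ticked categories.

    An unknown category name raises KeyError so that a typo cannot silently
    change what is shared.
    """
    unknown = set(selected) - set(export)
    if unknown:
        raise KeyError(f"not in export: {sorted(unknown)}")
    subset = {c: copy.deepcopy(export[c]) for c in export if c in selected}
    withheld = [c for c in export if c not in selected]
    return subset, withheld


if __name__ == "__main__":
    print(format_inventory(inventory(SAMPLE_EXPORT)))
    subset, withheld = select_for_transfer(
        SAMPLE_EXPORT, {"profile_information", "messages"})
    print("to transfer:", list(subset))
    print("withheld:   ", withheld)
```

The reduced export is a deep copy, so the file handed to the importing service can be edited or serialized without touching the original download.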

5.1.2. Privacy implications for the design of PIMS

The finding that users exhibit a more critical attitude toward sharing personal information with service providers after exporting and exploring their data (RQ2) has several implications for the design of data export processes and PIMS:

It suggests that making use of the Right to Data Portability to export and manage data in a PIMS can serve as a privacy awareness intervention by supporting users in realizing the scope of data collected, thereby allowing them to make more informed privacy choices. At the same time, however, PIMS should also prevent this effect from getting too pronounced, i.e., users being overwhelmed and unsettled by being confronted with a large amount of data collected about them by various services. One approach to this may lie in curating data and offering management functions directly, thereby strengthening users’ privacy self-efficacy (i.e., their perception of their own ability to protect their privacy; Chen & Chen, 2015). In the current study, more skeptical attitudes toward data disclosure emerged after users had explored uncurated, “raw” data with their own tools (e.g., text editors), while in a previous study, for example, users of the curated Google MyActivity actually reported fewer privacy concerns after use (Farke et al., 2021). It, therefore, seems advisable to provide users’ data in full in a PIMS yet always offer direct options for managing it, deleting it from providers, or exerting influence in other ways.

Future research may address this, for example, by further analyzing how users’ privacy-related attitudes interact with different ways to import, manage, and release data and how an optimal balance between raising awareness about the scope of data processed and avoiding feelings of being overwhelmed by the data can be achieved.

5.1.3. Hindrances on the way to a functioning data transfer infrastructure

5.1.3.1. No trust in data security

Many participants displayed hesitance in making use of data transfer options due to lack of trust in the security of such transfers. When asked for arguments against transferring data, concerns about security and privacy are the second most common reason against data transfers (19%), behind a general lack of usefulness (64%).

Inspecting their exports, participants could observe that these exports contain sensitive personal information. Transferring data to other online services leads to increasing possible attack vectors by having sensitive data at multiple services and during the actual data transfer. Users understandably do not want to risk that their sensitive information becomes subject to a data breach. Complicated transfer procedures further increase the perceived risk of losing the data, e.g., by incorrectly executing the data transfer.

To mitigate risks and enhance user trust, services should offer homogeneous infrastructures where the user can comprehend what happens with the data and how to execute a data transfer securely. One possible candidate for such an infrastructure is the vision for the Data Transfer Project (Willard et al., 2018), which aims to streamline the process, decrease the effort for online services to participate, and offer users a uniform transfer experience across participating services. However, as of today, no comparable infrastructure is operable (Kranz et al., 2023).

5.1.3.2. Lack of perceived usefulness

As shown in Section “Data Usage and Transfer Scenarios,” a notable share of participants did not perceive their exported data as useful for any data transfer scenario. This can, in part, be explained by the differences between online services, e.g., a music streaming service may simply have no (immediately apparent) use for importing social media posts. However, data exports from each service contain basic personal information that could, for instance, be used to shorten the registration process on another service. More innovative scenarios could be explored, e.g., using social media posts (e.g., comments and multimedia content) to infer music taste and to make suitable recommendations on a different platform. Nevertheless, a majority of users do not envision such scenarios.

The lack of usefulness of exported data in the hypothetical data transfer scenarios can also be explained by the actual lack of import possibilities in the real world (Syrmoudis et al., 2021). Users are not used to being able to transfer their data between online services and thus are not able to imagine of what use such a transfer could be to them.

Furthermore, data exports feature a high degree of heterogeneity between online services when it comes to data format, scope, structure, and completeness (Syrmoudis et al., 2021; Wong & Henderson, 2019). This makes it more difficult to work with exported data for both online services, which have to develop separate import mechanisms for each service, and users who have to become accustomed to new formats and structures over and over again.

It is, therefore, upon the regulator to standardize data exports, e.g., by obligating services to develop standard formats, and upon online services to sensitize users to the opportunities of data transfers by implementing procedures that allow users to make further use of their exported data.

5.1.3.3. Lack of understanding

The text answers of participants further indicate that even after actually executing a user right of the GDPR, not all participants have fully understood the aims of the regulation and the possibilities it provides to users. The low awareness of the Right to Data Portability in the overall population (European Commission, 2019) is, therefore, also reflected in the exhibited understanding of the right by the survey participants. When asked what they could do with their data using the Right to Data Portability, many participants had no idea, and some of the participants described use cases that are not covered by Art. 20 GDPR (e.g., “I can hear my favorite music while doing sports via runtastic.” or “[…] maybe the seller of a car to play me music i liked when i bought his car.”).

The low understanding and knowledge of the Right to Data Portability implies that regulators need to make more efforts to inform users of the goals of the regulation and how to reach them.

5.2. Limitations

The participants of our surveys were mainly students in business administration and information systems who arguably are more technically literate and, due to their lower age, more open to new technologies than the general population. While these properties are negligible for the experimental part of the study, where participants have been randomly assigned to control and treatment groups, they may have an effect on the reported absolute results, like the perceived usefulness of transferring data from one provider to another. Here, the already low numbers likely still overestimate the perceived usefulness in the general population (see Luzsa and Mayr (2022) and Luzsa et al. (2022b) for analyses of inter-individual and sociodemographic differences in attitudes toward data portability and privacy).

As described in Subsection “Research Ethics,” we have only included services that offer automated means to execute the Right to Data Portability for ethical and practical reasons. While we do believe that for the main purposes of the Right of Access – informing users on the personal data stored about them – and the Right to Data Portability – transferring data between online services – users should not have to manually contact Data Protection Officers via e-mail, we cannot provide insights on the preferred request methods of users. It should be noted that for the Right of Access, Alizadeh et al. (2020) found that out of 13 households that requested their personal data from loyalty card providers, 11 found e-mail to be the most natural way of doing so.

Due to the service preselection, the share of services that are compliant with the provisions of Art. 15 GDPR and Art. 20 GDPR is likely higher than in the overall set of online services. Therefore, our measures of perceived usefulness may overestimate the true usefulness of the average data export.

As finding out how to trigger a data export was part of the survey, we did not instruct participants on how to make data export requests. Thus, in some cases, participants may not have triggered a full data export under Art. 15 or Art. 20 GDPR but instead have used a download portal that exports data in a way that does not fulfill the provisions of the GDPR. We have verified for each service that a download portal for requests under Art. 20 exists. However, in addition to regular GDPR requests, services may also offer download portals where users can request a limited export of their data. In our study, we accepted the risk of incomplete data exports in order to learn about the actual data export processes of the participants.

5.3. Concluding remarks and outlook

Empirical studies that have found low compliance of online services with the GDPR’s Right to Data Portability (Syrmoudis et al., 2021; Wong & Henderson, 2019) and other user rights (Kröger et al., 2020; Rupp et al., 2022) indicate that doing research which includes the actual execution of data rights (Ausloos & Veale, 2020) is an important component in making GDPR rights more effective as it informs both legislators and service providers of shortcomings in the current implementation. To address these shortcomings from a user perspective, we have asked 1545 study participants to make actual data export requests, which by far represents the largest investigation of its kind.

In our user studies on data export experiences and transfer scenarios, we find that participants find little use in transferring their personal data between online services. Interestingly, the use case considered most appealing is transferring the data to services with existing accounts. In contrast to the main notion of the Right to Data Portability, users therefore do not seek to use the right to switch to new online services but to have their data available at multiple, possibly complementary, online services.

In our survey design, we implemented indirect data transfer scenarios by letting users download their personal data first and (hypothetically) upload them to other online services afterward. While, as of today, this is the only feasible way of using the Right to Data Portability, this complicated process might have contributed to the low usefulness users attribute to their data exports. Future studies should, therefore, investigate how users would perceive direct data transfers where they do not have to serve as intermediaries between online services.

Regarding privacy-related attitudes, our results partially confirm the assumption that experiencing the export of one’s Facebook data increases awareness about privacy issues: Participants who had exported their data expressed a higher level of privacy attitudes and concerns about privacy; that is, they were more hesitant toward sharing personal data on Facebook. This may be explained as an effect of realizing the scope of data available and collected and of the wish to reduce and/or limit this scope in their future interaction with the platform. Depending on how strongly privacy-related attitudes are linked to actual privacy behavior (Bartsch & Dienlin, 2016; Spiekermann et al., 2001), it can be assumed that the confrontation with their Facebook data may make users also more likely to actually reduce the data shared on their profile. Our study offered initial insights showing that privacy-protective behaviors may indeed be affected. Future research might address this and examine the effects of data exports on actual behavior, for example, by letting participants create fictitious social media profiles after experiencing the data export or by letting them implement changes to their real Facebook profiles.

It must be noted that, despite the previously reported effects, the study found no impact of conducting a data export on social and informational privacy, that is, participants’ attitudes toward restricting other users’ access to their Facebook profiles. An explanation for this could be that the current study only focused on data export but did not instruct participants on how to actually change their privacy and visibility settings. Future studies and interventions should, therefore, combine awareness creation with strategies for increasing individuals’ privacy self-efficacy (Chen, 2018; Chen & Chen, 2015), that is, to teach them how to actually protect their privacy and thereby increase their self-perceived competence to do so.

Acknowledgments

We would like to thank the participants of our studies for contributing their time, the anonymous reviewers for their helpful feedback, and Johannes Pecher, Nikolay Terziyski, and Maximilian J. Frank for their valuable research assistance. Responsibility for the contents of this publication rests with the authors.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Supplemental data

Supplemental data for this article can be accessed online at https://doi.org/10.1080/07370024.2024.2325347.

Additional information

Funding

The work was supported by the Bayerisches Forschungsinstitut für Digitale Transformation (bidt).

Notes on contributors

Emmanuel Syrmoudis

Emmanuel Syrmoudis is a computer scientist with an interest in the effects of privacy regulation, particularly the GDPR’s Right to Data Portability, on users and online services; he is a research associate at the Chair of Cyber Trust in the TUM School of Computation, Information and Technology.

Robert Luzsa

Robert Luzsa is a psychologist and focuses on the interplay between technology, the individual and society, in particular online opinion formation, digital sovereignty and privacy as well as augmented reality in education; he is a post-doctoral researcher at the Chair of Psychology and Human-Machine Interaction at the University of Passau.

Yvonne Ehrlich

Yvonne Ehrlich, a graduate student in Management and Technology at the Technical University of Munich, is driven by empowering users through innovative solutions. Her research aims to enhance digital privacy and user control in the digital landscape.

Dennis Agidigbi

Dennis Osahon Agidigbi is a Management and Computer Science graduate from the Technical University of Munich and a former visiting student researcher at Stanford University. He is interested in technology and its impact on human behavior and business opportunities and conducted research at the intersection of entrepreneurship, venture capital, diversity, equity & inclusion (DEI) and education.

Kai Kirsch

Kai Kirsch is a graduate student in Management and Computer Science at the Technical University of Munich and an Honors Degree student in Technology Management at the Center for Digital Technology and Management; he is interested in digital technologies and how they can create new business opportunities.

Danny Rudolf

Danny Rudolf is a graduate student in Management & Technology at the TUM School of Management; he has a keen interest in cybersecurity, with a particular focus on consumer attitudes toward security in digital environments, as well as exploring the intersection of technology and sustainability.

Daniel Schlaeger

Daniel Schlaeger is a graduate in Management and Technology from the Technical University of Munich and Strategic Management from HEC Paris. His research aims to drive innovation and understanding within the dynamic interdisciplinary domain of business and technology.

Joelle Weber

Joelle Weber is a graduate student in Management & Technology with a major in finance and a technical focus on informatics at the TUM School of Management. Her interests revolve around privacy regulations, particularly focusing on data portability, and cybersecurity, with a specific emphasis on understanding consumer attitudes toward security in digital environments.

Jens Grossklags

Jens Grossklags is Professor of Cyber Trust in the School of Computation, Information and Technology at the Technical University of Munich. His research and teaching activities focus on interdisciplinary challenges in the areas of security, privacy and technology policy.

Notes

2 In 2021, one year after survey 1 was conducted, Facebook released its “Transfer a Copy of Your Information” tool. It allows users to directly transfer data to a small number of predefined services. However, as it does not offer to export data, the “Download your Information” tool is still the only compliant way to request data exports under the GDPR’s Right to Data Portability (Art. 20(1)).

3 In the scale used by Dienlin and Trepte (2015), there is no differentiation between communicating information to other users and communicating it to the online service.

References

  • Acquisti, A., Adjerid, I., Balebako, R., Brandimarte, L., Cranor, L. F., Komanduri, S., Leon, P. G., Sadeh, N., Schaub, F., Sleeper, M., Wang, Y., & Wilson, S. (2017). Nudges for privacy and security: Understanding and assisting users’ choices online. ACM Computing Surveys, 50(3), 41. https://doi.org/10.1145/3054926
  • Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179–211. https://doi.org/10.1016/0749-5978(91)90020-T
  • Alexa Internet Inc. (2020). The top 500 sites on the web.
  • Alizadeh, F., Jakobi, T., Boden, A., Stevens, G., & Boldt, J. (2020). GDPR reality check – Claiming and investigating personally identifiable data from companies. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Genoa, Italy (pp. 120–129).
  • Arias-Cabarcos, P., Khalili, S., & Strufe, T. (2023). ‘Surprised, shocked, worried’: User reactions to Facebook data collection from third parties. In Proceedings on Privacy Enhancing Technologies, 2023(1), 384–399. https://doi.org/10.56553/popets-2023-0023
  • Article 29 Data Protection Working Party. (2017). Guidelines on the right to data portability.
  • Attoresi, M., & Moraes, T. (2020). Personal information management systems. EDPS Techdispatch, European Union, (3). https://doi.org/10.2804/11274
  • Ausloos, J., & Veale, M. (2020). Researching with data rights. Technology and Regulation, 2020, 136–157. https://techreg.org/article/view/10991
  • Bangor, A., Kortum, P., & Miller, J. (2009). Determining what individual SUS scores mean: Adding an adjective rating scale. Journal of Usability Studies, 4(3), 114–123.
  • Barth, S., & de Jong, M. D. T. (2017). The privacy paradox – Investigating discrepancies between expressed privacy concerns and actual online behavior – A systematic literature review. Telematics and Informatics, 34(7), 1038–1058. https://doi.org/10.1016/j.tele.2017.04.013
  • Bartsch, M., & Dienlin, T. (2016). Control your Facebook: An analysis of online privacy literacy. Computers in Human Behavior, 56, 147–154. https://doi.org/10.1016/j.chb.2015.11.022
  • Baruh, L., Secinti, E., & Cemalcilar, Z. (2017). Online privacy concerns and privacy management: A meta-analytical review. Journal of Communication, 67(1), 26–53. https://doi.org/10.1111/jcom.12276
  • Bohner, G., & Dickel, N. (2011). Attitudes and attitude change. Annual Review of Psychology, 62(1), 391–417. https://doi.org/10.1146/annurev.psych.121208.131609
  • Bowyer, A., Holt, J., Go Jefferies, J., Wilson, R., Kirk, D., & David Smeddinck, J. (2022). Human-GDPR interaction: Practical experiences of accessing personal data. In Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems, 1–19. https://doi.org/10.1145/3491102.3501947
  • Carpenter, S., Zhu, F., Zeng, M., & Shreeves, M. (2017). Expert sources in warnings may reduce the extent of identity disclosure in cyber contexts. International Journal of Human–Computer Interaction, 33(3), 215–228. https://doi.org/10.1080/10447318.2016.1232909
  • Chen, H.-T. (2018). Revisiting the privacy paradox on social media with an extended privacy calculus model: The effect of privacy concerns, privacy self-efficacy, and social capital on privacy management. American Behavioral Scientist, 62(10), 1392–1412. https://doi.org/10.1177/0002764218792691
  • Chen, H.-T., & Chen, W. (2015). Couldn’t or wouldn’t? The influence of privacy concerns and self-efficacy in privacy management on privacy protection. Cyberpsychology, Behavior, and Social Networking, 18(1), 13–19. https://doi.org/10.1089/cyber.2014.0456
  • Council of European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • De Hert, P., Papakonstantinou, V., Malgieri, G., Beslay, L., & Sanchez, I. (2018). The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Computer Law & Security Review, 34(2), 193–203. https://doi.org/10.1016/j.clsr.2017.10.003
  • Dienlin, T., & Trepte, S. (2015). Is the privacy paradox a relic of the past? An in-depth analysis of privacy attitudes and privacy behaviors. European Journal of Social Psychology, 45(3), 285–297. https://doi.org/10.1002/ejsp.2049
  • Dincelli, E., & Chengalur-Smith, I. (2020). Choose your own training adventure: Designing a gamified SETA artefact for improving information security and privacy through interactive storytelling. European Journal of Information Systems, 29(6), 669–687. https://doi.org/10.1080/0960085X.2020.1797546
  • Dogruel, L. (2019). Privacy nudges as policy interventions: Comparing US and German media users’ evaluation of information privacy nudges. Information, Communication & Society, 22(8), 1080–1095. https://doi.org/10.1080/1369118X.2017.1403642
  • Eagly, A. H., & Chaiken, S. (1993). The psychology of attitudes. Harcourt Brace Jovanovich College Publishers.
  • Engels, B. (2016). Data portability among online platforms. Internet Policy Review, 5(2). https://doi.org/10.14763/2016.2.408
  • Epstein, D., & Quinn, K. (2020). Markers of online privacy marginalization: Empirical examination of socioeconomic disparities in social media privacy attitudes, literacy, and behavior. Social Media + Society, 6(2). https://doi.org/10.1177/2056305120916853
  • European Commission. (2019). Special Eurobarometer 487a.
  • Farke, F. M., Balash, D. G., Golla, M., Dürmuth, M., & Aviv, A. J. (2021). Are privacy dashboards good for end users? Evaluating user perceptions and reactions to Google’s my activity. 30th USENIX Security Symposium (USENIX Security 21), 483–500. https://www.usenix.org/conference/usenixsecurity21/presentation/farke
  • Farrell, J., & Klemperer, P. (2007). Coordination and lock-in: Competition with switching costs and network effects. Handbook of Industrial Organization, 3, 1967–2072. https://doi.org/10.1016/S1573-448X(06)03031-7
  • Golbeck, J., & Mauriello, M. L. (2016). User perception of Facebook app data access: A comparison of methods and privacy concerns. Future Internet, 8(4), 9. https://www.mdpi.com/1999-5903/8/2/9
  • Janssen, H., Cobbe, J., & Singh, J. (2020). Personal information management systems: A user-centric privacy utopia? Internet Policy Review, 9(4). https://doi.org/10.14763/2020.4.1536
  • Janssen, H., & Singh, J. (2022). Personal information management systems. Internet Policy Review, 11(2). https://doi.org/10.14763/2022.2.1659
  • Karegar, F., Pulls, T., & Fischer-Hübner, S. (2016). Visualizing exports of personal data by exercising the right of data portability in the data track – are people ready for this? In A. Lehmann, D. Whitehouse, S. Fischer-Hübner, L. Fritsch, & C. Raab (Eds.), Privacy and identity management. Facing up to next steps: 11th IFIP WG 9.2, 9.5, 9.6/11.7, 11.4, 11.6/SIG 9.2.2 international Summer school (pp. 164–181). Springer International Publishing. August 21–26, 2016 Revised Selected Papers
  • Kezer, M., Sevi, B., Cemalcilar, Z., & Baruh, L. (2016). Age differences in privacy attitudes, literacy and privacy management on Facebook. Cyberpsychology: Journal of Psychosocial Research on Cyberspace, 10(1). https://doi.org/10.5817/CP2016-1-2
  • Korir, M., Parkin, S., & Dunphy, P. (2022). An empirical study of a decentralized identity Wallet: Usability, security, and perspectives on user control. In Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022), 195–211. https://www.usenix.org/conference/soups2022/presentation/korir
  • Krämer, J. (2020). Personal data portability in the platform economy: Economic implications and policy recommendations. Journal of Competition Law & Economics, 17(2), 263–308. https://doi.org/10.1093/joclec/nhaa030
  • Krämer, J., Senellart, P., & de Streel, A. (2020). Making data portability more effective for the digital economy. Centre on Regulation in Europe (CERRE) Policy Report. https://cerre.eu/wp-content/uploads/2020/07/cerre_making_data_portability_more_effective_for_the_digital_economy_june2020.pdf
  • Kranz, J., Kuebler-Wachendorff, S., Syrmoudis, E., Grossklags, J., Mager, S., Luzsa, R., & Mayr, S. (2023). Data Portability. Business & Information Systems Engineering, 65(5), 597–607. https://doi.org/10.1007/s12599-023-00815-w
  • Kröger, J. L., Lindemann, J., & Herrmann, D. (2020). How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android apps. In Proceedings of the 15th International Conference on Availability, Reliability and Security, Virtual Event, Ireland.
  • Kuebler-Wachendorff, S., Luzsa, R., Kranz, J., Mager, S., Syrmoudis, E., Mayr, S., & Grossklags, J. (2021). The right to data portability: Conception, status quo, and future directions. Informatik Spektrum, 44(4), 264–272. https://doi.org/10.1007/s00287-021-01372-w
  • Luzsa, R., & Mayr, S. (2022). Links between online privacy fatigue, technology attitudes and sociodemographic factors in a German population sample. In Proceedings of Mensch und Computer 2022, 360–364. https://doi.org/10.1145/3543758.3547540
  • Luzsa, R., Mayr, S., Syrmoudis, E., Großklags, J., Kübler-Wachendorff, S., & Kranz, J. (2022a). Datenportabilität zwischen Online-Diensten. Nutzeranforderungen und Gestaltungsempfehlungen. Ergebnisse einer bevölkerungsrepräsentativen Befragung. [Data portability between online services. User requirements and recommendations for design. Results of a population-representative survey]. bidt Working Paper No. 5. https://doi.org/10.35067/bv16-2z31
  • Luzsa, R., Mayr, S., Syrmoudis, E., Grossklags, J., Kübler-Wachendorff, S., & Kranz, J. (2022b). Online service switching intentions and attitudes towards data portability – the role of technology-related attitudes and privacy. In Proceedings of Mensch und Computer 2022, 1–13. https://doi.org/10.1145/3543758.3543762
  • Mahieu, R. L., & Ausloos, J. (2020). Harnessing the collective potential of GDPR access rights: Towards an ecology of transparency. Internet Policy Review. https://policyreview.info/articles/news/harnessing-collective-potential-gdpr-access-rights-towards-ecology-transparency/1487
  • Marikyan, D., Papagiannidis, S., Rana, O. F., & Ranjan, R. (2023). General data protection regulation: A study on attitude and emotional empowerment. Behaviour & Information Technology, 1–17. https://doi.org/10.1080/0144929X.2023.2285341
  • Mayring, P. (1991). Qualitative inhaltsanalyse. In U. Flick, E. V. Kardoff, H. Keupp, L. V. Rosenstiel, & S. Wolff (Eds.), Handbuch qualitative Forschung: Grundlagen, Konzepte, Methoden und Anwendungen (pp. 209–213). Beltz – Psychologie Verlags Union.
  • Mazeh, I., & Shmueli, E. (2020). A personal data store approach for recommender systems: Enhancing privacy without sacrificing accuracy. Expert Systems with Applications, 139, 112858. https://doi.org/10.1016/j.eswa.2019.112858
  • Mortier, R., Haddadi, H., Henderson, T., McAuley, D., & Crowcroft, J. (2014). Human-data interaction: The human face of the data-driven society. SSRN Electronic Journal, arXiv preprint arXiv:1412.6159. https://doi.org/10.2139/ssrn.2508051
  • Petelka, J., Oreglia, E., Finn, M., & Srinivasan, J. (2022). Generating practices: Investigations into the double embedding of GDPR and data access policies. Proceedings of the ACM on Human-Computer Interaction, 6(CSCW2), 1–26. Article 518. https://doi.org/10.1145/3555631
  • Pins, D., Jakobi, T., Stevens, G., Alizadeh, F., & Krüger, J. (2022). Finding, getting and understanding: The user journey for the GDPR’s right to access. Behaviour & Information Technology, 41(10), 2174–2200. https://doi.org/10.1080/0144929X.2022.2074894
  • Raschke, P., Küpper, A., Drozd, O., & Kirrane, S. (2018). Designing a GDPR-Compliant and usable privacy dashboard. In M. Hansen, E. Kosta, I. Nai-Fovino, & S. Fischer-Hübner (Eds.), Privacy and identity management. The smart revolution: 12th IFIP WG 9.2, 9.5, 9.6/11.7, 11.6/SIG 9.2.2 international Summer school (pp. 221–236). Springer International Publishing, September 4–8, 2017. Revised Selected Papers. https://doi.org/10.1007/978-3-319-92925-5_14
  • Rupp, E., Syrmoudis, E., & Grossklags, J. (2022). Leave no data behind – Empirical insights into data erasure from online services. Proceedings on Privacy Enhancing Technologies, 2022(3), 437–455. https://doi.org/10.56553/popets-2022-0080
  • Saeri, A. K., Ogilvie, C., La Macchia, S. T., Smith, J. R., & Louis, W. R. (2014). Predicting Facebook users’ online privacy protection: Risk, trust, norm focus theory, and the theory of planned behavior. The Journal of Social Psychology, 154(4), 352–369. https://doi.org/10.1080/00224545.2014.914881
  • Singh, B. C., Carminati, B., & Ferrari, E. (2017). Learning privacy habits of PDS owners. In 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS), Atlanta, GA, USA (pp. 151–161).
  • Singh, B. C., Carminati, B., & Ferrari, E. (2021). Privacy-aware personal data storage (P-PDS): Learning how to protect user privacy from external applications. IEEE Transactions on Dependable and Secure Computing, 18(2), 889–903. https://doi.org/10.1109/TDSC.2019.2903802
  • Spiekermann, S., Grossklags, J., & Berendt, B. (2001). E-privacy in 2nd generation E-commerce: Privacy preferences versus actual behavior. In Proceedings of the 3rd ACM conference on Electronic Commerce, 38–47. https://doi.org/10.1145/501158.501163
  • Strycharz, J., Ausloos, J., & Helberger, N. (2020). Data protection or data frustration? Individual perceptions and attitudes towards the GDPR. European Data Protection Law Review, 6(3), 407–421. https://doi.org/10.21552/edpl/2020/3/10
  • Syrmoudis, E., Mager, S., Kuebler-Wachendorff, S., Pizzinini, P., Grossklags, J., & Kranz, J. (2021). Data portability between online services: An empirical analysis on the effectiveness of GDPR Art. 20. Proceedings on Privacy Enhancing Technologies, 2021(3), 351–372. https://doi.org/10.2478/popets-2021-0051
  • Tolsdorf, J., Fischer, M., & Lo Iacono, L. (2021). A case study on the implementation of the right of access in privacy dashboards. In Privacy Technologies and Policy: 9th Annual Privacy Forum, Oslo, Norway (pp. 23–46). https://doi.org/10.1007/978-3-030-76663-4_2
  • Urquhart, L., Sailaja, N., & McAuley, D. (2018). Realising the right to data portability for the domestic internet of things. Personal and Ubiquitous Computing, 22(2), 317–332. https://doi.org/10.1007/s00779-017-1069-2
  • Veys, S., Serrano, D., Stamos, M., Herman, M., Reitinger, N., Mazurek, M. L., & Ur, B. (2021). Pursuing usable and useful data downloads under GDPR/CCPA access rights via co-design. In Proceedings of the Seventeenth USENIX Conference on Usable Privacy and Security, Virtual Conference, Article 12.
  • Willard, B., Chavez, J., Fair, G., Levine, K., Lange, A., & Dickerson, J. (2018). Data transfer project: From theory to practice. https://services.google.com/fh/files/blogs/data-transfer-project-google-whitepaper-v4.pdf
  • Wohlfarth, M. (2019). Data portability on the Internet. Business & Information Systems Engineering, 61(5), 551–574. https://doi.org/10.1007/s12599-019-00580-9
  • Wong, J., & Henderson, T. (2019). The right to data portability in practice: Exploring the implications of the technologically neutral GDPR. International Data Privacy Law, 9(3), 173–191. https://doi.org/10.1093/idpl/ipz008