Ahead of the upcoming Brussels Internet & Telecom Seminar on data portability in Brussels, Inge Graef and Yuli Wahyuningtyas of the Interdisciplinary Centre for Law and ICT (ICRI) of the KU Leuven – University of Leuven will be curating a special series on the topic. In this first post of the series Inge Graef explains how data portability lies at the crossroads of competition and data protection policy.
In January 2012, the European Commission adopted a proposal for a General Data Protection Regulation that includes a new right to data portability which would enable data subjects to transfer their personal data “from one electronic processing system to and into another, without being prevented from doing so by the controller”. The review of the Commission’s proposal in the European Parliament that was concluded in March 2014 has led to the adoption of a number of amendments which substantially reduce the potential impact of the right to data portability.
The new right would not only give individuals more control over their personal data in the digital environment, but may also reduce lock-in by enabling users to switch easily between services. In this respect, the right to data portability has a competition law aspect. In the absence of a strong right to data portability under data protection law, competition law may play an increased role in facilitating data portability among online services.
Right to data portability
Article 18(2) of the Commission’s proposal gives gives users the right to transfer their personal data to another electronic processing system. This right goes a step further than the right of users to obtain a copy of personal data as contained in Article 18(1). The right to obtain a copy would, for instance, entitle social media users to obtain the data that they inserted in a particular social networking site in a format that can be easily used in another social networking platform. The right to data portability goes beyond the right to obtain a copy, since it requires controllers to transmit the data directly to another controller at the request of the data subject, and can be compared to number portability in switching between mobile providers. To use the example of social networks again, it would entitle a Facebook user to ask Facebook to transfer personal data directly to Google+, instead of downloading the data from Facebook him- or herself and upload it again to Google+.
While most social networking sites like Facebook and Google+ offer users the possibility to obtain a copy of their data, there are still considerable limits on the direct transfer of personal information to other platforms. In practice, users have to re-enter their profile information, photos, videos and other information manually in the new platform if they want to switch from one social network to another. The right to data portability would address this problem.
European Commission versus European Parliament
The European Parliament has merged the right to data portability with the right of access in Article 15(2a) of the draft legislation. While the principles underlying the right to data portability remain part of the amended proposal, the European Parliament has limited the scope of application of the new right. In the view of the European Parliament, the right to data portability should only apply where a direct transfer of personal data is “technically feasible and available”. Under the proposal submitted by the European Commission, the right to data portability would apply generally to all automated processing systems irrespective of whether transfer of data is already technically possible. The amendment of the European Parliament thus significantly tones down the potential impact of the right to data portability.
If the new right to data portability would be interpreted in such a way as to be applicable exclusively if a technical measure for direct transfer of data is already available, users would only be able to rely on it in very limited circumstances. This interpretation may even discourage controllers from developing standards, as the duty to transmit data only applies when this is technically feasible, thereby continuing to lock-in users.
Data portability and competition law
In a speech, the Commissioner for Competition stated that the proposed right to data portability “goes to the heart of competition policy” and that “customers should not be locked in to a particular company just because they once trusted them with their content”. It therefore cannot be excluded that the European Commission will also take action on the basis of competition law if a dominant firm does not allow users to take their data with them when switching services. The Google case confirms that portability can play a role in competition enforcement. One of the issues at stake in this case involves the limitations that Google allegedly imposes on the portability of advertising campaigns on its advertising platform AdWords. In this regard, the Commission is concerned that advertisers are locked-in to Google’s platform which may reduce competition in the market.
Depending on the factual circumstances, restrictions on data portability may qualify as abuse of dominance under Article 102 of the Treaty on the Functioning of the European Union (TFEU). In order to remedy abusive behaviour consisting of a lack of data portability, competition authorities could impose a duty on a dominant provider to enable users to transfer their data between services.
However, action on the basis of Article 102 of the TFEU can only be taken in case a dominant provider abuses its position by refusing to facilitate data portability. In contrast, the right to data portability in the General Data Protection Regulation would apply generally. No dominance or abuse will have to be established in order for data subjects to be able to move their data between services. Nevertheless, enforcement of data portability under competition law may gain in importance if the limited scope of application of the right to data portability as proposed by the European Parliament will be adopted in the final text of the Regulation.
This article gives the views of the author, and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics. A more extensive discussion of the issue is available on SSRN: Putting the Right to Data Portability into a Competition Law Perspective. The Brussels Internet & Telecom Seminar on data portability will take place on 29 April.
For GDPR, can you confirm if I am not EU citizen but visits EU as a tourist and gives my personal data to a Hotel, does GDPR still apply to the Hotel or not ? Are they accountable in line with GDPR to protect my data?
Yes, According to the fundamental rights Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’), Everyone has the right to the protection of personal data concerning him or her.
The data controller (Hotel) need the consent of the data subject (Mahesh Bhardwaj) to use the data for the specified purpose and they are accountable for that data according to GDPR.
I work for a web design agency and I have to say, implementing GDPR is turning into a bit of a nightmare. Whereas original EU cookie Law was pretty straightforward for Ma & Pa online businesses to run with, the sheer scope of exactly what is GDPR makes it hard for regular people to get a handle on.
If this could be explained in more simple terms – like, ”you need to beef up security, contact your list for reconfirmation, tweak your Ts & Cs and add a tickbox to your contact form” people wouldn’t be getting anywhere near as excited as they are.
For us, as a company with hundreds of existing clients – all in need of revamped forms, a new privacy policy page and a list snooping plugins, this is a bit of a nightmare…