In the final post in the Data Portability Series curated by our colleagues at the Interdisciplinary Centre for Law and ICT (ICRI) of the KU Leuven – University of Leuven, Yuli Wahyuningtyas argues that there are more aspects of data portability that need to be considered before the adoption of the proposal currently on the EU’s table.
Art. 15(2a) of the Proposal for the European General Data Protection Regulation (GDPR), as amended by the European Parliament in March 2014, introduced the right to data portability alongside the right to access for online platform users. The Brussels Internet & Telecom Seminar last week sought to shed some light on how the right to data portability may enhance consumer control over their personal data, redress consumer lock-in and thereby, lower entry barriers and promote competition. The seminar also raised issues that should be considered before the adoption of the Proposal.
‘Personal data’ subject to the right to data portability
In the silence of clarification on the GDPR Proposal, in which data is subject to the right to data portability, it may be possible that the term ‘personal data’ in the right to data portability should only refer to data that is intentionally created and uploaded by an individual user to a certain online platform. Thus, it does not include data generated by the online platform from observing and analyzing the behavior of the user on the platform, although such data can also be considered ‘personal data’. In this sense, the scope of data covered by the right to data portability is narrower than personal data defined in Art. 2 lit. (a) of the Directive 95/46/EC as ‘any information relating to an identified or identifiable natural person (data subject)’.
Aspects covered by the right to data portability
The right to data portability encompasses two aspects: the right to obtain copies of data and the right to transfer the data. The right to copy data entails, first of all, certain technical formats that will allow further use of the data by the user (data subject). Second, it requires security measures in order to ensure confidentiality, data integrity (no tampering or changes), and availability. Third, it needs a clear scope of the type of data and to which extent an individual user can get a copy.
The right to transfer data should entail the right to data removal from the first platform, when the user does not wish to use the platform simultaneously with any other platform (multihoming). For this purpose, there should be a clear policy of the service provider on how to handle the data made available for the user and certain technical tools that will allow user to give consent or to refuse the policy of the data handling.
Data portability also raises technical issues for interoperability. Technical constraints may appear on the level of the interoperability of data and communication that covers the problems of data format, e.g. *.doc, *.dot, and interfaces and protocols problems, e.g. for synchronization of data. There will be also technical constraints in the execution level with respect to functionality and platform support. One way to deal with these issues is by setting standards that could be implemented by all online platforms. In this part, competition law analysis may be relevant in cases where standard setting involves an agreement that restraints competition prohibited in Article 101(1) TFEU.
The right to data portability, consumer lock-in, and incentives to compete
Data portability will set users free from being ‘imprisoned’ in a platform. In other words, it will reduce user lock-in. From industry’s viewpoint, data portability will result in easiness for online platforms to obtain users and thus, will reduce entry barriers for new online platforms and be useful to keep multi players in the market. The result can be at least two-fold. First of all, because an online platform is usually offered for the users for zero price, there will be no (or at least no significant) price competition in the market. As a result, online platforms will have to compete in innovation for better quality of services. Second, since unhappy users will be able to easily switch to any other online platform, data portability could provide incentives for online platforms to treat user data in more respectful manners.
Keeping in mind that multi-sided platform are a common business model of online platforms, it is also important to emphasize that user data is not an exchange or payment of using services for zero price. Thus, using a service for no price shall not impair user’s rights to their data.
There is disagreement on whether regulatory intervention is necessary for data portability instead of leaving it to technology to do the job. This argument shifts to the question of how competition law can play a role in fast moving markets, like ICT. There are problems with relying solely on competition law in this matter, because of its time frame (it takes a considerably long time to settle competition law cases) and it takes case by case approaches instead of providing ex-ante rules. Thus, sector specific regulation may still play a key role in the market.
Nevertheless, critics consider the GDPR Proposal too ambitious and unclear with words and terms that may create interpretation problems, either too narrow or too broad. For instance, the general obligation imposed to all companies may create too heavy a burden for small business, while there is no balancing opportunity for efficiency. The clause ‘where technically feasible and available’ for direct transfer of user data between online platforms is too vague and may weaken the incentives for companies to enable data portability. Recital 55 that encourages data controllers to develop interoperable formats to enable data portability seems to shift the burden to industries to come up with technical solutions for data portability.
Although progress has been made, some homework remains on data portability that should be taken into account before the adoption of the GDPR Proposal.
This article gives the views of the author, and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics