Published online by Cambridge University Press: 06 March 2019
The right to data portability (RtDP) introduced by Article 20 of the General Data Protection Regulation (GDPR) forms a regulatory innovation within EU law. The RtDP provides data subjects with the possibility to transfer personal data among data controllers, but has an impact beyond data protection. In particular, the RtDP facilitates the reuse of personal data that private companies hold by establishing a general-purpose control mechanism of horizontal application. Article 20 of the GDPR is agnostic about the type of use that follows from the ported data and its further diffusion. We argue that the RtDP does not fit well with the fundamental rights nature of data protection law, and should instead be seen as a new regulatory tool in EU law that aims to stimulate competition and innovation in data-driven markets.
What remains unclear is the extent to which the RtDP will be limited in its aspirations where intellectual property rights of current data holders—such as copyright, trade secrets and sui generis database rights—cause the regimes to clash. In such cases, a reconciliation of the interests might particularly confine the follow-on use of ported data again to specific set of socially justifiable purposes, possibly with schemes of fair remuneration. Despite these uncertainties, the RtDP is already being replicated in other fields, namely consumer protection law and the regulation of non-personal data. Competition law can also facilitate portability of data, but only for purpose-specific goals with the aim of addressing anticompetitive behavior.
We conclude that to the extent that other regimes will try to replicate the RtDP, they should closely consider the nature of the resulting control and its breadth and impact on incentives to innovate. In any case, the creation of data portability regimes should not become an end in itself. With an increasing number of instruments, orchestrating the consistency of legal regimes within the Digital Single Market and their mutual interplay should become an equally important concern.
1 Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions on a Digital Single Market Strategy for Europe 14, COM (2015) 192 final (May 6, 2015).Google Scholar
2 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Building a European Data Economy, COM (2017) 9 final (Jan. 10, 2017).Google Scholar
3 Commission Staff Working Document on the Free Flow of Data and Emerging Issues of the European Data Economy, Accompanying the Document Communication Building a European Data Economy 46, SWD (2017) 2 final (Jan. 10, 2017).Google Scholar
4 Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) (EU) [hereinafter GDPR].Google Scholar
5 See id. art. 4(1) (defining a data subject as “an identified or identifiable natural person” and specifying that an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person … .) In this article, the terms “data subject,” “individual,” “consumer,” and “user” will be used interchangeably.Google Scholar
6 Id. art. 4(7).Google Scholar
7 Id. art. 99.Google Scholar
8 See Directive 2002/22/EC of the European Parliament and of the Council of March 7, 2002 on Universal Service and the Rights of Users Relating to Electronic Communications Networks and Services (Universal Service Directive), 2002 O.J. (L 108) 51, as amended by Directive 2009/136/EC of the European Parliament and of the Council of November 25, 2009, 2009 O.J. (L 337) 11 (stating that under Art. 30 of the Universal Service Directive, porting of telephone numbers and their subsequent activation has to take place against a cost-oriented price and within the shortest possible time which is interpreted as maximum one working day); see also Directive 2015/2366 of the European Parliament and of the Council of November 25, 2015 on Payment Services in the Internal Market, 2015 O.J. (L 337) 35 (EU) (stating that under Art. 66 and 67 of the Payment Services Directive 2 to be implemented in national law by January 13, 2018, third party providers are able to access a customer's payment account information on the customer's request in order to provide payment initiation or account information services).Google Scholar
9 Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data, COM (2012) 11 final (Jan. 25, 2012).Google Scholar
10 Commission Staff Working Paper Impact Assessment Accompanying the Document Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data (General Data Protection Regulation) and the Directive of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of such Data, at 43, SEC (2012) 72 final [hereinafter Impact Assessment].Google Scholar
11 Resolution on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), Eur. Parl. Doc. P7_TA(2014)0212 (2014) http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0212.Google Scholar
12 See GDPR, supra note 4, art. 20.Google Scholar
13 Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COD (2014) 10614/14 (June 6, 2014) 3 n.1.Google Scholar
14 WP29 is composed of the following parties: a representative from the National Data Protection Authority of each EU Member State; a representative of the European Data Protection Supervisor (the independent supervisory authority that is responsible for ensuring that all EU institutions and bodies respect people's right to personal data protection and privacy when processing their personal data); and a representative of the European Commission.Google Scholar
15 Art. 29 Data Protection Working Party, Guidelines on the Right to Data Portability, 16/EN WP 242 (Dec. 13, 2016).Google Scholar
16 Art. 29 Data Protection Working Party, Guidelines on the Right to Data Portability, 16/EN WP 242 rev.01 (Apr. 5, 2017) [hereinafter WP29].Google Scholar
17 See, e.g., GDPR, supra note 4, art. 99(2).Google Scholar
18 WP29, supra note 16, at 4 n.1 (emphasis added).Google Scholar
19 Impact Assessment, supra note 10, at 62.Google Scholar
20 Impact Assessment, supra note 10.Google Scholar
21 See EU Network of Independent Experts on Fundamental Rights Commentary of the Charter of Fundamental Rights of the European Union, at 95 (June 2006), http://ec.europa.eu/justice/fundamental-rights/document/index_en.htm (stating, namely, that secondary legislation is adopted to give effect to the fundamental right to data protection, and that “the protection of personal data shall be exercised in accordance with the conditions and limits defined by the measures adopted to give effect to it.”).Google Scholar
22 See GDPR, supra note 4, art. 5(1) (a), (b) (featuring a parallel structure).Google Scholar
23 See id. at art. 6, 9.Google Scholar
24 See id.at art. 15.Google Scholar
25 See id. at art. 19.Google Scholar
26 See generally id. at art. 51.Google Scholar
27 See Charter of Fundamental Rights of the European Union, 2012/C 326/02, art. 8(2), 2012 O.J. (C 326) 391 (“Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”).Google Scholar
28 See GDPR, supra note 4, art 15(1), (3).Google Scholar
29 See id. at art 20(1).Google Scholar
30 See discussion infra Section C.II. on the notion of provided data.Google Scholar
31 See GDPR, supra note 4, art. 20(1)(b).Google Scholar
32 See id. at art. 6(1)(a), 9(2)(a).Google Scholar
33 See id. at art. 6(1)(b).Google Scholar
34 But see Lynskey, Orla, Aligning Data Protection Rights with Competition Law Remedies? The GDPR Right to Data Portability, 42(6) Eur. L. Rev. 793, 809–10 (2017) (claiming that the right to data portability “sits coherently within the data protection regime” because it promotes individual control over personal data by enhancing informational self-determination as “a central objective of the EU data protection regime.”).Google Scholar
35 See, e.g., Rubinstein, Ira, Big Data: The End of Privacy or a New Beginning?, 3 Int'l Data Privacy L., 74–87 (2013); see also Peter Swire & Yianni Lagos, Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique, 72 Md. L. Rev. 335, 373 (2013); Paul De Hert et al., The Right to Data Portability in the GDPR: Towards User-Centric Interoperability of Digital Services, 34 Comput. L. & Sec. Rev. 193, 201 (2018).Google Scholar
36 Rubinstein, supra note 35, at 84.Google Scholar
37 Nadezhda Purtova, Property Rights in Personal Data: a European Perspective 57 (2011).Google Scholar
38 Id. at 86–88; but see Elinor Ostrom & Charlotte Hess, Private and Common Property Rights, in 5 Prop. L. & Econ. 53, 59 (Boudewijn Bouckaert ed., 2010) (“Property-rights systems that do not contain the right of alienation are considered to be ill-defined.”).Google Scholar
39 WP29, supra note 16, at 7.Google Scholar
40 Drexl, Josef, Designing Competitive Markets for Industrial Data — Between Propertisation and Access, 8 JIPITEC 257, 286, para. 155 (2017).Google Scholar
41 WP29, supra note 16, at 4 n.1 (emphasis added).Google Scholar
42 Id. at 5.Google Scholar
43 Id. at 4, 14.Google Scholar
44 Id. at 15.Google Scholar
45 See generally WP29, supra note 16.Google Scholar
46 Koops, Bert-Jaap, The Trouble with European Data Protection Law, 4 Int'l Data Privacy L., 250–61 (2014).Google Scholar
47 See GDPR, supra note 4, art. 6(1)(a), 9(2)(a) (specifying this point for special categories of data).Google Scholar
48 See id. Google Scholar
49 Cuijpers, Colette et al., Data Protection Reform and the Internet: The Draft Data Protection Regulation, in Research Handbook on EU Internet Law 543, 558 (Andrej Savin & Jan Tzarkowski eds., 2014).Google Scholar
50 See GDPR, supra note 4, art. 6(1)(f).Google Scholar
51 Directive 2003/98/EC of the European Parliament and of the Council of November 17, 2003 on the Re-Use of Public Sector information 2003 O.J. (L 345) 90, last amended by Directive 2013/37/EU of the European Parliament and of the Council of June 26, 2013 2013 O.J. (L 175) 1 [hereinafter PSI Directive] (stating that the amendments are in effect from July 18, 2015).Google Scholar
52 PSI Directive, supra note 51, at art. 4; but see id. at recital 8, 9 of the preamble (explaining that article 4 does not apply if access is, for instance, restricted or excluded under national access rules and due to third-party interests).Google Scholar
53 See CJEU, Joined Cases C-141/12 and C- 372/12, YS et al. v. Minister of Immigration, Integration and Asylum, ECLI:EU:C:2014:2081, Judgement of July 17, 2014 (concerning the relationship between data protection rights and the right to access to documents).Google Scholar
54 WP29, supra note 16, at 8 n.16.Google Scholar
55 Id. (referring to the relevant pages of WP29, “Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC,” April 9, 2014, WP217).Google Scholar
56 See, e.g., Nadezhda Purtova, The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law, 10 Law, Innovation & Tech. 40–81 (2018) (discussing the broad notion of personal data).Google Scholar
57 See GDPR, supra note 4, art. 4(5).Google Scholar
58 See also De Hert et al., supra note 35, at 202 (distinguishing between a restrictive and an extensive approach to data portability).Google Scholar
59 WP29, supra note 16, at 10.Google Scholar
60 Id. Google Scholar
61 Id. at 10 n.21.Google Scholar
62 Id. Google Scholar
63 Id. at 10.Google Scholar
64 Org. for Econ. Co-operation and Dev. [OECD], Summary of the OECD Privacy Expert Roundtable on Protecting Privacy in a Data-driven Economy: Taking Stock of Current Thinking 5 (Mar. 21, 2014), http://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=dsti/iccp/reg(2014)3&doclanguage=en; see also World Econ. Forum, Rethinking Personal Data: A New Lens for Strengthening Trust 5 (May 2014) http://www3.weforum.org/docs/WEF_RethinkingPersonalData_ANewLens_Report_2014.pdf.Google Scholar
65 OECD, supra note 64, at 5.Google Scholar
66 Id. Google Scholar
67 See WP29, supra note 16 (devoting substantial attention to how data protection rights of other data subjects should be respected when portable data concerns data subjects other than the one invoking the RtDP—think of the contact lists or email recipients).Google Scholar
68 Id. at 12.Google Scholar
69 Id. at 18.Google Scholar
70 Id. at 12.Google Scholar
71 See GDPR, supra note 4, at recital 63 of the preamble (emphasis added).Google Scholar
72 WP29, supra note 16, at 12.Google Scholar
73 Id. Google Scholar
74 In the area of data-enabled innovation, the state could offer prizes or research grants to facilitate or speed-up certain types of innovations.Google Scholar
75 Public Sector Information (PSI) is an area where the state actively promotes reuse of data which is produced by the governments and its agencies. PSI policies—see the PSI Directive—are meant to spur broader availability of such data. This is supporting supply of information for data applications—such as travel navigators.Google Scholar
76 See Directive 2001/29/EC, of the European Parliament and of the Council of May 22, 2001 on the Harmonisation of Certain Aspects of Copyright and Related Rights in the Information Society, 2001 O.J. (L 167) 10 [hereinafter InfoSoc Directive]; see also CJEU, Case C-5/08, Infopaq Int'l A/S v. Danske Dagblades Forening, ECLI:EU:C:2009:465, Judgement of July 16, 2009.Google Scholar
77 See Directive 96/9/EC, of the European Parliament and of the Council of March 11, 1996 on the Legal Protection of Databases 1996 O.J. (L 77) 20 [hereinafter Database Directive]; see also CJEU, Case C-203/02, British Horseracing Board Ltd. V. William Hill Organization Ltd., ECLI:EU:C:2004:695, Judgement of November 9, 2004.Google Scholar
78 See BGH, Dec. 1, 2010, I ZR 196/08, https://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=en&sid=ddaeb8a77db54f5f3e77f66c04e774ff&nr=56329&pos=0&anz=1 (explaining that the German Federal Court of Justice accepted the amount of 4,000 EUR as sufficient); see also, Martin Husovec, The End of (Meta) Search Engines in Europe?, 14 Chi.-Kent J. of Intell. Prop. 145, 145–72 (2014) (discussing the different thresholds across the EU).Google Scholar
79 Directive 2016/943, of the European Parliament and of the Council of June 8, 2016 on the Protection of Undisclosed Know-How and Business Information (Trade Secrets) Against Their Unlawful Acquisition, Use, and Disclosure, 2016 O.J. (L 157) 1 [hereinafter Trade Secret Directive].Google Scholar
80 See InfoSoc Directive, supra note 76, art. 2, 3.Google Scholar
81 See Database Directive, supra note 77, art. 7.Google Scholar
82 See Trade Secret Directive, supra note 79, art. 4(2).Google Scholar
83 See generally Herbert Zech, Information als Schutzgegenstand (2012); see also Herbert Zech, Information as Property, 6 JIPITEC, 192 (2015).Google Scholar
84 At the moment, there is an ongoing policy debate and a lot of academic interest in ownership of data discussing who owns data, when and whether we need to introduce new exclusive rights, such as a right of data producers. See European Commission, Legal Study on Ownership and Access to Data, SMART No. 2016/0085 (2016); see also Anette Gärtner & Kate Brimsted, Let's Talk About Data Ownership, 39 Eur. Intell. Prop. Rev., 461, 461–66; see also Daria Kim, No One's Ownership as the Status Quo and a Possible Way Forward: A Note on the Public Consultation on Building a European Data Economy, 13 J. of Intell. Prop. L. & Prac., 154 (2017).Google Scholar
85 It might still invoke, however, a right to conduct business. See GDPR, supra note 4, art. 20(4). Such objections are probably less likely to be persuasive than ones backed with existing IP rights. This is because any ownership of this information is not a result of legal allocation by means of exclusive rights, but only a mere consequence of the service's set-up, such as its technological design coupled with market power leveraged through contract law. The grey area between IP-encumbered and IP-free data might be information which are not covered by any exclusive rights but can be protected against misappropriation through unfair competition laws. Unless such tortious claims qualify for protection as a form “intellectual property” under Art. 17(2) of the Charter, they might be taken into account only within a right to conduct a business. Today, such doctrines are not harmonized on the EU level, and differ greatly across the countries. See Ansgar Ohly, Interfaces Between Trade Mark Protection and Unfair Competition Law: Confusion About Confusion and Misconceptions About Misappropriation?, in Intellectual Property, Unfair Competition and Publicity: Convergences and Development 33 (Nari Lee et al. eds., 2014); see also Dirk Visser, Misrepresentation and Misappropriation: Two Common Principles or Common ‘Basic Moral Feelings’ of Intellectual Property and Unfair Competition Law, in Common Principles of European Intellectual Property Law 247, 247–54 (Ansgar Ohly ed., 2012).Google Scholar
86 WP29, supra note 16, at 12.Google Scholar
87 See Technomed Ltd. v. Bluecrest Health Screening Ltd. [2017] EWHC (Ch) 2142 [75].Google Scholar
88 See GDPR, supra note 4, art. 20(1).Google Scholar
89 See Husovec, Martin, Trademark Use Doctrine in the European Union and Japan, 21 Marq. Intell. Prop. L. Rev. 1 (2017) (explaining that in trademark law, “adverse effect” has its use in the area of trademark functions).Google Scholar
90 See Jaeger, Till, Legal Opinion – Legal Aspects of European Electricity Data, JBB Rechtsanwälte (2017), https://open-power-system-data.org/legal-opinion.pdf (discussing the limits on follow-on use of energy data).Google Scholar
91 See WP29, supra note 16, at 4 (“The new right to data portability aims to empower data subjects regarding their own personal data, as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another.”).Google Scholar
92 At the moment, an exclusive licensee seems like a rare model. Many services take a non-exclusive license with a possibility to sub-license. See Steven Hetcher, User-Generated Content and the Future of Copyright: Part Two -Agreements Between Users and Mega-Sites, 24 Santa Clara High Tech. L. J. 829, 847 (2008) (discussing Facebook's Terms of Service); Terms of Service, Facebook (Apr. 19, 2018), https://www.facebook.com/terms.php; see also TripAdvisor Widget Terms of Use, TripAdvisor (Sept. 2017), https://www.tripadvisor.com/pages/widget_terms.html; Terms of Service, Airbnb (Apr. 16, 2018), https://www.airbnb.com/terms; Twitter Terms of Service, Twitter (May 25, 2018), https://twitter.com/en/tos; Terms of Service, YouTube (May 25, 2018), https://www.youtube.com/static?template=terms&gl=US. Sometimes, however, the borderline between the user's and site's content can be murky.Google Scholar
93 For simplicity, assume a safe harbor scenario, such as the application of art. 14 of the E-Commerce Directive.Google Scholar
94 See InfoSoc Directive, supra note 76, art. 5.Google Scholar
95 As an illustration, Facebook has already invoked trade secret protection as a justification for not disclosing all personal data in response to an access request of an individual user. The social network provider claimed that one of the sections of the Irish Data Protection Acts, to which Facebook is subject because its international headquarters are in Ireland, “carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property.” See Email from Facebook to Max Schrems, (Sept. 28 2011), http://www.europe-v-facebook.org/FB_E-Mails_28_9_11.pdf.Google Scholar
96 See Trade Secret Directive, supra note 79, art. 2(1).Google Scholar
97 In IP scholarship, there is lively debate about whether trade secrets are a form of “intellectual property.” See Lionel Bentley, Trade Secrets: “Intellectual Property” but not “Property?”, in Concepts of Property in Intellectual Property Law 60 (Helena Howe & Jonathan Griffiths eds., 2013) (arguing that they are predominantly being accepted as “intellectual property,” but not “property”).Google Scholar
98 See Trade Secret Directive, supra note 79, art. 3.Google Scholar
99 See supra Section C.II.Google Scholar
100 See Trade Secret Directive, supra note 79, art. 2(1)(a).Google Scholar
101 See id. Google Scholar
102 See also Bentley, supra note 97, at 77 (discussing the Veolia case and whether disclosure would be in conflict with Article 8 ECHR or Article 1 of the First Protocol of the ECHR).Google Scholar
103 See GDPR, supra note 4, art. 15(3) (“For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.”).Google Scholar
104 See generally JRC Science and Policy Report on Fair, Reasonable and Non-Discriminatory (FRAND) Licensing Terms, (2015), http://is.jrc.ec.europa.eu/pages/ISG/EURIPIDIS/documents/05.FRANDreport.pdf.Google Scholar
105 Inge Graef & Martin Husovec, Response to the Public Consultation on “Building a European Data Economy,“ Tilburg Law School Research Paper Series No. 10/2017 (Apr. 25, 2017) (discussing this trade-off between short term and long term).Google Scholar
106 Examples include private levies for private reproduction, licensing through collective management organizations, FRAND-licensing in the area of standardization, compulsory licensing, etc.Google Scholar
107 See Drexl, supra note 40; see also P. Bernt Hugenholtz, Something Completely Different: Europe's Sui Generis Database Right, in The Internet and the Emerging Importance of New Forms of Intellectual Property (Susy Frankel & Daniel Gervais eds., 2016); Wolfgang Kerber, A New (Intellectual) Property Right for Non-Personal Data? An Economic Analysis, GRUR Int. 989, 989–98 (2016); Husovec, supra note 78, at 145–72.Google Scholar
108 See Husovec, supra note 78, at 145–72 (discussing this aspect in the context of database sui generis right).Google Scholar
109 CJEU, Case C-170/13, Huawei Technologies Co. v. ZTE Corp., ECLI:EU:C:2015:477, Judgement of July 16, 2015.Google Scholar
110 WP29, supra note 16, at 3.Google Scholar
111 See also Lynskey, supra note 34, at 804–06.Google Scholar
112 See Swire & Lagos, supra note 35, at 352; see also Legal Memo with Respect to the Article 29 Guidelines on the Right to Data Portability, European Telecommunications Network Operators’ Association 8–9, (Feb. 16, 2017) https://etno.eu/datas/positions-papers/2017/170131%20ETNO_Data%20Portability_Memo/170131%20ETNO_Data%20Portability_Memo.pdf [hereinafter ETNO Memo] (arguing that the interpretation of the RtDP as put forward by WP29—namely that the concept of data “provided by the data subject” includes not only data actively and knowingly inserted by a data subject, but also data obtained by observing the behavior of a data subject—places a disproportionate obligation on telecom operators which are already subject to portability duties under the EU framework for electronic communications).Google Scholar
113 See Accessing & Downloading Your Information, Facebook (2018) https://www.facebook.com/help/131112897028467; see also Download Your Data, Google, https://takeout.google.com/settings/takeout; see also Introducing Data Transfer Project: an open source platform promoting universal data portability, Google Open Source Blog (Jul. 20, 2018), https://opensource.googleblog.com/2018/07/introducing-data-transfer-project.html (stating that in July 2018, Google Facebook, Microsoft and Twitter announced the Data Transfer Project which is “an open source initiative dedicated to developing tools that will enable consumers to transfer their data directly from one service to another, without needing to download and re-upload it.”).Google Scholar
114 See ETNO Memo, supra note 112, at 7–8.Google Scholar
115 See Vanberg, Aysem Diker & Ünver, Mehmet Bilal, The Right to Data Portability in the GDPR and EU Competition Law: Odd Couple or Dynamic Duo?, 8 Eur. J. of L. & Tech. 1, 2 (2017).Google Scholar
116 See also Rubinstein, supra note 35, at 80.Google Scholar
117 See Engels, Barbara, Data Portability Among Online Platforms, 5 Internet Pol'y Rev. 6–10 (2016) (making a distinction between platforms offering substitute and complementary services when examining the possible impact of the right to data portability on competition and innovation).Google Scholar
118 See Costa-Cabral, Francisco & Lynskey, Orla, Family Ties: The Intersection Between Data Protection and Competition in EU Law, 54 Common Mkt L. Rev. 11, 39 (2017) (arguing that standard-setting to ensure a good functioning of the right to data portability “may necessitate an agreement between competitors and therefore entail a potential violation of Article 101 TFEU”).Google Scholar
119 See discussion supra Section C.II. regarding the concepts of derived and inferred data.Google Scholar
120 See also Lynskey, supra note 34, at 801–02 (comparing the personal and material scope of the GDPR right versus the competition law remedy of data portability).Google Scholar
121 These are the preconditions for the right to data portability to apply under Art. 20(1)(a) and (b) GDPR.Google Scholar
122 See Marc Bourreau et al., Big Data and Competition Policy: Market Power, Personalised Pricing and Advertising 25 (2017), http://cerre.eu/sites/cerre/files/170216_CERRE_CompData_FinalReport.pdf (comparing enforcements of data portability on the basis of data protection and competition law in).Google Scholar
123 Press Release, Almunia, Joaquin, Competition Comm'r, European Comm'n, Remarks on Competition and Personal Data Protection at the Privacy Platform Event: Competition and Privacy in Markets of Data in Brussels, (Nov. 26, 2012), http://europa.eu/rapid/press-release_SPEECH-12-860_en.htm.Google Scholar
124 Id. Google Scholar
125 See, e.g., Graef, Inge et al., Mandating Portability and Interoperability in Online Social Networks: Regulatory and Competition Law Issues in the European Union, 39 Telecomm. Pol'y 502, 508–09 (2015); see also Inge Graef et al., Putting the Right to Data Portability into a Competition Law Perspective, Law. J. of the Higher Sch. of Econ. Ann. Rev. 7–8 (2013).Google Scholar
126 Case No COMP/M.7217, October 3, 2014, paras. 113–15, 134, 2014 O.J., http://ec.europa.eu/competition/mergers/cases/decisions/m7217_20141003_20310_3962132_EN.pdf.Google Scholar
127 For Commitments of Google, see Case COMP/C-3/39.740 Foundem and others, April 3, 2013, paras. 27–31, 2013 O.J., http://ec.europa.eu/competition/antitrust/cases/dec_docs/39740/39740_8608_5.pdf; see also Joaquin Almunia, Competition Comm'r, European Comm'n, Remarks on the Google Antitrust Case: What is at Stake?, (Oct. 1, 2013), http://europa.eu/rapid/press-release_SPEECH-13-768_en.htm (stating that Google offered improved commitments to the Commission which included a new proposal providing stronger guarantees against circumvention of the earlier commitments regarding portability of advertising campaigns).Google Scholar
128 Google Agrees to Change Its Business Practices to Resolve FTC Competition Concerns in the Markets for Devices Like Smart Phones, Games and Tablets, and in Online Search, FTC (Jan. 3 2013), http://www.ftc.gov/news-events/press-releases/2013/01/google-agrees-change-its-business-practices-resolve-ftc.Google Scholar
129 See Yoo, Christopher, When Antitrust Met Facebook, 19 Geo. Mason L. Rev. 1147, 1154–55 (2012); see also Damien Geradin & Monika Kuschewsky, Competition Law and Personal Data: Preliminary Thoughts on a Complex Issue 11, (SSRN Working Paper, 2013), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2216088.Google Scholar
130 See Costa-Cabral, Francisco, The Preliminary Opinion of the European Data Protection Supervisor and the Discretion of the European Commission in Enforcing Competition Law, 23 Maastricht J. Eur. and Comp. L. 495, 511 (2016).Google Scholar
131 See Inge Graef, EU Competition Law, Data Protection and Online Platforms: Data as Essential Facility 249–80 (2016) (discussing in detail the application of the essential facilities doctrine to data).Google Scholar
132 See, e.g., CJEU, Joined Cases C-241/91 and C-242/91, Radio Telefis Eireann and Indep. Television Publ'ns Ltd v. Comm'n of the European Communities, ECLI:EU:C:1995:98, Judgement of April 6, 1995; CJEU, Case C-7/97, Oscar Bronner GmbH & Co. KG v. Mediaprint Zeitungs, ECLI:EU:C:1998:569, Judgement of November 26, 1998; CJEU, Case C-418/01, IMS Health GmbH & Co. OHG v. NDC Health GmbH & Co. KG, ECLI:EU:C:2004:257, Judgement of April 29, 2004; CJEU, Microsoft Corp. v. Comm'n of the European Communities, Case T-201/04, ECLI:EU:T:2007:289, Judgement of September 17, 2007.Google Scholar
133 Council Regulation (EC) 139/2004 of Jan. 20, 2004 on the Control of Concentrations Between Undertakings (EU Merger Regulation), art. 2(3), 2004 O.J. (L 24) 1, 7.Google Scholar
134 Case No COMP/M.4726 February 19, 2008, 2008 O.J., http://ec.europa.eu/competition/mergers/cases/decisions/m4726_20080219_20600_en.pdf.Google Scholar
135 See Van der Auwermeulen, Barbara, How to Attribute the Right to Data Portability in Europe: A Comparative Analysis of Legislations, (2017) 33 Computer L. & Security Rev. 57, 63 (“It cannot be excluded that article 102 of the TFEU may apply to some anti-competitive situations resulting from restrictions on data portability. Nevertheless, it appears to be challenging to apply European Competition Law to data portability.”).Google Scholar
136 See Graef, Inge et al., Fairness and Enforcement: Bridging Competition, Data Protection, and Consumer Law, Int'l Data Privacy L. (forthcoming 2018).Google Scholar
137 CJEU, European Comm'n v. Alrosa Co., Case C-441/07 P, ECLI:EU:C:2010:377, para. 48 (June 29, 2010).Google Scholar
138 See also Costa-Cabral, supra note 130, at 511.Google Scholar
139 Proposal for a Directive of the European Parliament and of the Council on Certain Aspects Concerning Contracts for the Supply of Digital Content, COM (2015) 634 final (Dec. 9, 2015) [hereinafter Proposal for a Digital Content Directive].Google Scholar
140 See id. at art. 16(4)(b) (providing for a similar obligation for suppliers with regard to long term contracts for the supply of digital content). Interestingly, art. 16(4)(b) does not state that consumers are entitled to receive the content free of charge and thus seems to allow suppliers to ask for a fee.Google Scholar
141 See id. at art. 13(2)(b)Google Scholar
142 See id. at recital 39 of the preamble.Google Scholar
143 See discussion supra Section C.II.Google Scholar
144 WP29, supra note 16, at 10–11.Google Scholar
145 General Approach of the Council (June 8, 2017), art. 13a(3), http://data.consilium.europa.eu/doc/document/ST-9901-2017-INIT/en/pdf (emphasis added).Google Scholar
146 See also Metzger, Axel et al., Data-Related Aspects of the Digital Content Directive, 9 JIPITECH 90, 102–04 (2018) (comparing the RtDP in the GDPR and the data retrieval obligations in the Digital Content Directive).Google Scholar
147 See Opinion of the European Data Protection Supervisor 4/2017 on the Proposal for a Directive on Certain Aspects Concerning Contracts for the Supply of Digital Content 8–9, 18–20, (Mar. 14, 2017), https://edps.europa.eu/sites/edp/files/publication/17-03-14_opinion_digital_content_en.pdf (making recommendations to ensure that the Digital Content Directive does not change the balance found by the GDPR under which the processing of personal data may take place in the digital market); see also Natali Helberger et al., The Perfect Match? A Closer Look at the Relationship Between EU Consumer Law and Data Protection Law, 54 Common Mkt. L. Rev., 1427–66 (2017) (discussing the relationship between data and consumer protection law more generally).Google Scholar
148 General Approach of the Council, supra note 145, art. 13a(3).Google Scholar
149 See ETNO Memo, supra note 112, at 9 (explaining—within the context of the GDPR and the EU electronic communications framework—that, “[w]hile the data protection oriented data portability right of the GDPR has a different scoping and orientation, one should be careful not to impose cumulative, redundant and potentially contradictory portability obligations on the telecoms industry.”).Google Scholar
150 See Regulation of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union, art. 6(1) (Nov. 9, 2018), http://data.consilium.europa.eu/doc/document/PE-53-2018-INIT/en/pdf.Google Scholar
151 See Art. L. 224-42-1 - L. 224-42-4 of Loi 2016-1321 du 7 octobre 2016 pour une République numérique [Law 2018-132 of October 7, 2016 for a Digital Republic] Journal Officiel de la République Française [J.O.] [Official Gazette of France], Oct. 7, 2016, pp. 14–15 (stating that providers of online public communications service have to enable a consumer to recover free of charge all data that he or she has stored online—as well as all data resulting from the use of his or her user account that can be consulted online—with the exception of the data which has been significantly enhanced by the provider concerned). This provision resembles the data retrieval obligation that has been included in the proposal for a Digital Content Directive. The difference is that the latter is still under consideration in the EU legislative process while the former has already been adopted in its final form. As a result, regardless of what will happen to the relevant provisions in the proposal for a Digital Content Directive, providers of online public communications services in France have already had to comply with the data retrieval obligation set out in French consumer law as of the entry into force of the new duty enters in May 2018 (simultaneously with the start of the applicability of the GDPR).Google Scholar