
Data Portability and Data Control: Lessons for an Emerging Concept in EU Law

Published online by Cambridge University Press: 06 March 2019

Abstract


The right to data portability (RtDP) introduced by Article 20 of the General Data Protection Regulation (GDPR) forms a regulatory innovation within EU law. The RtDP provides data subjects with the possibility to transfer personal data among data controllers, but has an impact beyond data protection. In particular, the RtDP facilitates the reuse of personal data that private companies hold by establishing a general-purpose control mechanism of horizontal application. Article 20 of the GDPR is agnostic about the type of use that follows from the ported data and its further diffusion. We argue that the RtDP does not fit well with the fundamental rights nature of data protection law, and should instead be seen as a new regulatory tool in EU law that aims to stimulate competition and innovation in data-driven markets.

What remains unclear is the extent to which the RtDP will be limited in its aspirations where intellectual property rights of current data holders—such as copyright, trade secrets and sui generis database rights—cause the regimes to clash. In such cases, a reconciliation of the interests might, in particular, again confine the follow-on use of ported data to a specific set of socially justifiable purposes, possibly with schemes of fair remuneration. Despite these uncertainties, the RtDP is already being replicated in other fields, namely consumer protection law and the regulation of non-personal data. Competition law can also facilitate portability of data, but only for purpose-specific goals with the aim of addressing anticompetitive behavior.

We conclude that to the extent that other regimes will try to replicate the RtDP, they should closely consider the nature of the resulting control and its breadth and impact on incentives to innovate. In any case, the creation of data portability regimes should not become an end in itself. With an increasing number of instruments, orchestrating the consistency of legal regimes within the Digital Single Market and their mutual interplay should become an equally important concern.

Type: Articles

Copyright © 2018 by German Law Journal GbR
