Document Actions

Special Issue on Contracts on Digital Goods and Services

Data Portability - A Tale of Two Concepts

  1. Prof. Dr. Ruth Janal

Abstract

Art. 20 of the General Data Protection Regulation (GDPR) introduces a new concept to European data protection law – the right to data portability. The rule seeks to empower the consumer, to foster the inter-operability of data, and to prevent lock-in effects on closed platforms. Upon request, data controllers are required to provide personal data to the data subject in a structured, commonly used and machine-readable format, which enables the data subject to transfer their personal data between controllers. However, Art. 20 GDPR leaves much room for interpretation, in particular with respect to the data covered, the scope of the exceptions and the requirement of inter-operability. The proposed Directive on certain aspects concerning contracts for the supply of digital content (DCD-proposal) takes matters a step further. Under the DCD-proposal, the supplier of digital content shall provide the consumer with technical means to retrieve all content provided by the consumer (not only personal data) and any other data produced or generated through the consumer’s use of the digital content. At the same time, the proposed provisions are stricter than Art. 20 GDPR: The data portability right under Art. 20 GDPR may be exercised at any point in time, whereas the right to content portability under the DCD-proposal only arises after the contract has been terminated following a rule in said directive. The paper highlights other circumstances which warrant a right to content portability and laments the lack of an exception to safeguard the rights and interest of third parties. Three case studies are included to illustrate how the portability rules in the GDPR and the proposed Digital Content Directive might work in practice. The paper closes with a synopsis showing the commonalities and differences of Art. 20 GDPR and the portability rules in the proposed Digital Content Directive.

Keywords

1. Portability is en vogue

Portability of data and content is currently a hot topic in EU law. A right to data portability is provided for in Art. 20 of the new General Data Protection Regulation (GDPR).  [1] The proposed Directive on certain aspects concerning contracts for the supply of digital content (DCD-proposal)  [2] contains a similar idea with respect to digital content. Furthermore, the European Commission has published a Proposal for a regulation on cross border portability of online content services.  [3] These three examples prove that portability is a multi-faceted concept: In the context of Art. 20 GDPR and the DCD-proposal, the term portability describes the right to retrieve data relating to a natural person. In contrast, the proposed rules on cross-border portability seek to ensure that digital content that a consumer has acquired in one Member State can be accessed without fee from any other Member State. While the latter is undoubtedly an interesting subject, this paper focuses on the right to retrieve data and will not address cross-border portability.

First, let us take a closer look at the rules which are the subject of this paper. Under Art. 20 GDPR, the data subject shall have the right to receive the personal data concerning themselves, which they have provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit this data to another controller without hindrance. In a similar vein, Art. 13 (2) (c) and Art. 16 (4) (b) of the proposal for a Directive on digital content rule that after the termination of a contract, “the supplier shall provide the consumer with technical means to retrieve all content provided by the consumer and any other data produced or generated through the consumer's use of the digital content.” Retrieval shall be possible without significant inconvenience, in reasonable time, and in a commonly used data format.

An example of how data and content portability may be put into practice is the Google archive function, which allows Google users to download an archive of their activities regarding most of Google’s services simply by selecting the respective service and clicking on a link.  [4]

2. Purpose of the portability rules

What is the purpose of those provisions? Having considered the matter for quite a while, I cannot supply a definite answer to that question. What I will do is provide an educated guess. It seems that the purpose of Art. 20 Data Protection Regulation is the empowerment of the data subject.  [5] To avoid lock-in effects, the data subject shall be empowered to take her personal data from one service and simply move on to another or an additional  [6] service. A true relocation naturally only works if the new service is willing to insert the personal data into its own databases.  [7] If you want to transfer from Facebook to Google Plus, Art. 20 will only give you a right against Facebook to retrieve your data, but will not give you a remedy to force Google to make use of the data. There is an obvious reason for this: Due to different data formats and different database structures, it can be quite difficult for data controllers to incorporate data provided by another controller. By accepting this limitation, the EU legislator has stopped short of establishing true data empowerment. Thus, it would seem that Art. 20 Data Protection Regulation double-functions as a competition rule.  [8] If a company is interested in winning customers from another service, Art. 20 will improve competition on the market, because a competitor can promise its potential customers to integrate their personal data (or parts thereof), if they bring their data with them. One prominent example would be social networks that incorporate their users’ contacts via the email provider’s contact API.  [9]

The purpose of Art. 13 (2)(c) and Art. 16(4)(b) of the Digital Content Proposal is more straightforward. Under the proposed directive, the right to portability only arises after the contract has been terminated by the consumer. Imagine you are a member of a particular platform and you have provided quite a bit of content – pictures, comments, and so forth. Then something happens that makes you want to terminate the contract. Obviously, the fear that your content may be lost if you terminate the agreement will play a role in the decision of whether to exercise your rights. Thus, the data portability rules of the Digital Content Proposal safeguard the consumer’s right of termination in order to avoid lock-in effects.  [10] The fostering of competition is a welcome side effect.  [11] With that in mind, let us now consider under which circumstances a right to data portability arises and what such a right entails.

3. Art. 20 General Data Protection Regulation

3.1. Prerequisites

I shall first take a closer look at Art. 20 GDPR, a rule which will apply as of 25 May 2018. The General Data Protection Regulation applies to the processing of personal data by automated means.  [12] What is further required is some connection to the European Union,  [13] in the form of a) the controller’s establishment within the EU, b) the offer of goods or services to data subjects in the Union, or c) the monitoring of behaviour which occurs within the European Union.

When does the portability requirement arise? Art. 20 GDPR requires portability for personal data  [14] which the data subject has provided to a controller. Personal data means “any information relating to an identified or identifiable natural person”, the so-called “data subject”.  [15] There is some room for debate as to which data has been “provided” by the data subject. Clearly, the wording of the provision covers personal data explicitly provided by the data subject, such as contact information, comments und uploaded material. However, does it also refer to data which has been provided by the data subject’s conduct or use of a gadget or service – perhaps even unwittingly?  [16]

As an example, consider a sensor which measures the data subject’s heart rate. The data is provided quite willingly by an athlete wearing a fitness tracker with a sensor, and when the athlete changes suppliers, she may be interested in transferring that data to another controller. This would allow the athlete to monitor her heart rate over a longer period of time, irrespective of the contractual relationship with a particular supplier. However, take note that an identical sensor may also be incorporated into a car seat. There, it would form part of the attention assist system of the car. By measuring the heart rate, the system can determine signs of fatigue and alert the driver that she should take a break or switch drivers. In this instance, the driver may or may not be aware of the fact that her heart rate is tracked, and she may or may not have consented to that tracking, but in any case she will generally not be interested in keeping a record of that heart rate.

Turning back to Art. 20 GDPR, has the heart rate data been “provided” by the athlete and the driver? Arguably, the data was “collected” by the provider, rather than being “provided” by the data subject. However, this take on the matter would not be very convincing. At least in those instances where the collection of the data is based on the data subject’s consent, there is an active element of provision by the data subject.  [17] This position is supported by recital 60 sent. 4 GDPR, where collection of data is considered a form of provision of data by the data subject.  [18] More importantly, if the purpose of Art. 20 GDPR is empowerment and market competition, those goals will only be achieved if the right to portability extends to data provided by the consumer’s conduct and use of gadgets or services. The user of a fitness tracker may switch providers more willingly, if she is able to retrieve her fitness data and transfer it to her new provider. This might allow the athlete to compare the fitness data of her last marathon with the data of her current run.

That being said, it seems slightly over the top to extend the portability right to each and every data collected by the data controller, as is evidenced by the example of the car’s attention alert system. For this reason, it is a pity that Art. 20 GDPR does not contain a reasonability or proportionality restriction.  [19] One option would be to simply read a proportionality requirement into the rule. For example, a right to data portability should only arise where there is a reasonable expectation on the part of the data subject that the data will be available over time. However, I will readily admit that the wording of Art. 20 GDPR does not lend itself to this distinction. Rather, the text relates to any data that has been provided by the data subject and is still retained by the controller.

Finally, the right to data portability under Art. 20 (1) GDPR only arises where the processing of data is carried out by automated means and where it is either based on the data subject’s consent or the processing is necessary for the performance of a contract. This wording is too restrictive because it does not cover situations where the controller has illegally processed the data. The point of Art. 20(1) (a) GDPR is to relieve a controller from the portability requirement if the processing of data is based on the legal grounds of Art. 6 (1) (c) to (f) and Art. 9 (2) (b) to (j) GDPR.  [20] The portability right should however apply if a controller has illegally processed the data as there is no conceivable reason to reward the contravention by excluding the data subject’s right to retrieve data.

3.2. Exceptions

Art. 20 GDPR specifies three exceptions to the right to retrieve data. Firstly, the right only applies to data still retained by the controller – certainly if the data subject exercises her right to be forgotten under Art. 17 GDPR, she cannot simultaneously retrieve the data. The same is true for data that has been rendered anonymous and no longer pertains to an identifiable person.  [21] Secondly, the portability right may not interfere with a task carried out in the public interest.  [22] Thirdly, portability shall not adversely affect the rights and freedoms of others.

Considering the third exception in particular, personal data will oftentimes relate to more than one data subject: a picture may show more than one person; a work may be a collaborative effort; and communication by its very meaning requires at least one originator and one addressee. When does the retrieval by the data subject interfere with the rights and freedoms of another data subject? One approach is to allow data portability only if, under the new controller, the data is kept under the sole control of the requesting user and the data is managed for purely personal or household needs.  [23] I believe this approach may prove to be too strict. Namely, when the data subject requesting portability provided this data to the original controller, the other data subjects may not have been asked for their consent. Imagine a list of contacts provided by one data subject to a controller; when this list is ported to another controller, why should only the original controller be entitled to process the data under Art. 6 (1) (f) GDPR, but not the controller whom the data was ported to?

Alternatively therefore, I propose to answer the question by looking at the reasonable expectation of the other data subject involved. For example, if there is a group discussion on a social media platform, the expectation will generally be that views are exchanged on this platform and on this platform only. The group members cannot individually exercise their right to data portability, while mutual consent would allow them to exercise their rights collectively. In contrast, if someone converses via email, there is generally no reasonable expectation that the communication will be stored with a specific email provider. Thus, the rights and freedoms of the participant of an email exchange will not stand in the way of portability.

3.3. Consequences

Once the data subject has established the right to retrieve data, the obvious question is, what does the right entail? Under Art. 20 GDPR, the data subject has a right to receive the data in a structured, commonly used and machine-readable format (within one month of the receipt of the request – Art. 12(3) GDPR). The wording implies that it is not sufficient if the data subject can manually extract individual data. Rather, the controller has to provide a structured set of data. Where technically feasible, the data subject may require the controller to transmit that data directly to another controller. Both reception and transmission can be required at any point in time and are in principal free of charge.  [24]

The rule implies that there are commonly used data formats for all kinds of data. While this may be true for a lot of data, it is certainly not true for all kinds of data – consider the “likes” on a social media platform, or the data of a particular seat or mirror position in a car. What can be done if a commonly used data format simply does not exist? Must Art. 20 GDPR be understood as an impetus to develop such commonly used data formats? I would rather argue that in such an instance, the controller may fulfil the portability requirement by providing the data in the format presently used. It is also unclear how the standard of technical feasibility of a direct transfer of data is to be determined. Something which is technically feasible for companies such as Facebook and Google, may be difficult to implement for smaller controllers that have to rely on software developed and supported by third parties.  [25]

3.4. Enforcement

Before I turn to some examples, I should briefly note that the enforcement mechanism of the General Data Protection Regulation is two-fold: The failure to ensure data portability may lead to civil liability and a right to compensation under Art. 82 GDPR. Possibly of higher importance are the administrative powers of the supervisory authority, which include the imposition of fines of up to 20.000.000 EUR, or up to 4 % of the total worldwide annual turnover, Art. 58, 83 (1), (5) GDPR.

3.5. Examples

It has been reported that the primary aim of Art. 20 GDPR was to avoid lock-in effects in social media networks.  [26] Needless to say, the rule has a much broader scope and covers many industries distinct from social media. Below are a few examples.

3.5.1. Student vs. University

Suppose a student wishes to transfer from one university to another. The student asks her current university to transmit all personal data to the new school. Personal data stored by the university will likely encompass registration data, academic transcript information, the emails stored by the university mail provider, and any learning platform data, such as tests, discussion board posts etc.

Four aspects warrant consideration. First, was the processing of this data necessary for the performance of a task carried out in the public interest or in the exercise of official authority – in which case the exception in Art. 20(3) GDPR would apply? Even with respect to public learning institutions, I do not believe that this exception is intended to cover universities (a distinction between private and public learning institutions would hardly make sense with respect to portability). Secondly, which of this data has been provided by the student? Certainly grades are provided by members of the university staff, and emails that a student has received have been provided by their originator. A right to portability would therefore not arise with respect to this data. Third, is it technically feasible to transfer the data from one institution from the other? Oftentimes, universities rely on databases developed by third parties. Should the standard of feasibility be determined from the perspective of the universities involved or from the perspective of the respective software developers? Finally, the online quizzes a student has taken have been developed by lecturers and chats on the learning platform may involve a multitude of students. With respect to this information, the rights and freedom of third parties interfere with the student’s right to portability. If we follow the standard proposed above (C.II.), this information cannot be transferred to another controller, because the parties involved had a reasonable expectation that the information was platform-specific and would stay on the learning platform.

The – somewhat surprising – conclusion is that most of the data retained by the university is not covered by the student’s portability right. In particular, while the student will probably be mostly interested in transferring transcript data and emails received to the new university, portability is not guaranteed with respect to this information. This result seems acceptable if Art. 20 GDPR is solely viewed as a competition rule, because lock-in effects on the market for education seem unlikely. If the purpose of the rule is data empowerment, then the rule fails to achieve its aim in our example.

3.5.2. Car owner vs. Manufacturer

We all know that with the arrival of automated driving, our cars will resemble computers with wheels rather than machines with embedded software. In terms of data collected by car manufacturers, the days of connected driving have already arrived. A recent investigation of ADAC, the German automobile club, has offered some insight into data collected by German manufacturers.  [27] Here is a list of some of the data which is collected and periodically transmitted to the manufacturer: the position of the car; the number of electromotive seat-belt tensions; engine speed and temperature; operating hours of the lights; number of seat adjustments; status report on windows; selected program of the automatic transmission; miles travelled on motorways, country roads and city streets. Furthermore, modern cars provide the option of saving individual driver preferences (seat and mirror position, temperature, language used to communicate with the board terminal etc.), often accessed by means of biometric information, such as the driver’s fingerprint or voice. The majority of this data is personal, because a connection with an individual data subject (car owner or driver) may be established by various means.

If we consider the data as “provided” by the data subject (see above at C.I.), which should be the case at least regarding information actively saved by a particular driver (personal preferences as to seat, mirror, temperature), then a right to data portability arises. Is there a structured, commonly used format in which the data could be transmitted? This is so-far unclear. From the evidence available, each manufacturer uses its own proprietary data format, with few common standards. Then again, some data may at least be stored in a similar format (i.e. the data recorded in the car’s event data recorder),  [28] which brings us the question raised above of whether there is an obligation on controllers to develop a standard format.

3.5.3. User vs. online marketplace

Finally, let us take a look at online marketplaces such as eBay and Amazon Marketplace. These platforms process a multitude of data, such as registration data, transaction data, social data (ratings, personal messages, discussion board postings), user-generated data (search history, wish lists, preferences, gadgets used, IP addresses, information revealed by cookies etc.). Most, but not all of this data will be personal. In particular, some of the transaction-based data may simply be goods-related, such as the description of an item offered for sale. Again, the big question is which of this data has been provided by the data subject and is subject to the portability requirement. What seems to be clear is that the right to data portability does not encompass two important sets of data. (1) User profiles (patterns, preferences, scores) are established by the platform provider and not provided by the data subject;  [29] thus Art. 20 GDPR does not require the platform provider to release this valuable know-how. (2) The portability right also does not extend to online ratings, because the information contained in online rating systems is provided by other users of the system, not by the data subject herself.

3.6. Takeaways regarding Art. 20 GDPR

There are two main takeaways from this quick look at Art. 20 GDPR. First, there remains some food for thought on the interpretation of that rule until 25 May 2018 (which is the day on which the GDPR will start to apply). Second, the scope of the rules and therefore its positive effect on competition has some limitations, as it only extends to personal data provided by the data subject. Bearing that in mind, let us examine whether help is under way in form of the portability rules in the DCD-proposal.

4. Data and Content Portability in the Proposal for a Digital Content Directive

The proposal for a Directive on certain aspects concerning contracts for the supply of digital content contains two provisions on portability. The proposed rules differ from Art. 20 GDPR in two important aspects: (1) they only apply after the termination of a B2C-contract for the supply of digital content and; (2) the right to portability is not limited to personal data, but extends to all kinds of digital content.

4.1. Contracts covered by the Proposal

A lot of ink has already been spilled on the kinds of contracts covered by the proposed Directive,  [30] thus I shall keep my comments brief in that regard. The Directive shall apply to business-to-consumer-contracts for the supply of digital content, such as video and audio files, software, cloud storage, social media and visual modelling files for 3D printing,  [31] as well as games, email provision, online marketplaces and sharing platforms.  [32] Once those rules have been implemented in the national laws of the Member States, the portability provisions will apply whenever the rules of private international law point to the contract law of an EU Member State (cf. Art. 4 and 6 Rom I-Regulation).

The proposed Directive mandates that the contract require the consumer to either pay a price or actively provide counter-performance other than money in the form of data. The prerequisite of an “active” provision of data is both vague  [33] and inappropriate from a policy perspective.  [34] Namely, data that is collected from the consumer during the performance of a service will often be of more interest to the supplier than data which the consumer has actively volunteered. The intention of the Commission seems to be to exclude contracts that do not require registration.  [35] Even where the consumer actively provides personal data, this data shall not be considered a counter-performance if the data is strictly necessary for the performance of the contract or for meeting legal requirements, as long as the supplier does not make use of the data for other purposes, in particular commercial ones.  [36] Consequently, there may be instances in which the provision of data is not considered an active counter-performance. However, in practice this exemption will rarely come into play because consumer data is regularly used by suppliers for other purposes than the performance of the contract.

The requirement of “active” provision of data is also of interest with respect to embedded software, a problematic issue in its own right. According to recital 11 of the DCD-proposal and recital 13 of the proposed Directive on the online sales of goods,  [37] the proposed Online Sales Directive shall apply to embedded software if the software’s functions are subordinate to the main functionalities of the goods and it operates as an integral part of the goods. This distinction has been widely criticized.  [38] With respect to data portability, the crux of the matter is a particular one: Bear in mind that the seller of the good or supplier of the embedded software and the person collecting data by means of the embedded software will often be different parties. When a fitness tracker, a smartphone, or a car is sold, the contract is between seller and consumer; thus the seller would be obliged to return data and digital content to the consumer. However, the seller does not usually collect the data generated through the use of embedded software. Typically, the consumer’s data is collected instead by the producer of the gadget or of the gadget’s operating system. A right to retrieve data and content from the producer however, will only arise if consumer and producer have formed a separate contract for the provision of digital content in the meaning of Art. 3 DCD-proposal. It seems worthwhile to keep this tripartite relationship in mind when devising the application sphere of the final DCD- and Online Sales Regulations.

4.2. Termination of contract

Let us assume the relationship between consumer and supplier satisfies the requirements of Art. 3 DCD-proposal. After clearing this first hurdle, we find ourselves immediately facing a second obstacle; namely, the consumer’s right to retrieve data and content arises only if the consumer has exercised her right to terminate the contract according to a provision of the DCD-Proposal. This approach is unconvincing because the proposed directive addresses only a small segment of possible grounds for termination. Art. 12 (5) DCD-proposal allows the consumer to terminate the contract for lack of conformity, and Art. 16 (1) DCD-proposal gives the consumer the right to terminate a long-term contract any time after the expiration of the first 12-month period.

Obviously, there are several other reasons why a B2C-contract may be terminated: the exercise of a right of withdrawal under Art. 9 Consumer Rights Directive;  [39] a contractually stipulated right of termination before the end of a 12 month-period; or a contract with a shorter duration than 12 months. In the case of embedded software, the consumer might rescind the contract with the seller because the good is defective,  [40] and might consequently no longer be interested in the contract with the supplier of the digital content. If portability is to safeguard the consumer’s right to sever ties with the supplier and to avoid lock-in effects, then the right to retrieve data should also exist in those instances.

4.3. Exceptions

The right to retrieve data and content arises once the consumer exercises her right to terminate the contract under Art. 12 (5) or Art. 16 (1) DCD-Proposal. It encompasses any content provided by the consumer and any other data produced or generated through the consumer's use of the digital content. The proposal clarifies that the supplier is not required to retain any data in order to allow for portability.  [41] Likewise, if the supplier has taken successful measures to anonymize the data, he should not be considered to have retained the data.  [42]

Strikingly, there is no exemption for the rights and freedoms of third parties, even though the supplier obviously has to safeguard other parties’ data protection rights. This is a clear gap which should be closed along the lines suggested above regarding Art. 20 (4) GDPR (III.2.). If no amends are made, the supplier might be caught between a rock (portability right of the consumer) and a hard place (data protection of the other natural persons involved).

Another aspect which needs to be addressed is the requirement of proportionality. In line with Art. 20 GDPR, the portability rules of the proposed directive currently do not contain a reasonability restriction. As the scope of the portability right under the DCD-proposal entails not only personal data, but also user-generated content, such a restriction is sorely missed. This can be illustrated by looking at the gaming industry – exporting an avatar created by a gamer into a different game is virtually impossible and generally not of interest to the consumer.  [43] In this context, the provision of a portability right seems unreasonable and disproportionate.

4.4. Consequences

As I have already noted, the implications of Art. 13 (2)(c) and Art. 16(4)(b) DCD-Proposal are much broader than those of Art. 20 GDPR. Portability is not only required with respect to personal data,  [44] but also with respect to any other content provided by the consumer and any data produced or generated through the consumer’s use of the digital content. This would apply i.e. to pictures uploaded by the consumer, as well as to a photo book which the consumer has created online.

How is portability to be achieved? In that respect, the DCD-proposal is more lenient than Art. 20 GDPR. The supplier shall provide the consumer with the technical means to retrieve the content, without significant inconvenience, in reasonable time and in a commonly used data format. As there is no requirement to provide the data in a structured format, suppliers may seemingly refer their customers to extract the material manually/individually, as long as this does not cause significant inconvenience. The data is to be provided in a commonly used data format, which would give the supplier a choice from various formats on the market. Again, there is no indication on how to proceed when a common data format is non-existent. Note that – unlike Art. 20 GDPR – the DCD-proposal does not include a right to have the content transferred from one supplier to another.

Under the current proposal, portability is free of charge only if requested after the consumer terminates the contract due to a lack of conformity, whereas the supplier is entitled to demand a fee in the context of Art. 16 (4)(b) DCD-proposal.  [45] I find this distinction misguided. First of all, the consumer is entitled to retrieve some of this data free of charge due to Art. 20 GDPR and allowing for a fee in the context of Art. 16 (4)(b) DCD-proposal might obscure that right. Secondly, if the aim of portability in the context of the DCD-proposal is to safeguard the consumer’s right to terminate the contract, that aim will not be achieved if the consumer is required to pay a fee to retrieve the content. Finally, any fee requested by the supplier would have to be adequate to avoid a deterrent effect on the consumer, and satellite litigation regarding the adequacy of the fee might ensue.

4.5. Enforcement

The issue of enforcement of the portability rules in the DCD-proposal is left to the Member States. Art. 18 DCD-proposal contains the typical requirement that Member States shall implement adequate and effective means to ensure compliance and must provide for representative actions.

4.6. Examples

I will now return to the previous examples to illustrate the workings of Art. 13(2)(c) and 16(4)(b) DCD-proposal.

4.6.1. Student vs. university

In the case of a student requesting data from the university, the first question is whether a contract for the supply of digital content exists between the student and her university. Evidently the relationship between student and university has a much broader ambit, but services such as campus management, learning platforms and email provision are certainly digital content within the meaning of the proposed directive. Following Art. 3(6) DCD-proposal, the directive shall apply to the obligations and remedies of the parties as supplier and consumer of the digital content, even if a contract includes elements in addition to the supply of digital content. Within a university context however, education is not an addition to the digital services. Rather, the digital services are offered as additions to the provision of education as the university’s main obligation.

4.6.2. Car owner vs. manufacturer

In the case of the car owner, assume that the owner has bought a BMW 320d which is defective. She would like to terminate the contract and instead buy a Mercedes B-class, which – as an investigation by the ADAC has shown – collects more or less the same data as the BMW.  [46] The termination of the contract with the seller will follow the rules of the Consumer Sales Directive or the proposed Online Sales Directive. Neither of those directives provide for data portability. Is there a separate contract for the supply of digital content with a corresponding counter-performance by the car owner, which might trigger a right to portability? Generally speaking there is not. However, if the owner has registered with BMW connected drive or the equivalent Mercedes me-Service, the relationship between owner and manufacturer will meet the requirements of a contract for the supply of digital content. Even in that case, the consumer will not have a right to data portability, since the contract was not terminated under Art. 12(5) or Art. 16 (1) DCD-proposal. Consequently, the car owner or driver would have to rely on Art. 20 GDPR to realize portability.

4.6.3. User vs. online marketplace

Our last example pertains to online marketplaces such as eBay and Amazon Marketplace. Do these platforms provide digital content? Following Art. 2 (1)(b) of the DCD-proposal, the definition of “digital content” includes services allowing the creation, processing and storage of data in a digital form, where that data is provided by the consumer. Thus, if a consumer is using the platform to sell a good, the user agreement will be covered by the DCD-proposal. What if the consumer is using the platform to buy a product? In this instance, Art. 2 (1)(c) comes into play, according to which digital content also encompasses “a service allowing sharing of and any other interaction with data in digital form provided by other users of the service”. Does the consumer offer a counter-performance? Obviously, that depends on the platform model. Usually the registration as such and the purchase of goods on the platform is without charge, while a fee may be requested if the consumer sells something via the platform. Even if the supplier does not charge a fee, the contract will usually fall within the application sphere of the DCD-proposal because the consumer actively provides counter-performance in the form of data and this data is usually put to some commercial use (thus rendering the exception in Art. 3 (4) DCD-proposal inapplicable).

As mentioned above (III.5.c.), data portability under Art. 20 GDPR only relates to personal data and thus may not cover transaction-related data. In contrast, the portability rules of the DCD-proposal apply to all content provided by the consumer, which includes non-personal pictures or the description of a good sold. Furthermore, the proposal is clear that the right to retrieve data also applies to data produced or generated through the consumer's use of the digital content (to the extent that data has been retained by the supplier). Under the current wording, the portability right even extends to user profiles (patterns, preferences, scores) established by the supplier. While I do not believe that the Commission intends to require businesses to reveal such sensitive know how, a clarification of this matter would be welcome.  [47] Furthermore, recital 15 DCD-proposal suggests that online ratings are supposed to be portable. Again, this is not immediately clear from the wording of the provisions (“data generated through the consumer’s use of the digital content”), since platform users often rate the consumer’s performance in the “real world” (conformity of the good sold or the apartment rented), rather than rating her platform conduct. A clarification might be helpful. In any case, bear in mind that the right to retrieve the data only arises if the contract is terminated due to faulty service or after more than 12 months.

5. Relationship between the three portability provisions

Having considered these three examples, a final question remains. Namely, what is the relationship between the portability rules addressed in this presentation? There is a clear-cut distinction between Art. 13(2)(c) and Art. 16(4)(b) DCD-proposal: the former applies to the termination of contract for lack of conformity, whereas the latter applies when the contract has been terminated by the consumer after 12 months plus.

If a right to portability arises both under Art. 20 GDPR and one of the provisions of the DCD-proposal, the consumer may choose which rule they rely upon – or may even rely upon both. Art. 3 (8) DCD-proposal clarifies that the rules of the DCD-proposal are without prejudice to data protection rules.  [48] It makes sense that neither portability rule takes precedence over the other, as the provisions show both peculiarities and significant overlap. If the consumer’s requirements are met by a request under one Directive, the consumer will not have to additionally resort to the other Directive. On the other hand, where some of the consumer’s requirements will only be met under Art. 20 GDPR (transmission to another supplier) and other demands will only be met under the DCD-proposal (portability of content other than personal data), it is helpful for the consumer to combine both rights.

6. Closing Remarks

Data portability is a hot topic as well as a novel topic. It is therefore hardly surprising that the rules addressed in this article offer some room for improvement. With respect to Art. 20 GDPR, the challenge ahead lies in the development of a lucid interpretation of the rule. Currently, it is unclear which data is deemed to be provided by the data subject and which standard should be applied to determine the technical feasibility of transmission.

The portability rules in the DCD-proposal will certainly undergo a change before they are enacted. What is needed is a clarification of the application sphere, especially with respect to embedded software. The portability right should arise with the termination of contract, irrespective of the ground for termination. One might even consider a right to retrieve content at any point in time during the performance of the contract. Portability should be free of charge in all instances, barring abusive conduct of the consumer. Finally, there is an urgent need to introduce some exceptions to the rule – the portability provisions of the DCD-provisions should acknowledge the rights and interests of third parties as well as the legitimate interest of the supplier, which includes a limit for reasons of proportionality.

7. Synopsis of commonalities and differences

The following synopsis gives an overview of the many commonalities, but also a number of key differences between the portability rules of the GDPR and the DCD-proposal:

Art. 20 General Data Protection Regulation

Art. 13 (2)(c), 16 (4)(b) proposed Directive on Digital Content

purpose

competition / empowerment

safeguard for right of termination

application sphere

Art. 2 (1) GDPR

  • processing of personal data wholly or partly by automated means

  • connecting factor to EU

Art. 3 DCD-Proposal

  • B2C-contract for the supply of digital content

  • counter performance: either price or active provision of data

  • applicable contract law = law of EU member state (Art. 6 Rome I Reg.)

data covered

  • personal data provided by data subject

  • any content provided by the consumer

  • any other data produced or generated through the consumer's use of the digital content

prerequisites

  • processing based on consent or contract and carried out by automated means

  • data still retained by controller

  • termination for lack of conformity, Art. 13 (2)(c) DCD-proposal

  • termination after 12 months +, Art. 16(4)(c) DCD-proposal

  • data / content retained by supplier

exceptions

  • task in the public interest or in the exercise of official authority

  • rights and freedoms of others

no explicit exceptions

point in time

anytime

after termination of contract

consequences

  • right to receive the data in a structured, commonly used and machine-readable format

  • right to transmit data directly from one controller to another, where technically feasible

  • technical means to retrieve content and data

  • without significant inconvenience, in reasonable time and in a commonly used data format

fee

  • free of charge (exceptions see Art. 12 (5) GDPR)

  • free of charge in case of Art. 13(2)

  • fee possible in case of Art. 16 (4)

relationship

without prejudice to data protection,

Art. 3 (8) DCD-Proposal

enforcement

  • compensation, Art. 82 GDPR

  • administrative fines, Art. 58, 83 (1), (5) GDPR

  • adequate and effective means (left to Member States), Art. 18

  • representative actions

* Ruth Janal is a Professor of Law at Freie Universität Berlin. In her research, she addresses the interface between Intellectual Property and IT law as well as European Civil Procedure and EU Consumer Law.

Contact: rjanal@zedat.fu-berlin.de. Transcript of a presentation given at the Conference on Digital Goods and Services in Berlin on 6 October 2016.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119/1 of 4.5.2016.

[2] Art. 13 (2) (c) and Art. 16 (4) (b) of the Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content, COM (2015) 634 of 9.12.2015.

[3] Proposal for a Regulation of the European Parliament and of the Council on ensuring the cross-border portability of online content services in the internal market, COM (2015) 627 of 9.12.2015.

[5] According to recital 68 GDRP, data portability strengthens the data subject’s control over his or her own data; see also Article 29 Data Protection Working Party, Guidelines on the right to data portability, 13.12.2016, 16/EN WP 242, p. 4; Maisch, Informationelle Selbstbestimmung in Netzwerken, Berlin 2015, p. 311.

[6] The simultaneous presence on multiple similar or equivalent platforms is referred to as “multi-homing”.

[7] Kühling/Martini, EuZW 2016, 448 (450).

[8] Article 29 Working Party (fn. 4), p. 4. Commission Staff Working Document on the free flow of data and emerging issues of the European data economy of 10.1.2017, SWD (2017) 2, p. 11. In a similar vain see Härting, BB 2012, 459 (465); Kipker/Voskamp, DuD 2012, 737 (740); Kühling/Martini, EuZW 2016, 448 (450); Schantz, NJW 2016, 1841 (1845); Antwort der Bundesregierung auf Kleine Anfrage (Drucksache 17/10452), p. 7. For the economic consequences of portability cf. Commission Staff Working Document (ibid), p. 47 et seq.

[9] For further examples see Article 29 Working Party (fn. 4), p. 5. For the dispute between Facebook and Google regarding the contact API cf. Singel, Google Calls Out Facebook’s Data Hypocrisy, Blocks Gmail Import, 11.5.2010 https://www.wired.com/2010/11/google-facebook-data and Metz, Facebook engineer bashes Google for Gmail block – When hypocrisies collide, http://www.theregister.co.uk/2010/11/10/google_v_facebook_contact_fight_round_two .

[10] See also recital 39 of the DCD-proposal; summary of results of the public consultation on contract rules for online purchases of digital content and tangible goods, http://ec.europa.eu/justice/contract/files/summary_of_results.docx , p. 2.

[11] Recital 46 DCD-proposal; Spindler, MMR 2016, 219 (221 et seq.).

[12] Art. 2 (1) GDPR, which furthermore provides that the Directive also applies “to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”

[13] Art. 2 (1) GDPR.

[14] Regarding the portability of other data cf. the observations in the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 10.1.2017, COM (2017) 9, “Building a European Data Economy”, p. 15 et seq.

[15] The definition provided in Art. 4(1) GDPR explains that “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. Recital 26 further explains that a person is deemed identifiably if she can be identified by the controller or another person using reasonable means.

[16] In the affirmative Maisch, Informationelle Selbstbestimmung in Netzwerken, Berlin 2015, p. 304; Spindler, MMR 2016, 219 (222); in the negative submission of the Handelsverband Deutschland e.V. (HDE) (1), http://www.bmjv.de/SharedDocs/Downloads/DE/ , p. 2.

[17] Cf. Article 29 Working Party (fn. 4), p. 8: “Observed data are ‘provided’ by the data subject by virtue of the use of the service or the device”. The Commission Staff Working Document on the free flow of data and emerging issues of the European data economy of 10.1.2017, SWD (2017) 2, p. 46, seems to share this view.

[18] “Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data.”

[19] Cf. Werkmeister/Brandt, CR 2016, 233 (237).

[20] Recital 68 GDPR states: “That right [to retrieve data] should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract.”

[21] Cf. recital 26 GDPR; Article 29 Working Party (fn. 4), p. 7.

[22] On the concept of public interest cf. recital 73 GDPR.

[23] Article 29 Working Party (fn. 4), p. 10.

[24] Art. 12 (5) GDPR; this does not apply to manifestly unfounded or excessive (i.e. repetitive) requests. Article 29 Working Party (fn. 4), p. 12 argues that “For information society or similar online services that specialise in automated processing of personal data, it is very unlikely that the answering of multiple data portability requests should generally be considered to impose an excessive burden”.

[25] Regarding the potential use of personal information management services see Commission Staff Working Document on the free flow of data and emerging issues of the European data economy of 10.1.2017, SWD (2017) 2, p. 11.

[26] Härting, BB 2012, 459 (465); Kipker/Voskamp, DuD 2012, 737 (740).

[28] Cf. minimum data elements required for all vehicles equipped with an event data recorder, http://www.crashdatagroup.com/learnmore/howitworks.html .

[29] Article 29 Working Party (fn. 4), p. 8.

[30] Bokor, Die Richtlinienvorschläge der Kommission zu Verträgen über digitalen Inhalt und Online-Warenhandel, p. 4 et seq.; submission of the Bundesverband Interaktive Unterhaltungssoftware e.V. (BIU), http://www.bmjv.de/SharedDocs/Downloads/DE/PDF/ , p. 2; submission of the TRUSTED SHOPS GmbH, http://www.bmjv.de/SharedDocs/Downloads/DE/PDF , p. 3.

[31] Explanatory Memorandum DCD-proposal, p. 11.

[32] Spindler, Stellungnahme zum Vorschlag für eine Richtlinie des Europäischen Parlaments und des Rates über bestimmte vertragliche Aspekte der Bereitstellung digitaler Inhalte, https://www.bundestag.de/blob/420320/f592286ecb85f113710d7bd40bd92b47/spindler-data.pdf , p. 5; Wendland, GPR 2016, 8 (12).

[33] Recital 14 sheds some light as to what is meant by an „active” provision of data: registration by the consumer is seen as actively providing data, accepting a cookie is not.

[34] Cf. also Schmidt-Kessel, Präsentation: Daten als Gegenleistung in Verträgen über die Bereitstellung digitaler Inhalte, 03.05.2015, http://www.bmjv.de/SharedDocs/ , p. 17; Wendehorst, Präsentation: Gewährleistung für digitale Inhalte im Lichte des Richtlinienentwurfs COM(2015) 634, 03.05.2016, http://www.bmjv.de/SharedDocs/Downloads/DE/ , p. 7; v.Westphalen, Stellungnahme zum Entwurf der Richtlinie 2015/634, https://www.bmjv.de/SharedDocs/Downloads/DE/PDF/AbteilungenReferate/ , p. 1; submission of the Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (vzbz), http://www.bmjv.de/SharedDocs , p. 7.

[35] Spindler, Stellungnahme zum Vorschlag für eine Richtlinie des Europäischen Parlaments und des Rates über bestimmte vertragliche Aspekte der Bereitstellung digitaler Inhalte, https://www.bundestag.de/blob/ , p. 8.

[36] Cf. Art. 3(5) DCD-Proposal. Processing with a purpose which is not contract-related will thus retroactively lead to the application of the proposed Directive, cf. the critical assessment of Stürner, Stellungnahme zu den Kommissionsvorschlägen COM(2015) 634 und COM(2015) 635, 04.05.2016, https://www.bundestag.de/blob/422106/efd7cdf67eb00e2c82d577d7c480bcfb/stuerner-data.pdf , p. 12 et seq.

[37] Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the online and other distance sales of goods, COM(2015) 635 of 9.12.2015.

[38] Submission of the Bundesverband der Deutschen Industrie e.V. (BDI), http://www.bmjv.de/SharedDocs/Download , p. 4; submission of the Bundesverband E-Commerce und Versandhandel Deutschland e.V. (bevh), http://www.bmjv.de/SharedDocs/Downloads/DE/PDF/ , p.3; submission of the Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V. (Bitkom) (2), http://www.bmjv.de/SharedDoc , p. 5 et seq.; submission of the Bundesverband Interaktive Unterhaltungssoftware e.V. (BIU), http://www.bmjv.de/SharedDocs , p. 5; submission of the Verbraucherzentrale Bundesverband e.V. (vzbv), http://www.bmjv.de/SharedDocs/ , p. 4, 8; submission of the Zentralverband Elektrotechnik- und Elektroindustrie e.V. (ZVEI), http://www.bmjv.de/SharedDocs/Downloads/DE/PDF/ , p. 4.

[39] Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, OJ L 304/64 of 22.11.2011; the exception in Art. 16 m Consumer Rights Directive does not cover all of the contracts within the scope of the DCD-proposal.

[40] Cf. Art. 3 (5) Consumer Sales Directive / Art. 9 (3) Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the online and other distance sales of goods, COM(2015) 635 final of 09.12.2015.

[41] Recital 39 DCD-proposal clarifies that the obligation extends to any data which the supplier has effectively retained in relation to the contract.

[42] Spindler, MMR 2016, 219 (222); Submission of the Handelsverband Deutschland e.V. (HDE) (1), http://www.bmjv.de/SharedDocs/Download , p. 12.

[43] Submission of the Bundesverband Interaktive Unterhaltungssoftware e.V. (BIU), http://www.bmjv.de/SharedDocs/Downloads/DE/PDF/A , p. 12 et seq.

[44] Spindler, MMR 2016, 219, 222: It is uncertain, whether the „other data” also includes all personal data. Considering the broad interpretation of the term, it includes both personal data and user-generated content, even if the data is produced by the supplier.

[45] Argumentum a contrario Art. 13 (2) (c), cf. also recital 40.

[47] See also submission of the Gesellschaft für Datenschutz und Datensicherheit (GDD) e.V., https://www.gdd.de/downloads/aktuelles/stellungnahmen/S , p. 10.

[48] The relationship between GDPR and DCD-proposal is not addressed by Art. 3 (7) DCD-proposal. The provisions are not in conflict with each other, and neither of the two acts is more specific; rather, they address a different subject matter.

Fulltext

License

Any party may pass on this Work by electronic means and make it available for download under the terms and conditions of the Digital Peer Publishing License. The text of the license may be accessed and retrieved at http://www.dipp.nrw.de/lizenzen/dppl/dppl/DPPL_v2_en_06-2004.html.

JIPITEC – Journal of Intellectual Property, Information Technology and E-Commerce Law

Artikelsuche
erweiterte Artikelsuche
Newsletter
Subscribe to our newsletter
Follow Us
twitter