Peter Swire and Yianni Lagos have an article in a forthcoming issue of Maryland Law Review that challenges the EU’s draft Data Protection Regulation on the issue of a right to data portability. Here’s the abstract:
In its draft Data Protection Regulation, the European Union has announced a major new economic and human right – the right to data portability (‘RDP’). The basic idea of the RDP is that an individual would be able to transfer his or her material from one information service to another, without hindrance. For instance, consumers would have a legal right to get an immediate and full download of their data held by a social network such as Facebook, a cloud provider, or a smartphone app.
Although the idea of data portability is appealing, the RDP as defined in Article 18 of the draft Regulation is unprecedented and problematic. Part I explains Article 18, whose text appears to require software and online service providers to create what we call an ‘Export-Import Module,’ or software code that exports data seamlessly from the first service to the second service. The requirements would apply globally, for any entity that sells to an E.U. resident.
Part II critiques the RDP in light of the teachings of E.U. competition and U.S. antitrust law. Competition law has long addressed the problems of lock-in and high switching costs that form a chief justification for the RDP. The RDP, however, applies to small enterprises, where there is essentially no risk of lock-in. In contrast to competition law, the RDP applies to all online services even where there is no market power and no barrier to entry. Article 18 more generally is in conflict with the rules in competition law about exclusionary conduct – it creates a per se prohibition where competition law would apply a rule of reason approach. Competition law would consider the many efficiencies that result from a service provider deciding which functions and formats to include in its products, which undergo rapid innovation.
Part III shows that Article 18 also suffers serious difficulties as a matter of privacy or data protection law. Proponents have claimed the RDP is a new fundamental human right, aiding the individual’s autonomy for online activities. No jurisdiction has experimented with anything resembling the proposed Article 18, however, casting serious doubt on its status as a new human right. Among other difficulties, Article 18 poses serious risks to a long-established E.U. fundamental right of data protection, the right to security of a person’s data. Previous access requests by individuals were limited in scope and format. By contrast, when an individual’s lifetime of data must be exported ‘without hindrance,’ then one moment of identity fraud can turn into a lifetime breach of personal data. Part IV shows that Article 18 goes far beyond previous legal rules that specifically address interoperability.
In conclusion, the novel RDP is justified by the supposed benefits to consumers. As drafted, however, the RDP likely reduces consumer welfare, as articulated after long experience in competition law. It also creates risks to privacy that are not addressed in the current text. The RDP deserves far more scrutiny before becoming a mandate that applies globally to software and online services.
You can download the full paper on SSRN.