Inge Graef – Assistant professor at Tilburg Institute for
Law, Technology, and Society (TILT) and
Tilburg Law and Economics Center (TILEC)
While data is regarded as a key resource for economic growth and societal progress, policymakers are concerned that its full potential is not reaped as long as generators of data keep the asset to themselves and the information is consequently analysed in silos (2017 Communication ‘Building a European Data Economy’). To promote the exchange and reuse of data across market players, the European Commission has been actively exploring policy options in relation to data sharing. In particular, the Commission adopted a Communication ‘Towards a common European data space’ in April 2018 in parallel with a Staff Working Document taking the shape of ‘Guidance on sharing private sector data’. At the national level, the Dutch government, for instance, published its ‘Vision on data sharing between businesses’ in February 2019. This attention for the issue of data sharing can be traced back to the adoption of the General Data Protection Regulation (GDPR) which has introduced a right to data portability (RtDP) in Article 20. Beyond the GDPR’s right to data portability, a number of sector-specific data access regimes are being developed such as in the energy, payment and digital content/services industries.
This blog post summarises a working paper co-authored with Martin Husovec and Jasper van den Boom analysing the relationship of these sector-specific regimes with the GDPR’s RtDP that applies horizontally to the entire economy. As more industries are becoming digitised and rely on data as input to offer products and services to consumers, the availability of effective portability and access instruments ( ‘data sharing’ is used in the remainder as an umbrella term referring to both data portability and data access) is going become even more important. The successful adoption of innovations within the Internet of Things calls for seamless transfer and exchange of data between businesses, and even between sectors by combining data from different types of services. The objective of the paper is to identify possible spill-overs between these regimes so as to establish a more horizontal, overarching framework for the governance of data sharing in the EU that would benefit individuals as well as market players who increasingly depend on data access – not only within but also across sectors.
GDPR’s right to data portability
The GDPR provides data subjects with: (1) a right to receive their personal data provided to a controller ‘in a structured, commonly used and machine-readable format’ and transmit those data to another controller (Article 20(1) GDPR); and (2) a right to have the personal data transmitted directly from one controller to another ‘where technically feasible’ (Article 20(2) GDPR). Although the Article 29 Working Party adopted ‘Guidelines on data portability’ in April 2017, there are still many uncertainties surrounding the scope of the GDPR’s RtDP. In particular, it is not clear when direct data transfers are ‘technically feasible’ and to what extent Article 20 GDPR gives data subjects control over their data.
Although it forms part of a data protection instrument and can be considered to promote individual control, one can also see the RtDP as an instrument to stimulate competition and innovation in data-driven markets. In any case, it is clear that the GDPR’s RtDP has an effect beyond data protection by potentially reducing lock-in through enabling users to switch easily between services. The RtDP will therefore also increase competition between data controllers and encourage the exchange of data across the economy. In this sense, the GDPR’s RtDP has similarities with sector-specific data access regimes in terms of impact – even though their objectives and scope differ.
Sector-specific data access regimes
Sector-specific legislation on the topic of data access has been adopted or is being developed in several sectors. The paper analyses the scope of legislative instruments enabling data access in a number of industries and compares them with the GDPR’s RtDP that applies horizontally, across all sectors of the economy. The selected sector-specific regimes include the proposed recast of the Electricity Directive in the energy sector, the Payment Services Directive 2 (PSD2) in the payment sector, and the Digital Content Directive in the digital content/services industries. Each of these instruments forms part of EU internal market law more broadly, but have their own objectives and focus on protecting particular interests. Despite differences in scope, the GDPR’s RtDP and the sector-specific instruments apply and can be invoked in parallel.
Against the background of this parallel application, the paper explores what dimensions define sector-specific regimes of data access and how they relate to the GDPR’s RtDP. The key aim is to explore how overarching principles can be distilled from the current piecemeal approach of regulating data sharing across sectors. This exercise is particularly instructive from the perspective of the potential of spill-overs to occur from the implementation of sector-specific data access instruments for the interpretation of more horizontal regimes like the GDPR. A spill-over is regarded as a situation where the substance of the rules in one regime impact the interpretation of the rules in another regime irrespective of their original meaning. As wider accessibility and reuse of data becomes common practice in selected industries, market players, policymakers and regulatory authorities may be less hesitant to apply similar approaches across the economy building upon the lessons learned from sector-specific interventions.
The paper illustrates that from the perspective of the effectiveness of data sharing policies, a number of aspects are to be regarded as a key. Considering the dynamic nature of current services, the possibility to establish a continuous and real-time stream of data between providers is desirable. It is not clear whether the GDPR’s RtDP can be configured to mandate continuous and real-time portability of data, as it was originally envisaged for a more static setting where a data subject files a request to the data controller as a one-off mechanism. Irrespective of this legal question, continuous access would require the development of adequate standards and processes. While this involves a serious effort by all relevant stakeholders, such an outcome does not seem unfeasible when observing the ongoing developments in the energy and payment sectors regarding standardisation. Industry-specific developments are likely to impact the interpretation of Article 20 GDPR. Because the PSD2 and the proposed recast of the Electricity Directive are giving rise to the development of standards to facilitate data access within their particular scope, such standardisation of data formats and interoperability between systems also increases the ‘technical feasibility’ of direct transfers of personal data under the GDPR’s RtDP. Where sector-specific regimes provide for continuous access to data (as the PSD2 and the proposed recast of the Electricity Directive both do), Article 20 GDPR can be interpreted in light of these instruments so that there is a spill-over effect towards a broad interpretation of the GDPR’s RtDP as well.
Another issue is the room for data controllers to impose a ‘reasonable fee’ when a data subject invokes Article 20 GDPR. Although a number of the regimes discussed provide for the possibility to charge costs, there are strong indications that one expects the remuneration not to go beyond what is necessary to cover the administrative charges for enabling portability and access. It can be questioned whether this is a good development. The ability of holders of data to ask third parties a fee to access datasets in which they have invested may encourage higher levels of data sharing on the market. In its 2017 Communication on ‘Building a European Data Economy’, the Commission referred to the possibility of establishing access against fair, reasonable and non-discriminatory (FRAND) terms in analogy to the licensing of standard essential patents. What does seem required in any case is for the fees to be applicable in principle only in business-to-business situations so that the rights of individuals as data subjects or consumers are not restricted.
Relying on sector-specific data access regimes for interpreting the scope of the GDPR’s RtDP would imply that the latter’s requirements will differ among industries depending on the presence of additional regimes promoting data sharing. While this may not be desirable considering the horizontal nature of the GDPR, there can be a beneficial wider spill-over effect of the existence of more far-reaching data access regimes in specific sectors. As data sharing becomes increasingly accepted and used by individuals as well as businesses, the attitude towards the transfer of data may change more generally so that a worthwhile spill-over effect occurs even towards sectors currently not having any additional data sharing requirements in place. Common approaches for the governance of data sharing are therefore not out of reach. The identification of spill-overs is promising in the process towards establishing a more horizontal, overarching framework for the governance of data sharing, enabling individuals as well as businesses with more effective ways to reap the benefits from the exchange of data across services and sectors.