This paper uses the example of data from connected cars to show the difficulties of solving data access problems through data portability rights. In particular, the privacy law-based data portability of Art. 20 GDPR proves insufficient for solving competition and innovation problems caused by data access problems, owing to an overly narrow definition of the scope of portable data and the need for additional complementary regulations to make data portability effective. Therefore, data portability rights outside of privacy laws, e.g. based upon the consumer data rights approach or in competition policy, can offer more flexible and effective solutions for fostering competition and innovation.
By Daniel Gill & Wolfgang Kerber1
I. INTRODUCTION
In recent policy discussions data portability rights are often seen as a very promising instrument for solving problems for competition and innovation that are caused by a lack of access to data. Since the EU data protection law already introduced a data portability right (Art. 20 GDPR) in 2018, the European discussion focusses primarily on this data portability instrument for fostering competition and innovation. However, this right has not fulfilled these expectations so far, which has led to the current policy discussion in the EU on how this right can be made more effective.2 But data portability rights can also be introduced outside of privacy laws, as, e.g. in the recent approach of consumer data rights, which intends to give consumers more control over their consumer data by granting them, inter alia, a portability right. Australia is implementing such consumer data rights in a sector-specific way,3 which resembles to some extent sector-specific data access regulations in the EU as, e.g. the access to bank accounts for innovative financial services (PSD2: “Second Payment Service Directive”).
This article claims that data portability rights can contribute to the solution of data access problems for competition and innovation but only to a limited extent and under certain conditions. Some of them are already discussed in the policy debate about enhancing the data portability right of Art. 20 GDPR (standardized technical interfaces, continuous data portability). We would like to draw attention to the need for a careful and deep analysis of the underlying data access problems for competition and innovation as a precondition for deriving conclusions about the appropriate design of data portability rights, and to the need for additional complementary regulations for making data portability rights effective enough to achieve these objectives. Therefore, section 2 will present some results of our research about the problems of access to data in connected cars for competition and innovation (on secondary markets), and why the data portability right of Art. 20 GDPR is not a suitable instrument for solving these problems. Based upon this case study, section 3 discusses some basic questions about the design, limits, and preconditions of effective data portability rights. After analyzing the limits of a privacy law-based data portability (as Art. 20 GDPR in the EU) for helping to solve data access problems for fostering competition and innovation, we argue that the alternative approach of consumer data rights allows for a more flexible design of data portability rights (e.g. by also including non-personal data) that can lead to more targeted and effective solutions for competition, innovation, and consumer empowerment. Therefore, the policy discussion should also focus on data portability rights outside of privacy laws (and beyond personal data) as part of consumer policy, competition policy, and the governance structure of the data economy.
II. CAN DATA PORTABILITY RIGHTS SOLVE ACCESS PROBLEMS TO IN-VEHICLE DATA IN CONNECTED CARS?
The technological transition to connected cars has led to a new regulatory discussion in Europe about access to the large sets of data collected and produced in these cars. Since the car manufacturers have designed their cars as closed systems and transmit all data directly to proprietary servers (“extended vehicle”), they have exclusive de facto control over all data and the technical access to the car. This gatekeeper position allows them to control the access to all secondary markets for services, which require either access to these “in-vehicle data” and/or technical access to the connected car (as, e.g. remote maintenance and repair services). Importantly, most of these in-vehicle data are unique and neither replicable nor substitutable. The concerns of independent providers of aftermarket and other complementary services that this gatekeeper position allows the car manufacturers to foreclose them and leverage market power into these secondary markets are justified from a competition economics perspective; such foreclosure can lead to negative effects on competition, innovation and consumer choice on these markets.4 This problem is also not solved by the current EU type approval regulation for motor vehicles, because this well-established mandatory access regime to essential repair and maintenance information for independent service providers has so far not been sufficiently updated to the new technology of connected cars, and therefore does not encompass the access to these car data and the remote access to the car for protecting competition on these markets under the new technology.5
For several years, an intense policy debate has existed between the car manufacturers defending their approach (with safety and security reasons) and a broad coalition of service providers who demand a regulatory solution.6 Different options for solving the problem exist: (1) the server with all car data is put directly under the governance of a neutral (data trustee-like) institution (which can grant non-discriminatory access), and (2) the introduction of interoperable telematics platforms, which would allow the storage of the data in the car and give the car users direct control over their data and the access to the connected car. Both solutions would eliminate the gatekeeper position of the car manufacturers with respect to the car data and have been assessed as superior compared to the current extended vehicle concept due to their advantages for competition.7 Other policy options are either (3) mandatory access solutions to essential data in competition law (e.g. Art. 102 TFEU), or (4) a broad extension of the existing mandatory data access regime of the motor vehicle type approval regulation to all data that are necessary for offering services on secondary markets of the connected car (including necessary interoperability requirements).8 The EU Commission has acknowledged the existence of this competition problem, and announced in its European data strategy a further reform of the type approval regulation.9
Since Art. 20 GDPR is also seen as a possible way for consumers to make data of a smart device available to other service providers, (5) this data portability right can also be seen as a possible solution for the data access problems with connected cars. According to Art. 20 GDPR the data subjects (i.e. the car users) have the right to have their personal data directly transmitted from the data-holding car manufacturers to other service providers. In the following, we will show why this data portability right does not offer a sufficiently effective mechanism for solving the above-described problems for competition and innovation.
1) Legal problems: The general critique of the EU data portability right that the scope of the portable data is not clearly defined is also a problem in the case of connected cars. Although most data produced in the connected car are seen as personal data, it is debated which in-vehicle data are personal data and which are not. Since the data portability right only refers to personal data that are “provided” by the data subjects, it is not clear what this means in connected cars that produce the in-vehicle data, mostly through sensors. It is particularly unclear whether this right also entails data that are observed by the connected car. Including also observed data was suggested by the European Data Protection Board, but this is disputed and unclear from a legal perspective.10 This legal uncertainty about the scope of the portable data and about other legal aspects (as, e.g. liability issues, rights of others, business secrets) is a huge problem for the effectiveness of this data portability solution. In any case, the scope of portable data can be expected to be too narrow for solving the problems for competition and innovation. Another important issue in the connected car example is that the data portability right does not entail a continuous transmission of data in real-time to other service providers, as would be necessary for many of these services on the secondary markets.
2) Technical problems: Another important limitation is the provision that the data portability right is only applicable if technically feasible. But data controllers have no obligation to implement measures for ensuring technical feasibility, as, e.g. using APIs and developing industry-standards for data formats and interfaces for enabling data interoperability. This is very different in the PSD2 regulation, where banks have an obligation to develop APIs and standardized interfaces for allowing independent service providers to access bank account data. But the technical problems go beyond data interoperability. The provision of many services by independent firms to the users of connected cars would also require a direct technical access to the car. Since the cars are designed as closed systems, the car manufacturers can block the interoperability with other services, and thus can control the markets for all services that need to interoperate with the car. This problem, which emerges with many smart devices and IoT applications, cannot be solved by a data portability right. Although safety and security problems that can emerge with data portability and interoperability of services have to be solved, the car manufacturers have no obligation to implement a safety and security system which would allow the safe transmission of data and interoperability of services. This, too, is different in the PSD2 regulation about open banking, which also entails strict mandatory rules for safety and security.
3) Economic problems: A huge hurdle for the effectiveness of any data portability rights can be the transaction costs of using these rights. This refers to the consumers, who have to exercise these rights, to the service providers to whom data are made available, but also to the data holders that have to port these data without being allowed to demand fees. Most important is whether the consumers are aware of their data portability right and have sufficient incentives for exercising it. Due to the above-described manifold problems, it cannot be expected that consumers will use it. But even if it worked, i.e. led to the benefit of being offered additional services, using this data portability mechanism has to be as simple as possible. One option is standardized processes that allow the service providers to initiate the data portability process, similar to solutions in the PSD2 regulation (or the old regulations regarding phone number portability), where the consumers only have to give their consent. The current way of applying for data portability in Art. 20 GDPR is too burdensome. An additional problem emerges if service providers need not only the individual-level data of specific customers but also aggregate-level data from many connected cars for developing new services (or training algorithms). Then collecting enough data through inducing individual car users to use their data portability right might be too cumbersome and costly for these service providers (collective-action problem).
The costs for the data-holding companies also have to be considered. As with mandatory data access solutions, a far-reaching data portability right can also reduce the incentives for producing certain data sets in the connected car, e.g. through additional sensors.
The result of our analysis is very clear. The data portability right suffers from legal uncertainty, a too narrow scope of data, its slowness and lack of continuous data portability, and missing obligations for ensuring the technical preconditions for data interoperability and interoperability with other services, as well as standardized safety and security solutions, and standardized processes for minimizing transaction costs. The regulations of the PSD2 Directive consist of an entire package of regulatory solutions that address all these problems.11 If a data portability right were designed with an adequate scope of in-vehicle data and continuous portability, and complemented with additional regulations for solving these technical and economic problems, then it also might offer a chance for solving the competition and innovation problems in the connected car example.12 However, such a solution is far away from what can be done with the current data portability right of Art. 20 GDPR.
III. DATA PORTABILITY RIGHTS: THE NEED FOR A FLEXIBLE INSTRUMENT
As part of its European Data Strategy the EU Commission intends to make the data portability right of Art. 20 GDPR more effective, also for fostering competition and innovation, especially also with regard to IoT devices with lock-in effects for consumers. For addressing the current difficulties regarding the use of this right, the Commission considers also “mandating technical interfaces and machine-readable formats allowing portability of data in real-time.”13 Enabling data interoperability and continuous data portability are also important demands in the academic discussion for making the data portability right more effective. Other demands refer to the large legal uncertainty, e.g. about the scope of portable data, which needs a fast clarification, and a better enforcement of the existing data portability rules. Also, the need for developing trustworthy personal information management systems (“PIMS”) for helping individuals to self-manage their personal data (consent management) is discussed.14 All of these proposals would be helpful for a wider use of this data portability right. However, it will be very difficult to implement most of these proposals and they also would not be sufficient for solving many of the existing data access problems for competition and innovation (as, e.g. in the connected car example).
The main problem of using the data portability right of Art. 20 GDPR for solving competition and innovation problems lies in its general cross-sector character and limitation to personal data. Since it is an integral part of EU data protection law (based upon privacy as fundamental value), it is a general right that is granted to all data subjects regarding their personal data. Although EU data protection law has acknowledged that this data protection right can, indirectly, also foster competition and innovation, its basic objective is strengthening the “informational self-determination” of individual persons regarding their personal data. This severely limits the flexibility to adapt this data portability right (e.g. regarding the scope of portable data) to the often very different needs for making data available to other service providers (including additional necessary regulations) for enabling competition and supporting innovation in a sufficient way.15
In the policy discussion about mandatory data access/sharing solutions, it has been seen as one of the problems of general (“horizontal”) data access solutions that it is much more difficult to apply them in a sufficiently differentiated (targeted) way compared to sector-specific regulatory solutions, with regard to when data access obligations can be justified and how to make them effective.16 This is the reason why so far the EU and other countries have focused more on sector-specific data access solutions as in sectors like banking (PSD2), energy, and others, which allow for a more targeted approach. The same problem does also exist with data portability rights. From an economic perspective, also data portability rights have to be designed and applied in a differentiated way, because the benefits and costs of solving data access problems through data portability rights can vary widely in different economic and technological contexts (no one-size-fits-all solution). It therefore depends very much on the data access problem in the specific markets, how a data portability right should be designed (scope of data, continuous portability, fees etc.), and whether it has to be complemented with additional regulations for rendering it effective with respect to competition and innovation. It is also necessary to analyze whether other data governance solutions like data access/sharing obligations, data trustee solutions, or technological solutions that change directly who has de facto control over data (as interoperable telematics platforms in the connected car example) would lead to more effective results than data portability rights.17
Therefore, the question arises whether the approach to rely primarily on a general privacy law-based data portability right (as Art. 20 GDPR) is the best way for developing effective data portability rights for solving competition and innovation problems, or whether the policy discussion should focus much more on data portability rights outside of privacy laws and beyond the limitation to personal data. Although the EU has taken some steps for introducing data portability rights for non-personal data, these approaches are still in their infancy and suffer from the lack of a coherent concept.18 It is rather the consumer data rights legislation in Australia that might help to develop a consistent alternative approach to data portability rights, which is not based upon data protection or privacy laws. The basic idea of consumer data rights is to give consumers more control over their consumer data (consumer empowerment) by granting them directly certain inalienable rights over their consumer data, which also encompass data portability rights.19 The main advantage of the consumer data rights approach is that it is much more flexible, because consumer data need not be identical with personal data (as defined by privacy laws). They can therefore also encompass non-personal data, and not all personal data need to be consumer data. Therefore, a data portability right regarding consumer data can be much better adapted to different economic and technological conditions.
It is not surprising that in Australia a hybrid version of a general and a sector-specific approach was chosen for the consumer data rights.20 Although consumer data rights are seen as a general approach for granting consumers (and small businesses) more control over their consumer data and how they can be used, their implementation is done through a step-by-step process in a sector-specific way (banking, energy, telecommunication etc.). This implies that the scope of transferable data as well as the mechanisms for transfer and security protocols can be defined in a sector-specific and problem-oriented way. This allows for a much more targeted approach for designing effective data portability rights for solving specific data access problems in different contexts, and therefore also enables a better balancing of the benefits and costs of data portability rights. With such a consumer data rights approach that can be implemented sector by sector, data portability solutions might also be possible for the connected car example by defining all car data that are necessary for competition and innovation on secondary markets as portable consumer data and complementing this with the necessary additional regulations. It also fits this approach that the Australian Competition and Consumer Commission (“ACCC”) is the lead regulator and enforcement agency for these consumer data rights.21 The conceptual advantage of consumer data portability rights is that they can encompass both personal and non-personal data, and can be seen both as an instrument of consumer and competition policy.
Another way of using data portability rights outside of privacy laws for solving competition and innovation problems is to apply them as additional tools in competition law, e.g. as remedies in traditional competition cases or as part of the current competition policy reform discussion.22 Both in merger cases and in cases of abusive behavior of dominant firms data portability remedies can be used as one of several types of data remedies, as, e.g. also data access/sharing obligations, separation of data sets (internal unbundling), and other limits on the use of data. Data portability remedies can refer both to personal and non-personal data and be complemented with specific conditions for making them effective. Also, strategies of firms with market power that impede data portability can be prohibited as abusive behavior. The German Commission Competition Law 4.0 went one step further by proposing in 2019 the introduction of an EU regulation for dominant platforms that would also entail an obligation of these platforms to enable the portability of user and use data in real-time (and to ensure interoperability with complementary services).23 This leads directly to the question whether (and how) the instrument of data portability rights can and should also be part of a “new competition tool” and an ex ante regulation of digital platforms in EU competition policy. We suggest that data portability rights can play a valuable role in both instruments if appropriately designed and applied.
IV. CONCLUSIONS
Data portability rights can be a valuable instrument in the toolbox of policymakers in the data economy. However, they are not a cure-all and will often not be the most effective instruments for solving data access/sharing problems, because they can come with considerable costs and problems, and might require additional regulatory solutions as preconditions for their effectiveness. It is important to understand that they can be used as part of different policies and for achieving different objectives. In privacy laws it is an instrument for informational self-determination regarding personal data, in consumer policy it is about empowering consumers to get more control over the use of their consumer data, and in competition policy it is about solving problems for competition and innovation due to a lack of access to data, e.g. through data-related gatekeeper positions (as in the connected car example). Data portability rights seem to be attractive, because they have positive effects on all these policy objectives, but we also should not underestimate trade-off problems and conflicts between these policies. Therefore, a more integrative policy approach between data protection policy, competition policy, and consumer policy is also necessary with respect to data portability rights, which also have to be integrated well into the overall governance structure of the data economy. For the discussion in the EU we want to warn against relying too much on the data portability right of Art. 20 GDPR (with the danger of over-burdening this instrument), and instead recommend also developing more data portability solutions outside of EU data protection law, e.g. by using the concept of consumer data rights.
1 Daniel Gill, Teaching and Research Assistant (daniel.gill@wiwi.uni-marburg.de); Wolfgang Kerber, Professor of Economics (kerber@wiwi.uni-marburg.de); Marburg Centre for Institutional Economics (MACIE), School of Business & Economics, University of Marburg (Germany). The authors declare no conflict of interests.
2 See Communication: A European Strategy for Data. COM(2020) 66 final, 21, and, e.g. Krämer, J., Senellart, P., de Streel, A., Making Data Portability More Effective for the Digital Economy. CERRE, June 2020.
3 See OECD, Consumer Data Rights and Competition – Background Note. DAF/COMP(2020)1, 11-14.
4 See for a market failure analysis from an economic perspective Kerber, W., Data Governance in Connected Cars: The Problem of Access to In-Vehicle Data. 9 JIPITEC 2018, 316-325; see for the general problem of foreclosing service providers on secondary markets in IoT ecosystems through gatekeeper positions of manufacturers J. Crémer, Y.A. de Montjoye, H. Schweitzer, Competition Policy for the Digital Era, 2019, 87-90.
5 See Regulation (EU) 2018/858 (motor vehicle type approval), [2018] OJ L 151/1; Kerber, W. and D. Gill, Access to Data in Connected Cars and the Recent Reform of the Motor Vehicle Type Approval Regulation, 10(2) JIPITEC 2019, 251-256.
6 See for this debate and the following policy options C-ITS Platform, Final Report 2016, 72-90, TRL, Access to In-Vehicle Data and Resources – Final Report 2017, 32-49, Kerber, supra note 4, 312-315.
7 See TRL, supra note 6, 160; Kerber, supra note 4, 325.
8 See Kerber/Gill, supra note 5, 255.
9 See Communication: A European strategy for data (fn.1), 28.
10 See Article 29 Data Protection Working Party, Guidelines on the Right to Data Portability. WP242 rev.01, 10; see for this problem also Krämer et al, supra note 2, 78, and Graef, I., Husovec, M., & van den Boom, J., Spill-Overs in Data Governance: The Relationship Between the GDPR’s Right to Data Portability and EU Sector-Specific Data Access Regimes, 2019, available at http://dx.doi.org/10.2139/ssrn.3369509, 8.
11 See Kerber, W., From (horizontal and sectoral) data access solutions towards data governance systems, 2020, 10-12; available at http://dx.doi.org/10.2139/ssrn.3681263; forthcoming in: Drexl J. (ed.), Data Access, Consumer Interests and Public Welfare.
12 It should be noted that the existing type approval regulation for motor vehicles already encompasses a similar regulatory package, but it would need a huge step for updating this regulatory regime to the challenges of the new technology of connected cars. See Kerber/Gill, supra note 5, 255.
13 Communication of the European Commission: Data Protection as a Pillar of Citizens’ Empowerment and the EU’s Approach to the Digital Transition – Two Years of Application of the General Data Protection Regulation. COM(2020) 264 final, 9.
14 See, e.g. Krämer et al, supra note 3, 75-84.
15 See for this problem also Graef et al, supra note 11, 22.
16 See for the discussion “Horizontal vs. Sectoral data access solutions” Kerber, supra note 12, 4-17.
17 For the need of an economic analysis of entire data governance systems for deriving the proper solutions see Kerber, supra note 12, 20-31.
18 See the Digital Content Directive and Free Flow of Data Regulation of the EU.
19 See for this concept OECD, supra note 3, 7-14.
20 See ACCC, Consumer Data Right (CDR), available online at https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-0, Beaton-Wells, C., Platform Power and Privacy Protection: A Case for Policy Innovation, CPI Antitrust Chronicle September 2018, 6-8, Specht-Riemenschneider, Data access rights – A Comparative Perspective, 2020, forthcoming in: Drexl J. (ed.), Data Access, Consumer Interests and Public Welfare.
21 The ACCC however collaborates with OAIC (privacy protection agency) and the Data Standards Body (“DSB”).
22 See for a comprehensive overview Vezzoso, S., Competition Policy in Transition: Exploring Data Portability’s Role, forthcoming in: Journal of Competition Law & Practice (JECLAP); available at http://dx.doi.org/10.2139/ssrn.3634736.
23 Kommission Wettbewerbsrecht 4.0, Ein neuer Wettbewerbsrahmen für die Digitalwirtschaft, 2019, 6.