The right to data portability in the GDPR and EU competition law: odd couple or dynamic duo?
The EU General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union on 4 May 2016. It will become applicable on May 25, 2018. The GDPR comprises a new right to data portability for individuals, which requires data controllers to ensure that they can hand over the personal data that has been provided by the data subject himself/herself, in a structured, commonly used and transferable format.
This paper critically examines the right to data portability and suggests that in order to ensure comprehensive data portability that reaches out to all relevant stakeholders, including businesses, the provisions in the GDPR need to be analysed by taking into account EU competition rules. It suggests that lessons can be drawn from EU competition law to limit the potential adverse consequences of the right to data portability particularly for small and medium-sized enterprises. It also asserts that EU competition rules, especially Article 102 TFEU and the essential facilities doctrine, can complement data portability by facilitating mandatory access to specific data.
Keywords: The General Data Protection Regulation; article 20 of the GDPR; article 102 TFEU; data; data controller; the right to data portability; API; controller to controller transfer; competition law; essential facilities doctrine; network effects; Data Protection Directive