Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique

47 Pages Posted: 9 Oct 2012 Last revised: 28 Oct 2015

See all articles by Peter Swire

Peter Swire

Georgia Institute of Technology - Scheller College of Business; Georgia Tech School of Cybersecurity and Privacy; Cross-Border Data Forum

Yianni Lagos

Ohio State University (OSU) - Michael E. Moritz College of Law

Date Written: May 31, 2013

Abstract

In its draft Data Protection Regulation, the European Union has announced a major new economic and human right – the right to data portability ('RDP'). The basic idea of the RDP is that an individual would be able to transfer his or her material from one information service to another, without hindrance. For instance, consumers would have a legal right to get an immediate and full download of their data held by a social network such as Facebook, a cloud provider, or a smartphone app.

Although the idea of data portability is appealing, the RDP as defined in Article 18 of the draft Regulation is unprecedented and problematic. Part I explains Article 18, whose text appears to require software and online service providers to create what we call an 'Export-Import Module,' or software code that exports data seamlessly from the first service to the second service. The requirements would apply globally, for any entity that sells to an E.U. resident.

Part II critiques the RDP in light of the teachings of E.U. competition and U.S. antitrust law. Competition law has long addressed the problems of lock-in and high switching costs that form a chief justification for the RDP. The RDP, however, applies to small enterprises, where there is essentially no risk of lock-in. In contrast to competition law, the RDP applies to all online services even where there is no market power and no barrier to entry. Article 18 more generally is in conflict with the rules in competition law about exclusionary conduct – it creates a per se prohibition where competition law would apply a rule of reason approach. Competition law would consider the many efficiencies that result from a service provider deciding which functions and formats to include in its products, which undergo rapid innovation.

Part III shows that Article 18 also suffers serious difficulties as a matter of privacy or data protection law. Proponents have claimed the RDP is a new fundamental human right, aiding the individual’s autonomy for online activities. No jurisdiction has experimented with anything resembling the proposed Article 18, however, casting serious doubt on its status as a new human right. Among other difficulties, Article 18 poses serious risks to a long-established E.U. fundamental right of data protection, the right to security of a person’s data. Previous access requests by individuals were limited in scope and format. By contrast, when an individual’s lifetime of data must be exported 'without hindrance,' then one moment of identity fraud can turn into a lifetime breach of personal data. Part IV shows that Article 18 goes far beyond previous legal rules that specifically address interoperability.

In conclusion, the novel RDP is justified by the supposed benefits to consumers. As drafted, however, the RDP likely reduces consumer welfare, as articulated after long experience in competition law. It also creates risks to privacy that are not addressed in the current text. The RDP deserves far more scrutiny before becoming a mandate that applies globally to software and online services.

Keywords: data portability, privacy, data protection, antitrust, software, intellectual property, interoperability, fundamental rights, human rights

Suggested Citation

Swire, Peter and Lagos, Yianni, Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique (May 31, 2013). 72 Maryland Law Review 335 (2013), Ohio State Public Law Working Paper 204, Available at SSRN: https://ssrn.com/abstract=2159157 or http://dx.doi.org/10.2139/ssrn.2159157

Peter Swire (Contact Author)

Georgia Institute of Technology - Scheller College of Business ( email )

800 West Peachtree St.
Atlanta, GA 30308
United States
(404) 894-2000 (Phone)

Georgia Tech School of Cybersecurity and Privacy ( email )

Atlanta, GA 30332
United States

Cross-Border Data Forum

Yianni Lagos

Ohio State University (OSU) - Michael E. Moritz College of Law

55 West 12th Avenue
Columbus, OH 43210
United States

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
2,499
Abstract Views
15,234
Rank
10,393
PlumX Metrics