Digital Markets Act — Effective data portability

The forth­co­ming Art. 6(9) DMA con­ta­ins rules with a refe­rence to data por­ta­bi­li­ty. Here is the full text of the pro­vi­si­on for bet­ter comprehension:

The gate­kee­per shall not rest­rict tech­ni­cal­ly or other­wi­se the abili­ty of end users to switch bet­ween, and sub­scri­be to, dif­fe­rent soft­ware appli­ca­ti­ons and ser­vices that are acces­sed using the core plat­form ser­vices of the gate­kee­per, inclu­ding as regards the choice of Inter­net access ser­vices for end users.

Art. 6 (9) DMA

Objective of the regulation

This pro­vi­si­on is inten­ded to sup­ple­ment the regu­la­ti­ons on data por­ta­bi­li­ty accor­ding to Art. 20 GDPR. The­re, it is mere­ly a data sub­ject right wit­hout direct refe­rence to com­pe­ti­ti­on. The effects on the mar­ket posi­ti­on of a plat­form or even its con­te­st­a­bi­li­ty are at best side effects the­re. Simi­lar­ly, indi­vi­du­al aspects regar­ding the cir­cum­s­tances of data por­ta­bi­li­ty were still open.

This is now to be com­pen­sa­ted for by Art. 6 para. 9 DMA, which aims more at the data advan­ta­ge. Easier and more effec­ti­ve access is also inten­ded to impro­ve the con­te­st­a­bi­li­ty of the gate­kee­per and the inno­va­ti­on poten­ti­al of the digi­tal sec­tor. Accor­ding to reci­tal 59, real-time access by the end user is of par­ti­cu­lar importance.

Overview of the regulation

Art. 6 para. 9 DMA covers the end user’s own data access. Com­mer­cial users are not cover­ed. Their access to data is gover­ned by other pro­vi­si­ons of the DMA, in future by the Data Act as well as the gene­ral anti­trust pro­vi­si­ons and sup­ple­men­ta­ry sec­tor-spe­ci­fic bases for claims.

In con­trast to Art. 20 GDPR, the end users are not to recei­ve only the per­so­nal data con­cer­ning them. It includes all data pro­vi­ded by the end user or gene­ra­ted by his acti­vi­ty in con­nec­tion with the use of the rele­vant cen­tral plat­form ser­vice. This goes bey­ond per­so­nal data and may include, for exam­p­le, fac­tu­al data rela­ted to third par­ty uses (e.g. a con­nec­ted machi­ne) or usa­ge data of the plat­form itself.

Due to the cla­ri­fi­ca­ti­on at the end of the pro­vi­si­on, effec­ti­ve data por­ta­bi­li­ty also includes per­ma­nent real-time access of the end-user to the afo­re­men­tio­ned data. Artic­le 20 of the GDPR only sta­tes that the data sub­ject should “recei­ve” the data, which can also include the sen­ding of a file. Per­ma­nent real-time access includes imme­dia­te and direct access to the plat­form ser­vice. This is also clear from the third and fourth sen­ten­ces of reci­tal 59:

“Gate­kee­pers bene­fit from access to vast amounts of data that they coll­ect while pro­vi­ding the core plat­form ser­vices, as well as other digi­tal ser­vices. To ensu­re that gate­kee­pers do not under­mi­ne the con­te­st­a­bi­li­ty of core plat­form ser­vices, or the inno­va­ti­on poten­ti­al of the dyna­mic digi­tal sec­tor, by rest­ric­ting swit­ching or mul­ti-homing, end users, as well as third par­ties aut­ho­ri­sed by an end user, should be gran­ted effec­ti­ve and imme­dia­te access to the data they pro­vi­ded or that was gene­ra­ted through their acti­vi­ty on the rele­vant core plat­form ser­vices of the gate­kee­per. The data should be recei­ved in a for­mat that can be imme­dia­te­ly and effec­tively acces­sed and used by the end user or the rele­vant third par­ty aut­ho­ri­sed by the end user to which the data is por­ted. Gate­kee­pers should also ensu­re, by means of appro­pria­te and high qua­li­ty tech­ni­cal mea­su­res, such as appli­ca­ti­on pro­gramming inter­faces, that end users or third par­ties aut­ho­ri­sed by end users can free­ly port the data con­ti­nuous­ly and in real time. This should app­ly also to any other data at dif­fe­rent levels of aggre­ga­ti­on neces­sa­ry to effec­tively enable such por­ta­bi­li­ty. For the avo­id­ance of doubt, the obli­ga­ti­on on the gate­kee­per to ensu­re effec­ti­ve por­ta­bi­li­ty of data under this Regu­la­ti­on com­ple­ments the right to data por­ta­bi­li­ty under the Regu­la­ti­on (EU) 2016/679. Faci­li­ta­ting swit­ching or mul­ti-homing should lead, in turn, to an increased choice for end users and acts as an incen­ti­ve for gate­kee­pers and busi­ness users to innovate.”

Reci­tal 59 DMA

Access shall be free of char­ge for the end user. This wor­ding does not in prin­ci­ple pre­clude the plat­form from pur­suing fur­ther mone­ti­sa­ti­on stra­te­gies. After all, the pro­vi­si­on assu­mes that the end user could remain a cus­to­mer of the cen­tral plat­form ser­vice. Howe­ver, the prin­ci­ple of effec­ti­ve­ness must not be limi­t­ed in this respect.

The prin­ci­ple of effec­ti­ve­ness beco­mes par­ti­cu­lar­ly important in the details of data por­ta­bi­li­ty. This is becau­se the regu­la­ti­on does not spe­ci­fy a struc­tu­red, com­mon and machi­ne-rea­da­ble for­mat such as Art. 20 GDPR. This is based on a mar­ket stan­dard, which is not requi­red for Art. 6 (9) DMA. Rather, the gate­kee­per would have to enable every reques­ted data access within the frame­work of effec­ti­ve data por­ta­bi­li­ty and pro­vi­de the requi­red coope­ra­ti­on or pro­vi­si­ons free of char­ge. Effec­ti­ve­ness here depends on the — in each case con­cre­te-indi­vi­du­al — user per­spec­ti­ve. As soon as it is no lon­ger a mat­ter of data por­ta­bi­li­ty, the gate­kee­per may refu­se to cooperate.

Access must be gran­ted upon request. Con­ver­se­ly, this means that it is easier for the gate­kee­per not to always have to pro­vi­de access by default. Howe­ver, as soon as a request is recei­ved from a user or a third par­ty com­mis­sio­ned by the user, the gate­kee­per must pro­vi­de the full ran­ge of coope­ra­ti­on and pro­vi­si­ons requi­red for effec­ti­ve data portability.