The big tech platforms designated as ‘gatekeepers’ by the European Commission are building data portability tools in the EU in response to the Digital Markets Act (DMA), with a compliance deadline looming on 7 March. This blog sets out my plans to get all those tools into the hands of UK consumers by the end of this year, and ideally with global application.
But first, a bit of praise for Google…
Google quietly brings data portability to the UK
Google has released its new data portability API into a public beta testing phase for developers. In parallel, it has published details on its user-facing support site of the associated new feature that will allow users to transfer a copy of their data to a third party.
Just as CODE has been campaigning for, Google has revealed that it will make this new feature available for users in the United Kingdom and all members of the European Economic Area (EEA). Despite the lack of fanfare, this is a huge development for competition and innovation the UK digital economy.
While some have been preparing their solutions secretively behind closed doors, or ranting about how competition is actually bad for consumers, Google has been speaking to us openly and constructively about its plans, and seemingly listening to our feedback.
We still have significant concerns about the way that all the gatekeepers (including Google) are implementing the data portability requirement of the DMA, in particular in relation to the lack of ‘continuous and real-time access’, but that’s now a conversation we are having with the European Commission.
This blog is all about geography. On this subject Google has passed with merit. It has chosen to go beyond the bare minimum, and it deserves some credit for making this positive move. Google clearly recognises the value to its users and to its ecosystem of data transfers, and I would therefore expect they will have plans in place to make the tool globally available once it has bedded in and is realistically the final product.
We look forward to continuing the positive engagement we have had with Google on this issue as our members test and provide detailed feedback on the design of the API.
Now back to complaining
Perhaps all the designated ‘gatekeepers’ will choose to follow Google’s positive example by making the tools available outside the EU. There is certainly some cause for optimism with Meta, which has also adopted a constructive approach with us. Meta already has an existing feature for transferring photos and videos to other services which is available globally. It would seem natural that any extension to the scope and capability of that tool would also have global application.
But in case some of them cynically choose to isolate their tools for EU users only, I have a plan to force the UK into the mix. The laws to support this outcome are already in place, but they have been lying dormant until other stars aligned:
The General Data Protection Regulation (GDPR), which gives UK data subjects the legal right to data portability through direct transfers of data from one controller to another.
Competition law, which prohibits abusive conduct by dominant businesses that serves to restrict competition that they face.
Enforcement of data portability has fallen into regulatory no man’s land between these laws for years now, with neither the UK’s data protection authority (the ICO) nor its competition regulator (the CMA) feeling sufficiently empowered to act within their existing legal frameworks. But from 7 March, as the big tech gatekeepers attempt to comply in some form with the Digital Markets Act, they will also unwittingly give the ICO and CMA the green light they have needed.
First though, they would need to receive a complaint. I’ve got that one covered.
GDPR and the right to data portability
The GDPR granted data subjects (or ‘people’ as I like to call them) eight rights in law. One of these, which most people are totally unaware of, is the ‘right to data portability’. This important right is enshrined in Article 20 of the GDPR which states ‘In exercising his or her right to data portability … the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.’
The supporting information in Recital 68 para 10 also confirms that ‘Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.’
Although there have been a few well-meaning initiatives over the years (by the government and some not-for-profits) to put this legal right into practice, there are very few circumstances where direct transfers of personal data from one data controller to another are supported. It is noteworthy that Open Banking, the one strong example of data portability in operation, was initially instigated by the CMA in the UK. It is rightly proud of that world-leading intervention and the global impact it is now having.
Most data controllers seem to think that providing the ability to download a copy of personal data is sufficient. At best, some companies make a brief reference to the right to data portability in a privacy policy, but with no specific explanation or tool provided to act on it. If you do make a request, you are likely to get one of the following outcomes:
a) Response to say something to the effect of “You are able to download a copy of your data. You can then send your data to another service provider of your choosing.”
b) No response.
While these outcomes are equally frustrating, controllers might be able to mount a credible defence for approach a) if taken to court. This hypothetical defence is buried in Recital 68 of the GDPR, which states: ‘The data subject’s right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.’
Now, this is almost certainly not a complete get out clause, as of course the data could be sent directly to another data controller through various existing channels including email, or some arrangement involving buckets and clouds. But it could arguably be used to push back against the development of purpose-built data transfer APIs, maintained by the primary data controller with processes in place for enabling trusted data recipients to connect to it. That’s unfortunate, as that is of course exactly what is needed to make data portability a useful activity.
So here is the good bit. As of 7 March, that pesky Recital 68 in the GDPR will totally evaporate for Amazon, Apple, ByteDance (TikTok), Google, Meta, and Microsoft. As they launch their tools to comply with Article 6(9) of the DMA, they will as a matter of fact be maintaining processing systems which are technically compatible with recipient data controllers in the EU. No additional systems or technology would need to be built to make those tools available in the UK.
By not allowing UK users to access their new data portability tools, the gatekeepers would be clearly and immediately in breach of their existing data protection obligations in the UK. Bang to rights.
The UK may have left the European Union, but I argue that the gatekeepers will need to implement Article 6(9) of the DMA in the UK or risk the wrath of the increasingly active ICO.
On 7 March, I will attempt to transfer the data held on me (a UK data subject) by all of the designated gatekeepers, to a third-party service of my choosing. For each one that rejects or ignores me, I’ll be making a separate complaint to the ICO and requesting that it takes robust action to enforce my rights.
Competition law and an abuse of dominance
In addition to directly contravening data protection law, denying individuals their right to data portability would also have the effect of restricting the degree of competition that the big tech gatekeepers face.
Perhaps with the exception of ByteDance, there can be little debate that the gatekeeper companies hold a position of dominance in at least one market in the UK. In each case, a deliberate refusal to make their data portability tools available to UK consumers would look very much like an abuse of dominance under Chapter II of the Competition Act 1998.
The potential abuse would have clear anticompetitive effects that would harm competition and consumers in the UK:
By denying users their legal right to transfer their data directly to another service, the gatekeepers would be deliberately erecting barriers to switching or multihoming with a rival provider.
By denying users their legal right to transfer their data directly to another service, the gatekeepers would be protecting their positions in various digital advertising markets. Competition in digital advertising markets is heavily dependent on targeting, measurement, and attribution; all of which relies on access to high volumes of user data. By restricting the consented release of that data to third parties, the gatekeeper firms would be limiting competition on the merits, and preventing consumers from participating in the trade of their own data for the purpose of digital advertising.
By denying users their legal right to transfer their data directly to another service, the gatekeepers would be holding back potentially disruptive forms of innovation that could challenge the status quo. If consumers can transfer their data from various services to one place to create a single source of truth, they could unlock and create brand new innovative products that previously were not possible, or could only feasibly be created by those same gatekeeper companies.
On this basis, there is already a strong case to answer with respect to competition law. The more relevant question is whether it is the type of case that the CMA would find attractive at this moment in time. With new powers coming on the horizon, and plenty of work to be done in the meantime, the CMA will understandably not wish to open cases that risk dragging on endlessly.
But implementation of the DMA could change that calculation substantially. If the CMA launched antitrust enforcement against the gatekeepers in relation to data portability after 7 March, it would surely receive swift offers of commitments from the companies to deliver equivalence in the UK in return for closing the cases. It might not even need to formally open the cases if it sends enough of a signal that it is considering doing so.
If there were any doubts that this might be a fruitful avenue, we can look to the helpful precedent set by the Italian competition authority the AGCM. In 2022, the AGCM opened an abuse of dominance antitrust case against Google on exactly this issue, raising concerns that Google had abused a dominant position by hindering data portability rights as enshrined by the GDPR. In 2023, the AGCM accepted commitments from Google to improve its existing data access tool, while also signalling that it intended to introduce a new API to meet the DMA obligations. This case set an important precedent, showing that a breach of data protection law can also be enforced by an enthusiastic competition regulator. A point presumably not lost on Google.
Competition and data protection law in harmony
Through two published joint statements, close ongoing collaboration on Google’s Privacy Sandbox, and establishment of the Digital Regulation Cooperation Forum (DRCF), the CMA and the ICO have demonstrated a strong desire to work together in harmony on issues where their regimes overlap.
Data portability is unquestionably one of those issues, and it is a unique opportunity where there are truly no conflicts between their potential perspectives. Enabling people to move their data around between services is obviously a strong positive outcome for competition in digital markets, and it also just so happens to be a requirement in data protection law. A perfect marriage.
Helpfully, with the Data Protection and Digital Information Bill likely to gain Royal Assent in the next couple of months, the ICO will soon gain a set of secondary duties that must guide its enforcement of data protection law. This will include duties to have regard to the desirability of promoting innovation and competition. In other words, when assessing the pros and cons of enforcing the right to data portability, it will now be both allowed and expected to factor in the potential competition benefits from doing so. And those benefits are substantial.
If the ICO did take the lead, it could bring the CMA along as a supporting partner, mirroring the positive arrangement the two bodies have in place for Google’s Privacy Sandbox. One would expect the CMA would be extremely grateful if the ICO could take these interventions off its enormous to do list once the Digital Markets Regime gets up and running.
There is value in not waiting to be pushed
By making its data portability tool available in the UK, Google is removing the risk of getting into hot water with UK regulators, but it is also fundamentally doing the right thing by tens of millions of additional users.
There is still an opportunity for the other gatekeepers to do the same, and on their own terms. It is inevitable that they will all eventually be forced to enable data portability in the UK at some point in the next year or two. Doing so voluntarily, as Google is doing, would have a number of benefits:
The gatekeepers generally recognise that data portability is a positive thing and that their users will derive value from it as a feature. Deliberately holding back such a tool from their users without any justification could backfire.
The CMA has some strong powers incoming this year, and an impressive track record when it comes to data portability schemes. Hold back DMA implementation from UK users, and the CMA might implement something more onerous or costly.
Equally, the UK government is taking forward ambitious plans to launch Smart Data Schemes like Open Banking into other sectors. The gatekeepers could discourage such schemes capturing their markets if they already enabled data portability of some form.
Finally, by preventing non-EU users from accessing their new tools, the gatekeepers could needlessly undermine the growing credibility of the Data Transfer Initiative (DTI) as an authoritative voice in this space. Some might question the role of the DTI if any of its main backers and board members were deliberately acting contrary to its core objectives.
Let’s hope it doesn’t need to come to any of that.