A huge moment for online data empowerment, possibly
One short paragraph could be about to change the entire landscape and competitive dynamics for data in digital markets. In the EU at least.
The EU’s flagship Digital Markets Act (DMA) contains a rarely discussed provision for designated gatekeepers (aka big tech) to provide tools to facilitate effective data portability for their users (and for third parties authorised to operate on their behalf). The gatekeepers know who they are, and they have little more than six months to become compliant.
Whether or not we see a tidal wave of innovation emerging over the horizon from 6 March next year will depend on how big tech lawyers choose to interpret two key terms: ‘continuous’, and ‘real-time’.
This blog examines what compliance with those terms ought to mean, and sets out The Coalition for Online Data Empowerment’s (CODE’s) minimum expectations for ‘effective portability of data’ in this context.
Article 6(9) of the Digital Markets Act
The European Union is undoubtedly winning the global race to regulate big tech. By passing its landmark Digital Markets Act, the EU has become the first jurisdiction to impose rules on the largest digital platforms to protect competition in key online gateways such as app stores, marketplaces, web browsers and search.
We now know that the new rules introduced by the European Commission must be implemented by the designated gatekeeper companies by 6 March 2024, while similar interventions in the UK could still be at least a year away at that point. There are seven companies that will need to meet this deadline (see the ‘X’ below from European Commissioner Thierry Breton), with Booking expected to follow soon after.
One area where the EU appears to have stolen the biggest lead amongst global regulators is in relation to data portability. Through Article 6(9) of the DMA, EU citizens will be able to transfer data from core platform services operated by designated gatekeepers directly to third parties on a continuous and real-time basis:
‘The gatekeeper shall provide end users and third parties authorised by an end user, at their request and free of charge, with effective portability of data provided by the end user or generated through the activity of the end user in the context of the use of the relevant core platform service, including by providing, free of charge, tools to facilitate the effective exercise of such data portability, and including by the provision of continuous and real-time access to such data.’
The European Commission is taking a particularly hands-off approach to the DMA, placing full responsibility onto the gatekeepers to work out what compliance looks like. This approach has a range of advantages for the Commission, including the ability to legislate quickly, but it has the downside of increased likelihood of circumvention by the gatekeepers. Where there is some perceived degree of subjectivity involved, or there are different options available to them, the gatekeepers will naturally tend towards doing as little as possible to avoid enforcement and penalty.
When it comes to Article 6(9), we expect some interesting interpretations of ‘continuous’ and ‘real-time’ to emerge.
Why do ‘continuous’ and ‘real-time’ matter?
This part of the provision is absolutely critical to its meaning. In its absence, we could expect gatekeepers to build tools to support one-off transfers of user data from a gatekeeper platform to a third party. This would be similar to what is already possible for user-led data downloads through subject access requests. While this could potentially support additional switching between like-for-like platforms, the wider knock-on benefits for competition and innovation would round to zero.
Outside of platform switching, individuals’ behavioural data carries its greatest economic value where it is available as an unbroken time series, and while it is sufficiently recent that it is still relevant. The terms ‘continuous’ and ‘real-time’ are central to securing these characteristics, and doing so is essential to the long-term potential of the personal data economy, and for the future growth of CODE’s members.
So what does continuous mean?
According to various dictionaries, something is continuous if it is ongoing without interruption through space or time. In the context of the DMA and access to data, we can assume that time is the dimension being referred to.
Simple then? At the request of a user or a third party acting on their behalf, the gatekeeper will allow for an ongoing and uninterrupted flow of user data from their servers to the specified and authorised third party’s servers. This must surely have been what the authors of the Act intended, or otherwise why would they have used those words?
But can we be confident this is the interpretation that each of the gatekeepers will adopt? Not likely.
At the less optimistic end of the spectrum, some gatekeepers might look to stretch the meaning of the word continuous, or even apply it to a different process or concept altogether, for example by providing users and authorised third parties with continuous access to the tools, rather than the data itself. This would be a stretch of the English language, but most importantly it would entirely undermine the intended effects of the provision, as users would be put off by needless friction and hassle. This outcome would be unacceptable for CODE and our members, and surely also for the Commission.
There is perhaps a middle ground that might be more palatable for all parties involved, at least as a first solution. In the absence of a continuous flow of data, ‘effective portability of data’ can only be achieved if users can authorise third parties to access their data for an ongoing period of time, so that the third parties can then access the tool on a continuous basis without the need to keep seeking repeated consent and permissions from the user or platform.
This would not be the optimal solution, but it would be a significant improvement on the status quo. In determining how to respond to such an approach, CODE would need to assess two other factors.
The first would be how long the authorisation could be provided for. Anything less than 90 days (the current period for open banking in the UK) would not be sufficiently different from the status quo to drive positive change. CODE believes that users should be in charge of setting the time period manually, up to a period of 12 months.
The second is what is meant by ‘real-time’, which is discussed below.
What counts as ‘real-time’?
Even if continuous were to be implemented as per its literal definition, which is technically feasible and, we expect, what lawmakers intended, the same cannot really be said for ‘real-time’.
Real-time is used in many contexts but rarely ever actually means precisely what is said. In computing, there is always some sort of time lag between actions and flows of information. These will typically be in the orders of milliseconds, and identifiable only by computers, but lags exist that are deemed acceptable.
So the question for this provision of the DMA is what sort of time lag can be considered acceptable from a compliance perspective, in order for the transfer of the information to feel sufficiently immediate for the user and relevant for its onward use cases.
As noted above, there is a strong interdependence between the interpretations of ‘real-time’ and ‘continuous’.
If the gatekeepers are making available a constant ongoing flow of data to third parties, then the lag would also presumably be constant, and the delays would be largely driven by the amount of time it takes for different systems and computers to speak to each other, so possibly a matter of seconds or milliseconds.
But if gatekeepers are implementing tools that require repeated downloads (rather than an ongoing flow) then the time lag will be driven predominantly by the maximum cadence at which the downloads can be made. If they can only be made once per week, for example, then some of the data being accessed will be a week old. This would be too much of a stretch for the interpretation of real-time, both from the perspectives of the user and the third party.
Alternatively, if the maximum cadence was three downloads per day, then the lag would be around 8 hours. One could see gatekeepers arguing with a straight face that such data transfers were at least ‘near real-time’ in this context.
So where does that leave us?
There appear to be three distinct strategies that gatekeepers could adopt as they determine their implementation strategy:
A) Continuous and real-time data access (full compliance): tools that enable constant flows of data from the gatekeeper to a third party, with a small lag of somewhere between milliseconds and a few minutes, depending on technological constraints. It is likely the authorisation could be provided for a specified maximum period of time (e.g. multiples of months), in order to protect the user from bad actors. This option is objectively the most accurate interpretation of the provision, both in terms of the legal wording and its intended effects.
B) Continuous authorisation for third-party data access (partial compliance): tools that enable users to give authorisation for a third party to access their data on a continuous basis, meaning that the user does not have to keep repeatedly giving their consent for the third party to download their data. The effectiveness of this solution would be heavily dependent on the maximum time period the authorisation could be provided for, and the cadence the third party could make downloads at during this window. With authorisation for 180 days and downloads permitted on a daily basis, for example, we could expect to see genuine benefits for users and for onward use cases in the personal data economy. Would this strictly be continuous or real-time? No, but it would represent very meaningful progress.
C) Continuous user access to data portability tools (non-compliant): much like with subject access requests today, users could be provided with access to the new data portability tools on a continuous basis, with the ability to make repeated requests for data transfers, though presumably with some limitations on cadence of such requests. Any variation of this option, whereby the user has to take repeated actions to obtain or transfer a continuous time series of their data, will fail to deliver any meaningful benefit beyond the status quo.
The legal meaning and intent of Article 6(9) of the DMA is clear, and only a constant flow of data with a lag of up to a few seconds could represent full compliance with the provision. However, CODE is ready to take a pragmatic approach, and we will engage constructively with all gatekeepers that are bringing meaningful progress with, at the very least, continuous authorisation.
What about outside the EU?
While we wait to see how the gatekeepers will implement this requirement, we also wait to see where they will make the new tools available. Will they open it up solely to EU users, or also extend to other jurisdictions?
There will be a few factors taken into consideration for this decision, such as:
To what extent do they perceive data portability as a risk to their business?
Are similar requirements in other jurisdictions inevitable?
Can they head off or influence interventions in other jurisdictions by extending these tools voluntarily?
How are their systems set up, and will it be technically easier and cheaper to limit to the EU, or to extend it to other jurisdictions?
We expect the gatekeepers will have different perspectives on these issues, and as a result some may implement globally, while others will limit to the EU only. All that we can do in the meantime is push for ambitious and decisive action elsewhere in the world, to make a global solution more likely.
As a newly appointed member of the UK’s Smart Data Council, CODE is doing just that.
Now it's a waiting game
The gatekeepers’ lawyers will have given their advice, and teams have presumably been tasked with building the technical solutions and designing the user interfaces. For now, we wait.
Even without any direction from the European Commission, it is fairly clear to objective observers what outcomes the provision is intended to deliver. But interpretation is being left to the gatekeepers, so we can assume that alternative interpretations might be tested.
While we will of course continue to push for full compliance with this provision for as long as it takes, CODE is willing to engage constructively with any platform that is developing tools that will make a genuine positive impact on data portability. As a minimum that must mean third parties being authorised by users to make repeated downloads for an extended period of time, which would not be continuous or real time access, but it would be a damn good start.
CODE will ensure that anything less than this catches the attention of the Commission’s enforcers, quite possibly on a continuous and (near) real-time basis.