Author: Annalisa Ricchiuti, LL.M in Intellectual Property and Competition Law-Munich Intellectual Property Law Center (MIPLC), 2020-2021, [email protected]
Editor: Bobbie Smith, MA Geography University of Aberdeen 2016-2020 / Graduate Diploma in Law University of Exeter 2020-2022, e-mail [email protected]
2022 has been a fundamental year for data protection law. Last July, the European Parliament approved the Commission’s proposal for the Digital Services Act package (the Digital Services Act and the Digital Markets Act)[1] to create a safer place for users and consumers while keeping gatekeepers and intermediaries accountable for the data shared on their platforms. On 1 November 2022, the European Commission announced that the DMA entered into force.
On the contrary, the Commission’s proposed Data Act[2], forecasted the likelihood of how data flows for non-personal data will occur. The final draft of the Act was published last February and applies to data holders that make data available to recipients in the Union, to recipients to whom data are made available, and to public sector bodies and Union institutions.
The Data Act refers to data generated by the use of a product or related service (predominately IoT- related Data). It is extensive in scope, and incentives the flow of non-personal data in B2B and B2G relationships, as well as aims to drive impact on the Database Directive and the related sui generis right[3] (art 35) in all the cases the database contains generated data.
In a nutshell:
- for B2G relationship – on request, a data holder who is not small or micro-enterprise will have to make data available to a public sector body or a Union institution, agency, or body demonstrating an exceptional need to use the data requested (the conditions are laid down in Article 15c and are very broad);
- for B2B relationships – on request by a user, the data holder shall make available the data generated by the use of a product or related service to a third party, without undue delay, free of charge to the user, of the same quality as it is available to the data holder and -where applicable- continuously and in real-time.
Where a data holder must make data available to a third-party data recipient under this Act, it must do so under FRAND terms and transparently (as per chapters III and IV of the Act).
The European legislator aims to ensure users an easy way to claim access to their Data and benefit from Data portability. It is still unclear how the Act will impact companies’ trade secrets and how FRAND terms will be defined by the Courts (which is already quite an uncertain parameter when applied in Standard Essential Patents cases).
Industry specialists have raised concerns about how the Database Directive and the sui generis right (the substantial investment of the stakeholders involved) will be impacted; to which extent market players will have to design new products to be compliant with the Data Act; how companies will be able to provide the data continuously and in real-time; and how the conditions for data transfer to third countries will be determined in all the cases of absence of an international agreement.
While the Data Act fosters revolution in the flow of non-personal data, the data subjects’ portability right for personal data -and personal data matters in general – will still be regulated under the GDPR[4]. In this regard, the issue of portability has reared its relevance in a case in Italy involving Google and the Italian Competition Agency (AGCM) which construed the portability right contained in art. 20 GDPR alongside art. 102 TFEU[5].
In July 2022, AGCM opened an investigation[6] against Google for abuse of its dominant position. The action was taken after Hoda – the company that offers the Weople platform- reported Google’s breach of art. 102 TFEU hinders the user’s portability right pursuant to art 20 GDPR. “Weople” is an app that functions like a digital data vault by porting data from other platforms simultaneously while users are able to control the data they want to store/share with third companies for marketing purposes and – at the same time – monetize the sharing. The takeout system – adopted by Google in 2019 – rendered the portability process more difficult and is allegedly not idoneous for the full interoperability of Google’s services and other platforms similar to Weaople. While the assessment regarding Google’s dominant position will likely be positive, it will be interesting to see how the two articles -art 102 TFEU and art. 20 GDPR- would work in synergy in situations where the complaining party invokes the right granted by art. 20 GDPR is trafficking users’ data (notably, in 2019 Hoda was subject to the Italian privacy Garante investigations for providing this service).
The plaintiff’s business model should not constitute an obstacle to the application of the article and the exercise of the right of the data subjects. Pursuant to art. 20 GDPR, the data subject has the right to transmit the data where the processing is based on consent or on a contract pursuant to art.6 (for the performance of a contract to which the data subject is a party). The data subject shall be entirely free to determine when the data should be transferred from one provider to another. Notwithstanding the underlying reasons for this transfer that it might be in order to use another service easily or to monetize the data – which wouldn’t be relevant to art. 20 GDPR. Furthermore, the law ensures that such right shall be easily exercised by the data subject.
While art. 102 TFEU defends competition per se from market players’ abusive behaviours which could distort it ( and -by reflex- defend consumers’ interest; it is not even necessary to prove consumers’ arm in order to ascertain abuse of dominant position, as long as a de facto distortion of competition and dominance position are proved), the purpose and rationale of GDPR is the protection of data subjects’ interests. If consent is at the foundation of the lawfulness of the processing, why should scrutiny of such interest be required to ascertain the lawfulness of invoking the portability right?
In turn, why should a breach of the GDPR (and behaviour that harms the data subjects’ rights) not be considered as constituting an abuse of the dominant market player as long as the behaviour is de facto hindering other players from entering or keeping being present in the relevant market?
The overall value of the data economy reached € 300 billion already in 2016 and it keeps rapidly growing every year[7]. It is undeniable that data have an incredible value for both the market players and the data subjects who are entitled to exercise the rights related to them.
It is my opinion that measures taken by the European institutions and national Authorities are in the right direction in defending the Data portability right for the users and rendering the (non-personal) data flow easier for the market players. Although, whether the industry will be vigilant of the new toolkit to foster innovation and grant fair competition is to be determined with time, and examples of good practice.
Footnotes
[1] European Commission (n.d.). The Digital Services Act package | Shaping Europe’s digital future. [online] digital-strategy.ec.europa.eu. Available at: https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package.
[2] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022PC0068
[3] Directive 96/9/EC of the European Parliament and of the Council on the legal protection of databases (1996), OJ L77/20
[4] Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L119/1
[5] Consolidated version of the Treaty on the Functioning of the European Union – PART THREE: UNION POLICIES AND INTERNAL ACTIONS – TITLE VII: COMMON RULES ON COMPETITION, TAXATION AND APPROXIMATION OF LAWS – Chapter 1: Rules on competition – Section 1: Rules applying to undertakings – Article 102 (ex Article 82 TEC), OJ 115, 09/05/2008 P. 0089 – 0089
[6] L’AUTORITÀ GARANTE DELLA CONCORRENZA E DEL MERCATO. (n.d.). [online] Available at: https://agcm.it/dotcmsdoc/allegati-news/A552%20avvio.pdf [Accessed 30 Nov. 2022].
[7] Final results of the European Data Market study measuring the size and trends of the EU data economy, 02 May 2017, available on digital-strategy.ec.europa.eu. (n.d.). Final results of the European Data Market study measuring the size and trends of the EU data economy | Shaping Europe’s digital future. [online] Available at: https://digital-strategy.ec.europa.eu/en/library/final-results-european-data-market-study-measuring-size-and-trends-eu-data-economy [Accessed 30 Nov. 2022].
This article is written within the Academic Essay Project (AEP) organised by LAWELS. AEP aims to increase the number of quality academic writings on legal topics, encourage young lawyers to participate in academic writing, and lay the foundation of an online database on legal science. The team of legal editors and legal writers share their knowledge through high-end essays that we are publishing on our website and social media accounts for the world to read and learn from.
The articles on the LAWELS platform are not, nor are they intended to be, legal advice. You should consult a lawyer for individual advice or assessment regarding your own situation. The article only reflects the views of the author.