Data portability rights are hot in EU legislation. Although these rights are doomed to create conflicts with copyright, neighbouring rights and the sui generis right in databases, their relation to IP has largely remained unaddressed for now. The recent signing of the Digital Markets Act and the ongoing negotiations on the proposal for a Data Act present excellent opportunities to expand on the novel phenomenon. What is portability in the first place, and what does it mean in European law? Second, what do portability rights mean for IP? Leaning on the findings from two freely available research articles on portability in recent consumer protection law and on the Data Act proposal, this two-post contribution offers an overview and some food for thought. In this first part, the technical and legal concepts of portability are outlined, and portability in consumer law is briefly assessed. In a follow-up post, the focus is on portability and forthcoming “data economy” law. In both parts, the impact on IP is highlighted.
Portability for Dummies (and Lawyers)
Portability is, first and foremost, a technical concept. Pursuant to the Institute of Electrical and Electronics Engineers (IEEE), the term indicates either the ease with which software, a system or a component can be transferred from one application platform or from one hardware or software environment to another, or the capability of being moved between differing environments without losing the ability to be applied or processed. Similarly, the International Organization for Standardization (ISO) defines portability as the capability of a program to be executed on various types of data processing systems without converting the program to a different language and with little or no modification.
Starting from those technical definitions, the notion of portability made its way into the 2016 General Data Protection Regulation (GDPR). At that point, the notion began its second life as a legal concept. Article 20(1) GDPR notably provides for a double portability right for natural persons, comprising an entitlement to receive personal data concerning them from a controller, as well as an entitlement to have those data transmitted to another controller without hindrance.
Generally speaking, it is understood that attributing portability rights has the potential of avoiding or diminishing situations of lock-in: instances where one has no choice but sticking to a certain service provider because switching to another provider would procure unreasonable inconveniences from a technical or economical perspective. To some extent, granting portability rights overcomes the general lack of entitlements to revindicate or “claim back” data that are felt to have a certain bond with an individual or entity. In relation to objects subject to ownership, like tangible items, such an entitlement to revindicate (rei vindicatio) is commonly guaranteed as one of the prerogatives of the owner. By contrast, digital data are, as such, not undisputedly considered to be subjectable to ownership rights. Insofar as data sets do not incorporate, say, an original work of authorship, a phonogram, a protectable database or the like, they will not be protected by IP rights or other exclusive (AKA “proprietary”) rights either. And rightfully so, according to the majority view, because recognizing exclusive entitlements would massively overcomplicate things without fulfilling any justifiable socio-economic need.
The GDPR portability right is conditional upon requirements that relate to the way in which the data-to-be-ported were collected and processed. They are also construed as a one-off right to export data, not with a view to guarantee continuous, real-time access. In combination with the legislative design and other uncertainties about its modalities of exercise, these characteristics have caused the GDPR portability to have limited success in practice. Interestingly enough, that did not deter the European legislature from having another shot, or rather: another salvo. For now and for the foreseeable future, the EU is and will stay unfamiliar with a general-scope portability right applicable to all sorts of data. However, we did recently see piecemeal portability rights with targeted scopes mushrooming in proposed and enacted legislative instruments: the Digital Content Directive, the Omnibus Directive (modifying the Consumer Rights Directive – CRD), the Digital Markets Act and the Proposal for a Data Act.
Careful readers as yourself will note that the 2017 Regulation on Cross-Border Portability of Online Content Services was omitted from the list above. Why is that? Because portability denotes a different concept in that regulation. Instead of a revindication-like entitlement meant to prevent lock-ins, the term there refers to the right for subscribers of lawfully provided online content services, like audio-visual streaming services, to maintain access to those services during their temporary presence in another EU member state. This instance of homonymous use of buzzwords by the lawmaker is regrettable, as ambiguities and confusion are immanent. This is illustrated by one of the provisions in the Data Act proposal, as explained in part 2 of this post.
Portability as a Consumer Contract Remedy
Although omitting any literal reference to portability, the 2019 Digital Content Directive (DCD) and Omnibus Directive grant natural persons acting for purposes outside their profession (consumers) a portability right, enforceable upon their professional co-contracting party (the trader), that relates to any content, other than personal data, provided or created by the consumer when using the digital content or service supplied by the trader. It is incumbent upon the trader to make that ‘content’ available at the consumer’s request, free of charge, without hindrance, within a reasonable time and in a commonly used and machine-readable format. Exceptions apply, for instance for content irreversibly aggregated with other data and for content without utility outside the trader’s context. Unlike the GDPR, the Directives do not provide for a right to have the content sent directly to a new co-contracting party of the consumer’s choice.
The scope of this right is significantly narrowed by the fact that consumers can only invoke it in three very specific constellations following the termination of the agreement: either when they terminate for a major lack of conformity that cannot, will not, or cannot reasonably be expected to be brought into conformity within a reasonable time, free of charge and without significant inconvenience (articles 14 and 16 DCD), when they terminate because unilaterally imposed modifications, other than modifications necessary to preserve conformity, resulted in a major negative impact on the consumer’s enjoyment of digital content or a digital service supplied over a continuous period of time (article 19(3) DCD), or in the exceptional scenario where a consumer is entitled to a 14-day withdrawal period for a distance contract for the supply of digital content or a digital service and effectively invokes their right to withdrawal (article 13(6) CRD).
In other scenarios, harmonized consumer law does not guarantee portability of the consumer’s uploaded or user-generated data. Unless national law provides otherwise, this means that consumers will, for instance, not have a right to retrieve all non-personal data uploaded to or generated upon a social media platform, when they freely decide to cease their subscription. Similarly, the limitation to non-personal data and its corresponding exclusion of personal data (a theoretical distinction claimed to be unworkable in practice) imply that consumers are not entitled to claim back content that feature other people’s personal data, like user-generated photos or videos depicting friends, whereas such content can be very valuable to the consumer. Furthermore, issues are expected as to what it means for data to be excluded due to being “without utility”. In sum, the effectiveness of the portability right as a consumer contract remedy is likely to be even more limited than that in the GDPR.
In the (admittingly rare) instances where consumers are entitled to invoke their portability rights as part of a contract-law remedy, there is a high risk of conflicts with copyright, neighbouring rights and rights in databases. Lots of digital services enable users to create or upload protected subject-matter, either alone or jointly with other users. Think of social media or cloud storage services that involve uploading and sharing original texts, images, music or audio-visual clips. The Directives do not explicitly address such conflicts beyond an ironically general statement that the Digital Content Directive is “without prejudice” to IP (article 3(9) and recital 36).
When consumers exercise their portability right on IP-protected subject-matter, technical copies inevitably need to be made by the trader and/or the consumer. Given the very technical interpretation granted to the reproduction right, this would amount to a copyright violation if done without the permission of each rightholder involved, unless exceptions apply.
Arguably, consumers will often be able to take recourse to national law implementing the exceptions for lawful temporary reproductions and/or private use (articles 5(1) and 5(2)(b) InfoSoc Directive). Similarly, traders will often also be able to invoke the exception for temporary copies and to shield off liability in accordance with the safe harbour rules for hosting services in the e-Commerce Directive or the forthcoming Digital Services Act. But often does not mean always! “Ported” content could include software or databases, subject to different exceptions. The consumer’s acts of reproduction could have purposes beyond strictly private use. Digital services might not always classify as hosting services. And most importantly, exceptions only apply if reproductions are made from “lawful copies” (CJEU in ACI Adam, Copydan, HP Belgium and VOB), meaning that there will always be an infringement when retrieving subject-matter obtained without consent. It follows that, in the end, assessing whether exercising the portability right amounts to an IP infringement will inevitably always require a case-by-case analysis. Given this lack of ex ante legal security, it remains to be seen how the consumer’s portability right will work in practice.
This Part 1 post on data portability and IP is based on an article entitled “Copyright Meets Consumer Data Portability Rights: Inevitable Friction between IP and the Remedies in the Digital Content Directive”,  GRUR International 495 (open access thanks to the generous support of the Max Planck Institute for Innovation & Competition).