To reduce situations of economic lock-in, EU law increasingly grants portability rights: entitlements for beneficiaries to “claim back” certain data that they provided or created, and/or to have those data transferred directly from one party to another party of the beneficiary’s choice. As a follow-up to a previous post about the concept of portability and its emergence in personal data protection and consumer law, this second part focusses on portability rights and IP in two forthcoming instruments of “data economy law”: the Digital Markets Act and the proposal for a Data Act.
Portability & the Digital Markets Act
In an unprecedented attempt to slay the big tech giants, formerly known as GAFAM, beyond the cumbersome means provided by competition law, the European legislature has recently signed the yet-to-be-officially-published Digital Markets “Act” – DMA. (In fact, it is a Regulation, as “acts” are not included in the exhaustive list of types of legislative instruments that the EU legislature can enact pursuant to Treaty Law – quibblers gotta quibble.) Pursuant to the DMA, the European Commission will be empowered to designate undertakings as “gatekeepers” if they have significant impact on the internal market, provide “core platform services” that are an important gateway for users, and enjoy or are likely to enjoy an entrenched and durable position. These criteria will be presumed to be fulfilled when certain quantitative thresholds are met, calculated on the basis of annual turnover and the like. Once designated, gatekeepers must refrain from listed practices that are considered unfair and that the Commission may further specify, on penalty of monster fines.
Pursuant to the DMA, gatekeepers can be subjected to a duty to enhance the ability of end users to switch to another provider, as well as their ability to effectively port their data to that provider. Targeted gatekeepers would also have to offer free tools to provide access to that data (articles 6(6) and 6(9)). At first sight, the wording of the Regulation might suggest that it merely requires gatekeepers to ensure the effectiveness of existing portability rights. Its objectives go further, though. Indeed, the DMA installs (or rather, entitles the Commission to install) completely new portability rights to the benefit of users of the platform services of designated gatekeepers.
DMA-based novel portability rights could go well beyond the GDPR and consumer protection portability rights outlined in the previous post: they would apply to all user-generated and user-uploaded data alike, whether personal or non-personal, and include a right to continuous and real-time access. Nonetheless, the DMA cannot escape criticism. Users of big tech platforms, like Facebook, Google, Amazon, presumably, will soon be rightfully entitled to expect portability of their data. But what about users of minor platforms? Is it justified that there will be a differential treatment between providers of similar service providers and, equally important, between users of similar services? Alternatively, one could argue that the DMA indirectly lays down the minimum of what users can reasonably expect from similar platform services. And where article 8(1)(b) Digital Content Directive lays down that traders must provide consumers with digital services that possess the qualities and performance features that are “normal” for services of the same type and which the consumer can “reasonably expect”, there might even be some leeway for arguing that a lack of portability could induce liability, save in case of an express and separately accepted deviation pursuant to article 8(5)…
Exercising DMA portability rights could result in IP infringements in the same way as under the consumer directives discussed in the first part of this post. In addition, further conflicts with copyright, neighbouring rights and the sui generis right could arise. First, direct transfers of consumer data from one platform to another will entail acts of reproduction and ofttimes also acts of communication to the public. Who should these operations be imputed to, to what extent are these acts exempted from rightholders’ consent pursuant to harmonized exceptions, and are the safe harbour rules for hosting services applicable here?
Second, data eligible for portability could incorporate IP-protected matter held by the platform provider itself, like software, works of authorship, or databases that are original or result from substantial investments. Similar as what has been argued about the GDPR in this respect, the DMA should probably be interpreted in such way that gatekeepers cannot invoke their own IP rights to deny portability requests because that would risk eroding their right. However, it would arguably be a bridge too far to subsequently allow competing platform providers to make use of that subject-matter. Given the lack of a legal basis for compulsory licence schemes for these situations, the equilibrium between portability and IP is yet to be determined.
Portability & the Data Act
Finally, the European Commission’s last digital-economy-related exploit is the launching of a proposal for a regulation that will go by the name of the Data Act. Meant to tear down barriers that prevent optimal sharing and allocation of data in the internal market, as well as to enhance “user empowerment”, the “Act” will heavily impact the ever-growing economy in data transactions, if enacted as proposed. Importantly, the DA Proposal marks the (provisional) end of the debate around the potential creation of ownership in data, or a new IP right for “data producers”. In line with the majority in doctrine, recital 5 of the Proposal confirms that the EU legislature is indeed moving away from the slumbering idea of introducing new exclusive rights of that kind.
Among the seven loosely interconnected topics in the Proposal, two chapters are expected to establish new entitlements that bear traits of data portability rights. Chapter II would grant private and business users of IoT products, like smart kitchen devices, smart TVs, smartwatches, drones, cars… a licensable right vis-à-vis “data holders” to access and use all use-generated data. This proposed right is the subject of extensive debate. And rightfully so, because its scope of application was construed very broadly, its private enforceability was left unaddressed and various provisions are open for very diverging interpretations.
Exercising the IoT data access right will sometimes involve subject-matter covered by IP rights, either held by the data holder or a third party. The DA Proposal itself only regulates clashes with the sui generis right in databases. Although framed as a “clarification”, article 35 essentially provides for a carve-out of that right for all databases “containing data obtained from or generated by the use of an IoT product or related service”. Here, one may wonder whether it would not be sufficient to just provide that database producers are not entitled to enforce their right in a manner that undermines the effectiveness of the portability right.
Although the sui generis right is the most likely candidate for conflicts, portability of IoT data could clash with other IP rights, too. A data set or individual elements could be protected by copyright, for instance, or contain fixations of sounds or audio-visual matter protected by producers’ rights. In relation to these instances, the DA Proposal leaves us with the laconic statement that “intellectual property rights should be respected” in handling IoT data (recital 28). Here again, it seems fair to conclude that a balancing exercise will be due when data holders refuse to make IoT data available by reference to their own IP rights. In light of IoT portability as a means to enhance competition, the Max Planck Institute for Innovation and Competition offers an interesting start for a balanced solution in its position paper (reported here): data holders would only be entitled to deny portability requests to protect IP that stimulate creativity, like copyright, but not to protect IP rights that are purely investment-focussed.
Besides IoT data, cloud data would also become portable under the DA. Indeed, proposed chapter VI would install duties upon “providers of data processing services” to facilitate their costumers’ switching to competing providers, by removing “commercial, technical, contractual and organisational obstacles”. This duty fell prey to particularly peculiar legislative design choices, hazy terminology and a lack of guidance on its operationalization. Nonetheless, it is understood that private and business costumers would have a one-off right to demand either the transfer of all data imported or generated by them and all applications and “digital assets” to which they had access to, in or via the service, to another provider, or to receive all this on a device of their choice.
Other limitations aside, this novel right would only apply to services that enable “on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources” (cloud services), so that many social media platforms are excluded from its scope. Besides, they would need to be granted by virtue of a contractual agreement that exhaustively lists all portable data, and there is an exclusion for online content services comprising either an audio-visual media service or the provision of access to, and use of, works and other IP-protected matter. This exclusion probably results from the erroneous assumption that the Cross-Border Portability Regulation already guarantees a similar portability right for those services, as commented in part 1 of this contribution. Last, the relationship between cloud portability and IP rights was left ignored in the Proposal, as well as in a substantial part of legal doctrine. Nonetheless, the proposed cloud portability right risks conflicting with copyright, neighbouring rights and rights in databases in similar fashions as those in the consumer contract directives or the DMA.
At a webinar immediately after the publication of the DA Proposal, an eminent German professor was reported to have shouted in despair: “But these new rights, what are they!?” And that is an excellent but vexed question, indeed. Do they vest ownership rights, properly speaking? Or do they perhaps constitute novel IP rights in data? Although article 4(6) of the Proposal hints towards an exclusive ability for users to dictate how data holders are or are not entitled to make further use of their IoT data, the aims of the Proposal clearly invite those questions to be answered in the negative for both portability rights. Then should we consider them as contract-based rights? By requiring cloud providers to insert portability into their agreements with costumers (article 23(1)) instead of granting costumers a right to portability straight-away, the cloud portability right indeed seems to have been construed in that fashion, at first sight. However, this would mean that costumers would not be entitled to portability if their agreement does not contain all of the prescribed information, unless if they can get a court order ex post compelling providers to facilitate portability anyway, due to infringement of the DA. That detour goes against the legislature’s objective of facilitating switching by empowering costumers (recital 72). In a teleological interpretation, the cloud portability right should therefore be considered a statute-based right, just like the IoT access right.
What all this teaches us, is that the DA is expected to introduce new portability rights, but that the provisions on these rights are still open for much improvement. Despite the Proposal’s silence on private enforcement, it can be argued that it would bestow individuals and businesses with statute-based rights, enforceable upon specific economic actors through private courts when necessary. Although this is not data ownership, this could mean one step towards a similar outcome. Once it is accepted that certain data is subject to a subjective right, indeed, it is only a short step towards accepting that such a right constitutes an asset in its rightholder’s estate and that it might, for instance, be inherited, auctioned by court order upon bankruptcy, given as security, subjected to limited property rights, or otherwise monetized…
This Part 2 post on data portability and IP is based on a working paper entitled “The Data Act: Start of a New Era for Data Ownership” (8 September 2022) available via SSRN.