Intermediaries do matter: voluntary standards and the Right to Data Portability

Matteo Nebbiai, Scuola Superiore Sant’Anna, Pisa, Italy

PUBLISHED ON: 12 Apr 2022 DOI: 10.14763/2022.2.1639

Abstract

This paper enlightens an understudied aspect of the application of the General Data Protection Regulation (GDPR) Right to Data Portability (RtDP), introducing a framework to analyse empirically the voluntary data portability standards adopted by various data controllers. The first section explains how the RtDP wording creates some “grey areas” that allow data controllers a broad interpretation of the right. Secondly, the paper shows why the regulatory initiatives affecting the interpretation of these “grey areas” can be framed as “regulatory standard-setting (RSS) schemes”, which are voluntary standards of behaviour settled either by private, public, or non-governmental actors. The empirical section reveals that in the EU, between 2000 and 2020, the number of such schemes increased every year and most of them were governed by private actors. Finally, the historical analysis highlights that the RtDP was introduced when many private-run RSS schemes were already operating, and no evidence suggests that the GDPR impacted significantly on their spread.
Citation & publishing information
Received: April 25, 2021 Reviewed: June 25, 2021 Published: April 12, 2022
Licence: Creative Commons Attribution 3.0 Germany
Competing interests: The author has declared that no competing interests exist that have influenced the text.
Keywords: GDPR, Data governance, Big data, EU Data Protection Regulation
Citation: Nebbiai, M. (2022). Intermediaries do matter: voluntary standards and the Right to Data Portability. Internet Policy Review, 11(2). https://doi.org/10.14763/2022.2.1639

Introduction

In the last decades, the computing advancements of information and communication technologies heavily impacted the economic system through the expansion of states and firms’ capacity to gather, store and transfer digitised data (Shapiro and Varian, 1998; Mayer-Schönberger and Cukier, 2013; European Commission, 2020d). Concurrently, cyberspace emerged as a new domain where traditional state sovereignty can be challenged (Lessig, 2007; Johnson and Post, 1995; Leiser et al., 2016). The creation, manipulation and circulation of personal data are crucial drivers of the expansion of the digital economy (Srnicek, 2017; Posner and Weyl, 2018; Zuboff, 2019; Cohen, 2019). However, the data economy regulatory arena still consists of a complex and dispersed network of public and private initiatives such as data marketplaces (Carnelley et al., 2013; Koutroumpis et al., 2017), data pools (Mattioli, 2017, pp. 147–148), standard certifications (Lachaud, 2018), Personal information management systems (EDPS, 2016) and data collaboratives (Verhulst and Sangokoya 2015).

In the European Union, the urgency to regulate the circulation of personal data beyond data protection is increasingly visible from a series of initiatives from EU bodies. The European Commission (2020a, pp. 16-18) Data Strategy aims to create a framework for “EU-wide common, interoperable data spaces in strategic sectors”, while the Business-to-government Data Sharing report by the European Commission (2020b, p. 42) calls for the establishment of “common standards aimed at ensuring interoperability across borders and sectors”. Concurrently, the Data Governance Act proposal (European Commission, 2020c) stresses the need for people, businesses, and the public sector to have control over personal data and introduces a regulatory framework for data intermediation services. Nevertheless, despite the various announcements, the regulation concerning data ownership and access is still a work in progress in the EU, presenting an inconsistent and not fully operable framework (Duch-Brown, 2017; Drexl, 2018; Martens, 2020).

At the moment, one of the most relevant pieces of EU legislation regulating personal data access and circulation is the Right to Data Portability (hereafter RtDP), which was introduced by Article 20 of the General Data Protection Regulation (hereafter GDPR) (European Union, 2016). “Data portability” is the ability granted to an individual to port his or her personal data from a certain digital service to another (Article 29 Working Party, 2017, p. 63). As explained by Engels (2016, p. 4), “platforms have an incentive to collect, possess, process and utilise user data in an exclusive manner, since data is a significant asset in platform markets”. Depending on how it is applied, Article 20 could limit the exploitation of this type of competitive advantage (Lehtiniemi, 2017).

The research aims to describe the understudied variety of voluntary regulatory schemes that set data portability standards, whose provisions are additional and complementary to the ones of the GDPR. Significantly, these regulatory schemes are voluntarily joined by data controllers1 and thus affect their compliance with the RtDP. In particular, the research proposes a theoretical framework to study these schemes and investigates their presence in the EU. These goals are addressed as follows.

The first section presents a review of the GDPR Article 20, explaining why its formulation creates some “grey areas” that leave data controllers, data protection authorities and courts many choices concerning the application of the RtDP. It is shown that, instead of creating internal procedures, some data controllers decide to delegate such choices to voluntary regulatory schemes.

The second section proposes a theoretical framework to describe such schemes, framing them as regulatory standard-setting (RSS) schemes that are settled by actors with the role of regulatory intermediaries. Firstly, Abbott and Snidal (2009b, 2010) define the “regulatory standard-setting” (RSS) schemes as voluntary standards of behaviour settled either by private, public, or non-governmental actors. Secondly, according to the RIT (regulator-intermediary-target) model developed by Abbott, Levi-Faur and Snidal (2017, p. 26), the actors that possess the “authority to make, interpret, and adapt rules” emanated by another regulator can be defined as “regulatory intermediaries”.

The third section analyses the regulatory standard-setting schemes operating in the EU that act as intermediaries in the data controllers’ application of the RtDP. Firstly, the study surveys the RSS schemes implementing data portability that operated in the EU territory between 2000 and 2020. Secondly, the study employs the Abbott and Snidal (2009a) Governance Triangle to highlight if such RSS schemes are governed by private, public or non-governmental actors. Finally, the conclusions propose further areas of research arising from the empirical findings.

This work contributes to the law and political science literature by examining the impact of non-state regulation forms on the application of the EU data protection framework. In other words, this paper assesses whether data portability policies are affected by the dynamics described by the literature on “private regulation” (Graz, 2012; Kobrin, 2002; Cafaggi and Renda, 2012), “decentred regulation” (Black, 2001), “Transnational Private Regulation” (Bartley, 2007; Cafaggi, 2011), “Global Private Regulation” (Büthe, 2010; Büthe and Mattli, 2013), “non-state market-driven governance systems” (Cashore et al., 2004), “Transnational New Governance" (Abbott and Snidal, 2009a, 2009b), etc. Finally, this research relies upon the premise that the analysis of the legal texts is not sufficient to understand how the RtDP is applied. With the words of Raab and De Hert (2008, p. 264), it is necessary to bring “policy actors and their relationships into play... [m]ost ‘tools’ approaches leave these issues out of account, thus losing sight of regulation as a social and political process and not just as a question of what tools do what jobs”.

1. The “grey areas” of the Right to Data Portability

Moving from a summary of the rationale and main characteristics of the Right to Data Portability (RtDP), this section shows how the formulation of Article 20 of the GDPR creates many “grey areas” whose interpretation can significantly impact its practical application.

Generally, data portability is conceived as “the ability of an individual to port his or her personal data from service A to service B” (Crémer et al., 2019, p. 83). The rationales behind the promotion of data portability practices include the enhancement of data protection and economic efficiency. Particularly, data protection rights can benefit from the strengthened control that the data subjects have on their own personal data, which can discourage unfair and discriminatory practices and the use of incorrect data for decision-making purposes (Article 29 Working Party 2013, p. 47). On the other hand, economic efficiency improvements arise from the reduction of the data-induced lock-in to platform ecosystems by enabling users to switch easily between services (Crémer et al. 2019, pp. 81–87), and the pro-competitive and pro-innovation effects generated by the smoother flow of precious data assets (Graef et al., 2013; Engels, 2016; Drexl, 2017; Furman et al., 2019, pp. 64–71; Martens et al., 2020, pp. 43-45). It follows that the imposition of such a practice has a direct impact on the business sectors where the exclusive control of data has strategic importance. Additionally, some experts are worried that the economic burdens deriving from the compliance to a data portability requirement may harm small and medium enterprises, in front of uncertain economic advantages (OECD, 2014, p. 14) and dangers for data security (Swire and Lagos, 2013). Finally, data portability can be interpreted as a tool to redistribute power: as resumed by the Article 29 Working Party (2013, p. 47) opinion, “allowing data-subjects/customers to have direct access to their data in a portable, user-friendly and machine-readable format may help empower them and redress the economic imbalance between large corporations on the one hand and data-subjects/consumers on the other”.

Before the adoption of the GDPR, data portability options in the EU were offered only voluntarily by data controllers, because no provisions in the EU legislation referred to such a practice. As explained by De Hert et al. (2018, pp. 194-195), the only “ancestors” of the RtDP are the prescriptions about mobile number portability and Open Application Programming Interfaces (APIs) (European Commission 2002a, 2002b). The Right to Data portability is an attempt to institutionalise2 the supply of data portability options by data controllers through the introduction of a legal obligation in the GDPR. The Right to Data Portability was introduced in EU legislation by Article 20 of GDPR and allows a “data subject” to “receive the personal data concerning him or her, which he or she has provided to a controller” from the correspondent “data controller”. Moreover, the data shall be received in a “structured, commonly used and machine-readable format”. According to De Hert et al. (2018, p. 197), in its final wording, the RtDP is fundamentally composed of three different rights:

  1. the right to receive (without hindrance from the data controller) data concerning a data subject which he/she has provided (Article 20(1));
  2. the right to transmit (without hindrance from the data controller) those data to another controller (Article 20(1));
  3. the right to have personal data transmitted directly from one controller to another (Article 20(2)).

Nevertheless, the formulation of the RtDP generates various “grey areas” concerning the type of granted interoperability, the interpretation of scope limitations, and the interaction with IP law. The following paragraphs detail each of these aspects.

1.1 Interoperability and compatibility

Article 20(2) of the GDPR specifies that the data subject has the “right to have personal data transmitted directly from one controller to another, where technically feasible”. In addition, Recital 68 of the GDPR states that “the data subject’s right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible”. Consequently, an obligation to ensure technological compatibility between different data controllers does not exist in the GDPR. Rather, Article 20 seems to pursue a more nuanced concept of “interoperability” of systems, intended by the European Union (2009, p. 20; 2017, p. 4) as

the ability of disparate and diverse organisations to interact towards mutually beneficial and agreed common goals, involving the sharing of information and knowledge between the organisations, through the business processes they support, by means of the exchange of data between their respective ICT systems.

The Article 29 Working Party (2017, p. 17) supports this view, claiming that the RtDP “aims to produce interoperable systems, not compatible systems”.3

This prudent approach may be related to the still ongoing technological development and the uncertain economic and innovation impact of a full compatibility requirement (European Commission 2020a, p. 12). However, the vagueness on the actual content of “technical feasibility” may ultimately limit the pro-competitive effects. For instance, Furman et al. (2019, pp. 68–69) emphasise that transfer of data between different services can be interpreted as functioning either on a continuous basis (with automatic updates after a first request from the user) or only when a user makes an expressed request (each exchange of data must be triggered by the user):

Although GDPR requires that personal data must be provided in a ‘structured, commonly used and machine-readable format’ there is no explicit requirement for parties to develop technical standards to facilitate the transmission of personal data across suppliers... there is no requirement within GDPR that data portability be made possible on a continuous, rather than discrete, basis. [...] The GDPR data portability provisions formally only relate to personal data which the consumer has provided directly... [a] more pro-competitive approach might involve the sharing of additional personal data.

1.2 Scope limitations

The scope limitations contained in the RtDP provide another cause of uncertainty. Firstly, Article 20(1) specifies that only personal data can be requested through the RtDP. According to Article 4(1), ‘personal data’ “means any information relating to an identified or identifiable natural person”. However, the notion of “personal data” is not completely stable. On one hand, with the advancements of data analysis and the technical capacity to identify individuals from smaller pools of information, the range of data that can be considered “personal” is expanding (Purtova, 2018). On the other hand, data controllers may increasingly process anonymous or pseudonymised datasets that cannot be linked to data subjects to limit the obligations arising from the RtDP.

Secondly, Article 20(1) specifies that the RtDP only concerns personal data processed on the basis of consent or of a contract, thus excluding the personal data processed under all other grounds, including legitimate interest. As argued by Graef et al. (2018, p. 1370), this “raises the question whether controllers will be able to preclude data subjects from relying on the RtDP by invoking a legitimate interest as a ground for processing personal data instead of consent or a contract”.

Finally, the interpretation of what data can be considered “provided to the controller” by the data subject is open. The Article 29 Working Party (2017, p. 10) states that these data shall be either “actively and knowingly provided by the data subject” or “observed data provided by the data subject by virtue of the use of the service or the device”.4 About the interpretation of Article 20, De Hert (2018, p. 202), distinguishes a “restrictive approach” (RtDP is applicable only with data explicitly provided by data subjects) and an “extensive approach” (RtDP is applicable with all data provided on the basis of data subject’s consent or within the performance of a contract), while Crémer et al. (2019, p. 81) highlight the difference between “volunteered” (intentionally contributed by the user) and “observed” data (obtained automatically from a user’s or machine’s activity).

1.3 Interaction with IP law

Finally, according to Graef et al. (2018, pp. 1374-1375), the interaction between Article 20(4) provisions–claiming that the RtDP “shall not adversely affect the rights and freedoms of others”–and Intellectual Property rights may constitute an emerging “silent conflict”. The GDPR contains no indications on the balance of such a conflict of interests. Article 29 Working Party (2017, p. 12) employs Recital 63 (on the limitations of Article 15(4) right of access) to claim that the RtDP shall not “adversely affect… trade secrets or intellectual property”. Without additional pronouncements from the Courts or legislation, data controllers will ultimately decide the balance between the RtDP and IP rights. Therefore, behind the claim of defending trade secrets and IP rights in front of the competitors’ reverse-engineering techniques, data controllers may increasingly restrict the pool of data available to portability.

***

I have shown that data controllers have various “grey areas” to interpret when they comply with the provisions of the RtDP. First, data controllers can choose whether to develop full compatibility and a continuous data flow between different services. Second, they can select the data processing grounds, anonymise or pseudonymise data, and balance IP rights and the RtDP to engineer the quantity of data falling under the RtDP provisions. Third, they can choose which type of personal data is considered as “provided by” the data subject. This situation of uncertainty can be effectively resumed by the words of Mertens et al. (2020, p. 42), stating that “a problem with Article 20 GDPR… is that it is not (yet) sufficiently operational”. In the future, these “grey areas” might progressively shrink due to the development of forms of soft law, courts’ decisions, or informal standards. Currently, however, many of these decisions are in data controllers’ hands. From the users’ point of view, these choices determine how a data subject can exercise the RtDP using a particular service. From the aggregated point of view, the sum of data controller choices determines whether data portability will become a diffused (institutionalised) option within the economic system and the resulting welfare and competition-improving effects.

The choices allowed by the RtDP “grey areas” can be independently taken by the data controllers, which establish internal procedures to respond to the users’ requests. Yet, instead of developing independent procedures, some data controllers prefer to join voluntary regulatory schemes to delegate their choices concerning the implementation of data portability. These regulatory schemes guide the participants to interpret in a certain way the described “grey areas”. For this reason, the study of these schemes is crucial to understanding how certain organisations apply the RtDP and how data portability will be institutionalised in the EU. A framing and description of these peculiar regulatory settings are provided in the following section.

2. Framing the data portability intermediaries

One example of the regulatory schemes supporting the implementation of data portability options is the “Qiy Scheme”. The Qiy Scheme is a regulatory scheme settled by a non-profit foundation (Qiy Foundation) and can be joined by non-profit and commercial organisations through a formalised procedure (Qiy, 2021a). The scheme is composed of the judiciary, legislative and executive branches (Qiy 2021b) and is equipped with internal procedures of rule enforcement. Joining the scheme as a member allows the participation to an interoperable standard of data sharing and portability and requires compliance with rules and limitations regarding data storage. Consequently, the scheme ultimately affects how the members comply with the RtDP (TM Forum, 2016).

The main question of this section is how to study regulatory schemes such as the “Qiy Scheme”. Particularly, the Qiy scheme example highlights two features of these regulatory initiatives: the voluntary basis and the schemes’ role of intermediation between the regulator (the EU) and the targets (the data controllers). This research proposes to frame these schemes as “regulatory standard-setting (RSS) schemes” that are settled by actors playing the role of “regulatory intermediaries”. The following paragraphs explain this definition by introducing the “regulatory standard-setting” concept by Abbott and Snidal (2009b, 2010) and the RIT model by Abbott, Levi-Faur, and Snidal (2017).

2.1 Regulatory standard-setting schemes

The “Transnational New Governance" literature (Abbott and Snidal, 2009a, 2009b) identifies two main features characterising the innovative kind of regulatory schemes that since the 1980s are emerging in the globalised economy outside the mandate of the states. The first one is the central role of private actors such as firms, industry groups and NGOs; and the second one is the “voluntary rather than state-mandated nature of the new regulatory norms” (Abbott and Snidal 2009b, p. 506). Drawing upon these reflections, Abbott and Snidal (2010) define the new type of regulatory initiatives as “regulatory standard-setting” (RSS) schemes, which are “non-legally-binding standards of behaviour, applicable directly to private actors rather than to states, in settings that have traditionally called for mandatory regulation” (p. 316). The RSS schemes are “non-legally-binding” in the sense that they are not made compulsory by state-promulgated “hard law” (Abbott and Snidal 2009a, pp. 21–22). However, once an organisation joins a scheme, it is targeted by the traditional features of regulation, including mechanisms for setting objectives and norms, monitoring compliance and correcting deviations (Scott, 2012, p. 1333). As resumed by Cafaggi (2011, p. 22), transnational private regulation “is generally voluntary... Parties who wish to join the regulatory bodies... are free to do so, however once they are in, they are legally bound and violation of the rules is subject to legal sanctions”. Finally, as explained by Abbott and Snidal (2009a), the RSS schemes can be settled up either by private actors, non-governmental bodies or public authorities or by a combination of them. Therefore, to identify an RSS scheme affecting the RtDP application, one or more actors (states, firms or non-governmental organisations) must have settled:

  1. a non-legally binding standard of behaviour: a voluntary standard that enables, facilitates or guides the data controllers to implement data portability standards in their activities. The study includes any standard that affects, also in a minimum way, the regulatees’ interpretation of the “grey areas” analysed in the previous section.5 To influence the application of Article 20 of the GDPR, the standard does not need to be explicitly promoted as an enabler of GDPR’s RtDP;
  2. applicable directly to private actors: the standard shall be open to the adoption by non-state actors respecting certain criteria. This means that RSS schemes shall provide a formalised method to join the regulatory scheme (for instance, a membership system) and possess specific procedures to react to the deviations of the regulated actors.6

Beyond these common features, the existing RSS schemes providing data portability standards comprehend a wide variety of governance styles and functionalities. Langford et al. (2020, p. 16) illustrate some of the most common functionalities offered by these schemes, such as identity management services and support to capture the value created in the exchange of data. Also, the list of RSS schemes contained in the empirical part offers a glimpse of their variety.

To better understand the position of RSS schemes in relation to the wider institutional environment, it is helpful to describe the actors promoting them as “regulatory intermediaries” between the EU and the data controllers, as proposed by the Abbott, Levi-Faur and Snidal (2017) “RIT model”.

2.2 Regulatory intermediaries

The RIT (regulator-intermediary-target) model developed by Abbott, Levi-Faur and Snidal (2017) offers a useful framework to describe the two alternative types of relationship between regulators and targets in the application of the RtDP. In the GDPR regime, the simplest application of the RtDP involves only the GDPR prescriptions and the data controllers’ internal organisation. In such a case, the data controllers establish procedures within their organisation to comply with the RtDP. As described by Abbott, Levi-Faur and Snidal (2017, p. 14), this is a “two-party relationship between a rule-maker or regulator (R) and a rule-taker or target (T)”. Such a relationship can be schematised in this way (the arrows correspond to the action “regulates…”): 7

R → T

EU → Data controller

The second possible scenario emerges when one or more intermediaries are introduced in the model. The Qiy Scheme cannot be represented in the two-actors model because the target (T) that has joined the Qiy scheme is at the same time regulated by the GDPR and by Qiy Scheme. Hence, the application of the RtDP by that organisation must comply with the rules imposed by both the EU law and the Qiy Foundation. Abbott, Levi-Faur and Snidal (2017, p. 19) define an intermediary as “any actor that acts directly or indirectly in conjunction with a regulator to affect the behaviour of a target”. Hence, it is possible to state that the flow of regulation (the obligation to comply with the RtDP) between the regulator (EU) and the target (the data controller member of the Qiy Scheme) is mediated by an intermediary (the Qiy Foundation). The model shall accordingly be corrected in the following form:

R → I → T

Example: EU → QIY Foundation → Data controller (member of the Qiy Scheme)

This example illustrates how the RIT model can be employed to frame the position of every RSS scheme that acts as an intermediary between the GDPR prescriptions and the data controllers’ compliance. Part of the intermediaries’ additional and complementary regulation is exerted on the “grey areas” created by the RtDP formulation. Drawing on this theoretical framework, the goal of the third section is to analyse the Regulatory Standard-Setting schemes operating in the EU that act as intermediaries in the data controllers’ application of the RtDP.

3. An empirical analysis of the Data portability Regulatory Standard schemes in the EU

The empirical section of the paper has two aims. First, it surveys the RSS schemes affecting the application of the RtDP in the EU during a circumscribed period. Second, using the “Governance Triangle” model in different historical periods shows which type of actors prevalently established RSS schemes across the time.

3.1 Methodology

Mapping the RSS schemes

In the first step of the empirical research, I scraped the web and listed every regulatory initiative that:

  1. can be considered an RSS scheme according to the criteria reported in Section 2.1 (i.e., a non-legally binding standard of behaviour applicable directly to private actors);
  2. is settled by an actor that can be considered an “intermediary” according to the RIT model described in Section 2.2, because it enables, facilitates or guides the implementation of data portability functionalities (and therefore, the application of the RtDP) by data controllers;
  3. can be accessed (or was accessible) by data controllers at least in one of the EU member states in the period between 1 January 2000 and 31 December 2020. With “EU countries” I mean the 28 countries that were EU members in 2016 (the United Kingdom is included). The date of membership start is not considered, so a hypothetical RSS scheme accessible only in the Czech Republic in 2003 (when the Czech Republic was not yet an EU member) would still be counted and reported in the empirical analysis.

For each RSS scheme, the following features were registered:

  1. Life: the date of foundation and the eventual date of the end of operations.
  2. Promoter: the type of actor(s) that is (are) enacting the scheme: namely, the legal status of the organisation(s) that act as the legal representative of the RSS scheme. Drawing upon the distinction by Abbott and Snidal (2009a), I distinguish between three types of actors: state, firms and non-governmental organisations.8
  3. Governance: the type of actor(s) that is (are) governing the scheme: that is to say, the type of actors (state, firms and non-governmental organisations) that are allowed to directly participate in the governance of the scheme, on the basis of their formal rules. For a detailed exposition of how such types are identified, see the following section on the Governance Triangle. In the Table, “S” means State(s), “F” means Firm(s), and “N” means “NGO(s)”.
  4. Scope: the scope of the regulatory scheme, based on the nationality of actors that can formally join it: “global” scope means that there is no requirement of origin for the organisations joining the regulatory scheme; “national” scope means that only organisations from a certain country can join the scheme; “regional” scope means that only organisations from a certain group of countries can join the scheme.

Table 1 shows the results.

The governance triangle

The second step of the empirical research implements the “Governance Triangle” model. Quoting the seminal paper by Abbott and Snidal (2009a), such a model “provides a systematic depiction of the potential universe and actual variety of RSS institutions. It helps us to examine empirically the emergence and distribution of such schemes, and to analyse theoretically the strengths and weaknesses of different structures” (p. 7). Moreover, the triangle is a fitting tool to portray the situations of “networked governance”, where regulation is determined by voluntary and reciprocal interactions among multiple participants (Abbott and Snidal, 2009a, p. 14; Kobrin, 2002).

The Governance Triangle model clusters the RSS schemes according to the type of actors that govern them. The taxonomy of potential governing actors is composed of states, firms and non-governmental organisations (NGOs). Abbott and Snidal (2009a, pp. 16-19) sketch the (simplified) preferences of the three actor groups in the following terms: firms are considered “by law and culture focused on profits” and “care more about the specific content than the mere fact of regulation”; NGOs – a category that includes “advocacy groups, labour unions, consumer groups, socially responsible investors, social movements” – are described as usually “motivated by principled beliefs rather than any direct stake in an issue” and do not necessarily represent the public interest; states are regarded as “actors with preferences of their own”, driven both by domestic and international factors, and include intergovernmental organisations.

The output of the model is a triangle-shaped figure that displays the direct participation by states, firms and NGOs in the governance of the RSS schemes. The surface of the Triangle is divided into seven zones and represents the possible combinations of actor participation (Abbott and Snidal, 2009a, p. 7). To offer an example, Figure 1 replicates the Governance Triangle included in the Abbott and Snidal (2009a, p. 7) original paper. In this case, the Triangle is a snapshot of the global ecosystem of corporate regulation at the time. Each labelled point on the Triangle represents a RSS scheme (an exhaustive legend for the abbreviations is available in the original paper), and the placement of the schemes on the Triangle reflects the “shares” of power each type of actor exercises in their governance. Zones 1, 2 and 3 contain regulatory standards governed by an actor (or set of actors) belonging to a single group (respectively, states, firms or NGOs). Zones 4, 5 and 6 contain schemes in which actors from two groups share governance responsibility. Finally, Zone 7 in the centre clusters regulatory schemes where actors from all the three groups play a significant role in the governance. Abbott and Snidal (2009a, p. 9) specify that “the boundaries of zones and the placement of points are not intended as precise representations of complex arrangements... [e]xact placement is less important than relative location”. In the original paper, the governance shares are calculated considering both formal rules and “tacit operating norms” (p. 9). In this study, the scarcity of resources allowed me to consider only the formalised rules indicated by the regulatory schemes’ documentation.

Figure 1: Governance Triangle contained in Abbott and Snidal 2009a.

To apply the Governance Triangle to the case of data portability in the EU, the RSS schemes found in the mapping section are placed in the Triangle zones accordingly to their internal rules. I use a formal approach to distinguish the types of actors, where only the formal role of participants as described by the internal rules is taken into consideration. For instance, an executive board of directors composed of persons coming from the industry that are mandated to act exclusively as independent representatives of the NGO is considered as an organisation whose governance is only composed of the “NGO” type of actor. To present a practical example, the already mentioned Qiy Scheme has a governance model giving formal independence to the legislative, executive and judiciary branches, that are nominated by the Qiy Foundation (an NGO) (Qiy, 2021b). The internal rules also establish an advisory body called “User Voice”, which is composed of the members of the Qiy Scheme, which are NGOs and firms. The User Voice issues recommendations to the legislative bodies and “enables participating organisations to play an active role in the policy-making process” (Qiy, 2021c). Hence, in the governance of the Qiy Scheme, the power is shared between an NGO (the Qiy Foundation) and the firms and NGOs participating in the RSS scheme (the members represented by the User Voice body). For this reason, the Qiy scheme is placed in Zone 6 of the Governance Triangle, and the “Governance” column in Table 1 contains the letters “N+F” (NGOs + Firms).

The empirical section applies the Governance Triangle in two iterations. The first Governance Triangle (Figure 2) depicts the data portability RSS schemes in the EU in 2020 to provide a snapshot of the recent situation. The second application of the model compares three Triangles representing snapshots from different periods. Such comparison aims to show the evolution of data portability RSS schemes in the EU from 2000 to 2020. The goal is to reveal if and how the different groups of actors changed their participation in data portability RSS schemes across the years. Moreover, exploring the RSS schemes operating before the GDPR enforcement (and the existence of the RtDP) is useful to identify long-term trends and because a certain degree of institutional stickiness and path dependence seems plausible. The time spans are 2000-2011, 2012-2015 and 2016-2020 and include each scheme that operated during at least one of those years.9 The time spans were selected on the basis of the GDPR milestones to highlight the potential effect of the Regulation on the establishment of RSS schemes: in 2012, the EU Commission announced the comprehensive reform of data protection rules, while in 2016 the GDPR was finally promulgated.

3.2 Results

Table 1 shows the list of RSS schemes affecting data portability in the EU between 2000 and 2020. A total of 23 regulatory schemes have been found. The first apparent feature is that RSS schemes have, in most cases, a global scope, meaning that they accept members without limitations about their country of origin. This can be explained by the fact that the utility of data portability schemes increases with a higher number of participants, because of direct network effects. Hence, there are no incentives to limit the scope of the schemes. One reason to restrict the pool of potential members might be the protection of personal data. This seems confirmed by the fact that two out of three schemes with national scope enact the portability of highly sensitive personal data (medical data in the case of MedMij, financial data in the case of Ockto). Interestingly, only the GAIA-X initiative has a regional scope. On one side, network effects push private initiatives towards a global rather than a regional scope; on the other, schemes that are concerned with personal data seem to rely on a national scope to grant data safety. A speculative hypothesis is that RSS schemes with a regional scope emerge only in presence of strong regional political entities (like the EU), that provide large enough network effects but limit the geographical scope for non-economic motives (e.g., data protection, promoting integration in a targeted area). Finally, the dates of foundation and termination of the schemes show that the only scheme that has been closed since its foundation is Midata UK, that was settled by the UK government. Here, a hypothesis could be made on whether politics-driven and business-driven RSS schemes diverge in their “life expectancy”, on the basis that they may have different incentives and goals (where schemes funded by businesses survive as far as their activity is economically sustainable, political actors may shut down regulatory initiatives when certain political goals are reached or when new public servants are elected). In the future, these hypotheses might be tested with new data. To describe the type of actors establishing RSS schemes, we now move to the application of the Governance Triangle model.

Table 1: Data portability RSS schemes within the EU. In the column “Governance”, “S” means State(s), “F” means Firm(s), and “N” means “NGO(s)”.

Name

Life

Promoter

Governance

Scope

Sources

aNewGovernance (ANG)

2018-

NGO

S+F+N

Global

[1]

Bitmark

2014-

Firm

F

Global

[1]

Data Portability Cooperation (DPC)

2019-

Firm

F

Global

[1]

Data Transfer Project (DTP)

2018-

Firm

F

Global

[1]

Digi.me

2009-

Firm

F

Global

[1]

GAIA-X

2019-

State

S+F+N

Regional

[1]

HAT-iDataswift (HAT)

2012-

Firm

F

Global

[1] [2]

HealthBank

2013-

Firm

F

Global

[1]

ID Ward (IDW)

2020-

Firm*

F

Global

[1] [2]

iGrant

2017-

Firm

F

Global

[1]

International Data Spaces (IDS)

2016-

NGO

N+F

Global

[1] [2]

MedMij

2015-

NGO*

S+F+N

National (Netherlands)

[1] [2]

Meeco

2012-

Firm

F

Global

[1] [2]

Midata UK

2011-14

State

S

National (United Kingdom)

[1] [2]

MyData

2014-

NGO

N

Global

[1] [2]

Mydex

2007-

Firm

F

Global

[1] [2]

Ockto

2017-

Firm

F

National (Netherlands)

[1]

OneCub

2011-

Firm

F

Global

[1]

PIMCity

2020-

State

S+F+N

Global

[1]

QIY

2007-

NGO

N+F

Global

[1]

Solid

2016-

Firm

F

Global

[1] [2]

Sovrin

2016-

NGO

N

Global

[1]

Streamr

2017-

Firm

F

Global

[1]

*with financial support by public authorities.

Figure 2Governance Triangle on personal data portability in the EU in 2020. The abbreviations contained in the labels are explained under the “Name” column in Table 1. The grey area represents the most populated area in the Triangle, evidencing which type(s) of actor(s) has more direct interventions in the governance of data portability RSS schemes.

The application of the Governance Triangle model in Figure 2 shows that, in 2020, private companies represented the majority of governors of RSS schemes concerning data portability in the EU. Accordingly, Zone 2 of the triangle is the most populated with 13 RSS schemes, followed by NGOs-States-Firms governance with 4 RSS schemes and NGOs-Firms and NGOs governance both with 2 RSS schemes. 20 out of 22 of the operative schemes are at least partially governed by firms. It is also interesting to notice that usually, where states are involved, also Firms and NGOs participate. This signals the multi-stakeholder standard pursued by initiatives promoted by states such as Gaia-X and PIMSCity. As theorised by Abbott and Snidal (2009b, p. 509), in the New Governance regimes the state actively “incorporates a decentralised range of actors and institutions, public and private, into the regulatory system”, relying on their regulatory expertise and using “soft law” to complement or substitute for mandatory “hard law”.

Moving to the second implementation of the Governance Triangle, Figure 3 shows the evolution of the regulatory landscape from 2000 to 2020 in the EU. The Triangles’ gray areas indicate the zones that contain the highest number of regulatory schemes in each time span. As it is evident, the dominance of firm-driven initiatives has been constant since the first decade of 2000, and the initiatives that involve public authorities started to appear only recently. In all the analysed time spans, the most diffused form of governance is the one where firms have full control of the RSS schemes. This also means that when the RtDP was introduced in 2016, the practice of data portability in the EU was already regulated by standards mainly governed by firms. As theorised by Büthe (2010, p. 22), some “private regulators... govern aspects of global markets not previously regulated by public regulators”. In general, public authorities have been very cautious on this topic. As already seen, the EU deliberately adopted a prudent approach (European Commission 2020a, p. 12) and the only relevant early public initiatives have been Midata (United Kingdom) and MyData (Finland).10


FIGURE 3: Evolution of the data portability Governance Triangle in EU. The grey areas represent the most populated areas in the Triangle, evidencing which type(s) of actor(s) has more direct interventions in the governance of data portability. RSS schemes in that time span. The abbreviations contained in the labels are explained in Table 1.

Figure 4 Number of data portability RSS schemes available in the EU.

The second evident trait emerging from Figure 3 is that the number of operative regulatory schemes is constantly increasing. The time span 2000-2011 presents 5 active RSS schemes, the time span 2012-2015 has 11 active RSS schemes and the period 2016-2020 has 22 active RSS schemes. Figure 4 emphasises the number of operative RSS schemes each year, and an accelerating trend is clear. Many factors may explain such an increase: diffusion of digital technologies involving the manipulation of personal data, increasing demand for personal data control, experimentation of innovative business models, efficiency of this type of coordination in comparison with other forms of partnership between organisations. Another hypothesis is that the institutional environment plays an influential role and public regulation such as GDPR significantly affects the diffusion of data portability RSS schemes.

The introduction of a formalised Right to Data Portability in the GDPR might have produced two effects on the diffusion of data portability RSS schemes. On one hand, the obligation for each data controller to introduce data portability options could progressively lead to the development of internal procedures that substitute the reliance on RSS schemes. Instead of joining formalised regulatory schemes, an increasing number of data controllers may adopt internal procedures and multilateral agreements with other organisations to govern data portability and data flows. For this reason, the RtDP introduction could reduce the number of operating schemes. On the other hand, the obligation to develop data portability functionalities might increase the demand for regulatory schemes by the data controllers that cannot or do not want to invest resources to comply with the RtDP. This phenomenon would likely increase the number of operating RSS schemes. Therefore, a key factor determining the evolution of the phenomenon is the cost-benefit comparison between developing internal data portability functionalities and joining a RSS scheme.

From the data visible in Figure 4, it seems that the adoption of GDPR in 2016 (and its implementation in 2018) did not significantly impact the growth of available RSS schemes. The growth pace of available RSS schemes does not deviate from the trend visible in the preceding years. Thus, neither the positive nor the negative effects of GDPR on the diffusion of RSS schemes are visible. This may be related to a “lag” between the enforcement of the GDPR and the full understanding of the Regulation implications by the targeted organisations. Alternatively, the actors establishing RSS schemes may consider the introduction of Article 20 irrelevant to their operations. It must be noticed, however, that some regulatory schemes which are currently operating (Egan, 2019) or work in progress (GSMA, 2019) explicitly cite the RtDP as a trigger or enabler of their initiative. Also, some actors governing RSS schemes have recently lobbied (MyData, 2020) in favour of a stronger EU regulation of “data intermediaries” in the Proposal for a Data Governance Act (European Commission, 2020c). These events suggest that the EU and the regulatory intermediaries do not interact in a zero-sum power game, with RSS schemes filling the void left by the lack of public regulation. On the very contrary, in the case of data portability, they may act in a complementary way: increasing the supply of public regulation stimulates the supply of regulatory intermediaries by (also) private actors.

Conclusion

To enlighten an understudied factor of the RtDP application, this study proposed a theoretical framework to analyse the regulatory schemes that set voluntary data portability standards in the EU. The paper analysed the “grey areas” created by the GDPR Article 20 formulation and explained why the data portability voluntary standards can be framed as “regulatory standard-setting (RSS) schemes” settled up by “regulatory intermediaries”. The empirical section surveyed the data portability RSS schemes that operated in the EU between 2000 and 2020 and employed the Governance Triangle model to highlight if such schemes are governed by private, public or non-governmental actors. The results showed that most RSS schemes influencing data portability in the EU have a global scope and are governed by private actors. Moreover, the number of operating schemes is increasing each year. The historical analysis highlights that the regulation of data portability was not “stolen” from the state by the firms: on the contrary, the GDPR and the RtDP were introduced in a regulatory environment already populated by many RSS schemes. Finally, the empirical analysis presented no evidence to conclude that the introduction of the GDPR impacted the diffusion of data portability RSS schemes.

The fact that, within the territory of the EU, private actors play an intermediary role in the application of the RtDP may be worrying for the future development of data markets and infrastructures. According to OECD (2014, p. 38), the lack of interoperability and compatibility between the various standards “could lead to a race to the ‘lowest common denominator’ of standard data sets provided by data controllers”. Another danger is to increase the monopoly power of a few firms, elevating their data portability scheme to the global standard (Thompson, 2018, Cohen, 2019, p. 209). As stated by Gineikytė et al. (2020, p. 56), “[i]f the data portability standards are set by a small number of dominant players (as in the case of the Data Transfer Project, led by Apple, Google, Facebook, Microsoft and Twitter), smaller ones will be forced to follow this standard, carrying the costs of technical implementation that may be especially large for them”. Also, a data portability framework mainly driven by private actors poses serious challenges to regulatory accountability. Cafaggi and Pistor (2015, p. 97) claim that “[f]ar from promoting decentralisation of governance... Transnational Private Regulation re-centralises governance in the hands of powerful private actors”. This power can ultimately “affects domestic polities establishing regulatory standards for sovereign states”, thus binding a fundamental sector of the economic system to the choices of a few unaccountable firms. For these reasons, Curtin and Senden (2011, p. 187), advocate for ‘compensatory mechanisms’ when a certain policy field is regulated only by private actors.

On the other hand, the recent proposal of a Data Governance Act (DGA) by the European Commission (2020c) displays growing attention to these subjects by European legislators. The provisions concerning “data sharing services” (Article 9-14) and “data altruism organisations” (Articles 15-22) introduce a variety of binding requirements to data portability RSS schemes. Moreover, the proposal of a European Data Innovation Board (Article 26 and 27) that advises the Commission in developing data sharing and interoperability policies attempts to promote data sharing harmonisation and cooperation across the public and private sectors. Depending on how these provisions will impact the RSS schemes landscape, the DGA could significantly re-shape the stage of RtDP regulatory intermediaries. This paper suggested some tools and hypotheses for studying the role of regulatory intermediaries in the application of the RtDP, but further research is needed to understand the characteristics of supply and demand of data portability RSS schemes. Such enterprise will be increasingly useful to evaluate whether the dominance of private actors in this field is a problematic issue and the policies proposed by the EU are up to the challenge.

References

Abbott, K. W., Levi-faur, D., & Snidal, D. (2017). Theorizing Regulatory Intermediaries: The RIT Model. The ANNALS of the American Academy of Political and Social Science, 670(1), 14–35. https://doi.org/10.1177/0002716216688272

Abbott, K. W., & Snidal, D. (2009a). Strengthening international regulation through transmittal new governance: Overcoming the orchestration deficit. Vand. J. Transnat’l L, 42, 501.

Abbott, K. W., & Snidal, D. (2009b). CHAPTER TWO. The Governance Triangle: Regulatory Standards Institutions and the Shadow of the State. In W. Mattli & N. Woods (Eds.), The Politics of Global Regulation (pp. 44–88). Princeton University Press. https://doi.org/10.1515/9781400830732.44

Abbott, K. W., & Snidal, D. (2010). International regulation without international government: Improving IO performance through orchestration. The Review of International Organizations, 5(3), 315–344. https://doi.org/10.1007/s11558-010-9092-3

Article 29 Data Protection Working Party. (2017). Guidelines on the right to data portability, 16/EN WP 242 rev.01. https://ec.europa.eu/newsroom/document.cfm?doc_id=44099

Article 29 Working Party. (2013). Opinion 03/2013 on purpose limitation, 00569/13/EN. European Commission. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf

Auld, G., & Renckens, S. (2017). Rule-making feedbacks through intermediation and evaluation in transnational private governance. The Annals of the American Academy of Political and Social Science, 670(1), 93–111. https://doi.org/10.1177/0002716217690185

Bartley, T. (2007). Institutional Emergence in an Era of Globalization: The Rise of Transnational Private Regulation of Labor and Environmental Conditions. American Journal of Sociology, 113(2), 297–351. https://doi.org/10.1086/518871

Biersteker, T. J., & Hall, R. B. (2002). The emergence of private authority in the international system.

Black, J. (2001). Decentring Regulation: Understanding the Role of Regulation and Self-Regulation in a “Post-Regulatory” World. Current Legal Problems, 54(1), 103–146. https://doi.org/10.1093/clp/54.1.103

Büthe, T. (2010). Private Regulation in the Global Economy: Guest Editor’s Note. Business and Politics, 12(3), 1–1. https://doi.org/10.2202/1469-3569.1349

Büthe, T., & Mattli, W. (2013). The new global rulers: The privatization of regulation in the world economy. Princeton University Press.

Cafaggi, F., & Pistor, K. (2015). Regulatory capabilities: A normative framework for assessing the distributional effects of regulation: Regulatory capabilities. Regulation & Governance, 9(2), 95–107. https://doi.org/10.1111/rego.12065

Cafaggi, F., & Renda, A. (2012). Public and private regulation: Mapping the labyrinth. DQ, 16.

Cafaggi, F., Renda, A., & Schmidt, R. (2013). Transnational private regulation. In OECD, International Regulatory Co-operation: Case Studies, Vol. 3 (pp. 9–58). OECD. https://doi.org/10.1787/9789264200524-3-en

Carnelley, P., Schwenk, H., Cattaneo, G., Micheletti, G., & Osimo, D. (2013). Europe’s data marketplaces—Current status and future perspectives,’. European Data Market SMART, 63.

Cashore, B. W., Auld, G., & Newsom, D. (2004). Governing through markets: Forest certification and the emergence of non-state authority. Yale University Press.

Centre for Information Policy Leadership. (2017). Comments by the Centre for Information Policy Leadership on the Article 29 Data Protection Working Party’s “Guidelines on the right to data portability” adopted on 13 December 2016. https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_comments_on_wp29_data_portability_guidelines_15_february_2017.pdf

Cohen, J. E. (2019). Between Truth and Power: The Legal Constructions of Informational Capitalism (1st ed.). Oxford University Press. https://doi.org/10.1093/oso/9780190246693.001.0001

Crémer, J., Montjoye, Y.-A., & Schwitzer, H. (2019). Competition Policy for the Digital Era (Report KD-04-19-345-EN-N). Publications Office of the European Union. http://doi.org/10.2763/407537

Curtin, D., & Senden, L. (2011). Public Accountability of Transnational Private Regulation: Chimera or Reality? Journal of Law and Society, 38(1), 163–188. https://doi.org/10.1111/j.1467-6478.2011.00539.x

Cutler, A. C., Haufler, V., & Porter, T. (Eds.). (1999). Private authority and international affairs. Suny Press.

De Hert, P., Papakonstantinou, V., Malgieri, G., Beslay, L., & Sanchez, I. (2018). The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Computer Law & Security Review, 34(2), 193–203. https://doi.org/10.1016/j.clsr.2017.10.003

Drexl, J. (2017). Designing competitive markets for industrial data. J. Intell. Prop. Info. Tech. & Elec. Com. L, 8, 257.

Drexl, J. (2018). Data access and control in the era of connected devices [Report]. BEUC. https://www.beuc.eu/publications/beuc-x-2018-121_data_access_and_control_in_the_area_of_connected_devices.pdf

Duch-Brown, Nn., Martens, B., & Mueller-Langer, F. (2017). The Economics of Ownership, Access and Trade in Digital Data. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.2914144

E.D.P.S. (2016). Opinion 9/2016: EDPS Opinion on Personal Information Management Systems [Technical report]. European Data Protection Supervisor. https://edps.europa.eu/sites/edp/files/publication/16-10-20_pims_opinion_en.pdf

Egan, E. (2019). Data Portability and Privacy [Report]. Facebook. https://about.fb.com/wp-content/uploads/2020/02/data-portability-privacy-white-paper.pdf

Engels, B. (2016). Data portability among online platforms. Internet Policy Review, 5(2). https://doi.org/10.14763/2016.2.408

European Commission. (2002). Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive.

European Commission. (2016). An emerging offer of “personal information management services”: Current state of service offers and challenges [Report from Unit G.1]. – Data Policy and Innovation.

European Commission. (2017). Final Communication from the European Commission—European Interoperability Framework –Implementation Strategy, COM(2017)134.

European Commission. (2020a). Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European strategy for data, COM/2020/66 final.

European Commission. (2020b). Proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act.

European Commission. (2020c). Towards a European strategy on business-to-government data sharing for the public interest: Final report prepared by the High-Level Expert Group on Business-to-Government Data Sharing.

European Commission. Directorate General for Communications Networks, Content and Technology. (2020). Shaping the digital transformation in Europe. Publications Office. https://data.europa.eu/doi/10.2759/294260

European Union. (2002). Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and users’ rights relating to electronic communications networks and services. European Union. http://data.europa.eu/eli/dir/2002/22/oj

European Union. (2009). Decision No 922/2009/EC of the European Parliament and of the Council of 16 September 2009 on interoperability solutions for European public administrations. European Union. http://data.europa.eu/eli/dec/2009/922/oj

European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. European Union.

Forum, T. M. (2016). Catalyst Pitchback: GDPR Compliance using Qiy Scheme. https://www.tmforum.org/wp-content/uploads/2017/02/Action-Week-Catalyst-Pitch-GDPR-compliancy.pdf

Furman, J., Coyle, D., Fletcher, A., McAuley, D., & Marsden, P. (2019). Unlocking digital competition: Report of the digital competition expert panel. HM Treasury. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/785547/unlocking_digital_competition_furman_review_web.pdf

G.A.I.A.-X. (2019). GAIA-X: Technical Architecture [Technical report]. https://www.data-infrastructure.eu/GAIAX/Redaktion/EN/Publications/gaia-x-technical-architecture.pdf?__blob=publicationFile&v=5

Giddens, A. (1984). The constitution of society: Outline of the theory of structuration. University of California Press.

Gineikytė, V., Barcevičius, E., & Cibaitė, G. (2020). Business user and third-party access to online platform data, Observatory on the Online Platform Economy. https://platformobservatory.eu/app/uploads/2020/09/Analytical-Paper-5-Business-user-and-third-party-access-to-data_final.pdf

Gorwa, R. (2019). The platform governance triangle: Conceptualising the informal regulation of online content. Internet Policy Review, 8(2). https://doi.org/10.14763/2019.2.1407

Graef, I., Husovec, M., & Purtova, N. (2018). Data Portability and Data Control: Lessons for an Emerging Concept in EU Law. German Law Journal, 19(6), 1359–1398. https://doi.org/10.1017/S2071832200023075

Graef, I., Verschakelen, J., & Valcke, P. (2013). Putting the right to data portability into a competition law perspective. Law: The Journal of the Higher School of Economics, Annual Review, 53–63.

Graz, J.-C. (2012). Private regulation in the world economy. Academic Foresights, 3. https://www.academic-foresights.com/Private_Regulation.html#:~:text=Private%20regulation%20in%20the%20world%20economy%20refers%20to%20the%20ability,of%20their%20definition%20and%20implementation.

G.S.M.A. (2019). Telecoms as the “Secured Data Hub” for the digital society [Report]. Global System for Mobile Communications. https://www.oliverwyman.com/content/dam/oliver-wyman/v2/publications/2019/feb/Telecoms_Secured_Data_Hub.pdf

Hanretty, C. (2010). Explaining the De Facto Independence of Public Broadcasters. British Journal of Political Science, 40(1), 75–89. https://doi.org/10.1017/S000712340999024X

Johnson, D., & Post, D. (1996). Law and borders: The rise of law in cyberspace. Stanford Law Review, 48(5), 1367–1402. https://doi.org/10.2307/1229390

Kobrin, S. J. (2002). Economic governance in an electronically networked global economy. In R. B. Hall & T. J. Biersteker (Eds.), The Emergence of Private Authority in Global Governance (pp. 43–75). Cambridge University Press. https://doi.org/10.1017/CBO9780511491238.004

Koop, C., & Lodge, M. (2017). What is regulation? An interdisciplinary concept analysis. Regulation & Governance, 11(1), 95–108. https://doi.org/10.1111/rego.12094

Koutroumpis, P., Leiponen, A., & Thomas, L. D. (2017). The (unfulfilled) potential of data marketplaces. ETLA Working Papers, 53. http://hdl.handle.net/10419/201268

Lachaud, E. (2018). The General Data Protection Regulation and the rise of certification as a regulatory instrument. Computer Law & Security Review, 34(2), 244–256. https://doi.org/10.1016/j.clsr.2017.09.002

Langford, J., Poikola, A., Janssen, W., & Lähteenoja, V. (2020). Understanding MyData Operators [Paper]. MyData Global. https://mydata.org/wp-content/uploads/sites/5/2020/04/Understanding-Mydata-Operators-pages.pdf

Lehtiniemi, T. (2017). Personal Data Spaces: An Intervention in Surveillance Capitalism? Surveillance & Society, 15(5), 626–639. https://doi.org/10.24908/ss.v15i5.6424

Leiser, M., & Murray, A. (2016). The Role of Non-State Actors and Institutions in the Governance of New and Emerging Digital Technologies (R. Brownsword, E. Scotford, & K. Yeung, Eds.; Vol. 1). Oxford University Press. https://doi.org/10.1093/oxfordhb/9780199680832.013.28

Lessig, L. (2006). Code and Other Laws of Cyberspace Version 2.0 (Version 2.0). Basic Books.

Martens, B., De Streel, A., Graef, I., Tombal, T., & Duch-Brown, N. (2020). Business-to-Business data sharing: An economic and legal analysis (Technical report No. 2020–05; JRC Digital Economy Working Paper). EU Science Hub. https://joint-research-centre.ec.europa.eu/system/files/2020-07/jrc121336.pdf

Mattioli, M. (2017). The Data-Pooling Problem. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.2671939

Mayer-Schönberger, V., & Cukier, K. (2013). Big data: A revolution that will transform how we live, work, and think. Houghton Mifflin Harcourt.

MyData. (2020). Why we need a Data Exchange Board to improve the EU Data Governance Act”. MyData. https://mydata.org/2020/12/09/why-we-need-a-data-exchange-board-to-improve-the-eu-data-governance-act/

O.E.C.D. (2014). OECD Expert Workshop on enhanced access to data: Reconciling risks and benefits of data re-use [Technical report]. Danish Business Authority. https://www.oecd.org/sti/ieconomy/expert-workshop-enhanced-access-to-data-reconciling-risks-and-benefits-of-data-re-use.htm

Posner, E., & Weyl, E. (2018). Radical Markets: Uprooting Capitalism and Democracy for a Just Society. Princeton University Press. https://doi.org/10.23943/9781400889457

Powell, W. W., & Smith-Dor, L. (1994). Networks and Economic life. Journal of Economic Sociology, 4(3), 61–105. https://doi.org/10.17323/1726-3247-2003-3-61-105

Purtova, N. (2018). The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law. Law, Innovation and Technology, 10(1), 40–81. https://doi.org/10.1080/17579961.2018.1452176

Qiy Foundation. (2021a). How is the Qiy Scheme organised? Qiy Foundation. https://www.qiyfoundation.org/qiy-scheme/what-is-a-scheme/organisation/

Qiy Foundation. (2021b). Membership. Qiy Foundation. https://www.qiyfoundation.org/membership/

Qiy Foundation. (2021c). What is a scheme? Qiy Foundation. https://www.qiyfoundation.org/qiy-scheme/what-is-a-scheme/organisation/

Raab, C., & De Hert, P. (2008). Tools for technology regulation: Seeking analytical approaches beyond Lessig and Hood. In K. Yeung, & R. Brownsword (Eds.), Regulating technologies. Oxford University Press.

Scott, C. (2012). Beyond Taxonomies of Private Authority in Transnational Regulation*. German Law Journal, 13(12), 1329–1338. https://doi.org/10.1017/S2071832200017880

Shapiro, C., & Varian, H. R. (1998). Information rules: A strategic guide to the network economy. Harvard Business School Press.

Srnicek, N. (2016). Platform capitalism. Polity Press.

Swire, P., & Lagos, Y. (2012). Why the right to data portability likely reduces consumer welfare: Antitrust and privacy critique. Maryland Law Review, 72(335).

Thompson, B. (2018). The Bill Gates Line. Stratechery. https://stratechery.com/2018/the-bill-gates-line/

UK Department for Business, Innovation and Skills. (2014). Midata voluntary programme: Review [Technical report]. https://www.gov.uk/government/publications/midata-voluntary-programme-review

Verhulst, S., & Sangokoya, D. (2015). Data collaboratives: Exchanging data to improve people’s lives [Medium]. The GovLab. https://sverhulst.medium.com/data-collaboratives-exchanging-data-to-improve-people-s-lives-d0fcfc1bdd9a#:~:text=The%20term%20data%20collaborative%20refers,to%20help%20solve%20public%20problems.

Viljoen, S. (2020). Data as Property? Phenomenal World. https://phenomenalworld.org/analysis/data-as-property

Zuboff, S. (2019). The age of surveillance capitalism: The fight for a human future at the new frontier of power. Profile books.

Footnotes

1. According to Article 4(7), “data controllers” means the natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data.

2. “Institutionalisation” is here intended as an attempt to make a feature of social life enduring – i.e., persisting in time and space (Giddens, 1984, p. 24).

3. A complete explanation of the difference between interoperability and compatibility in the EU regime is still missing. In the analysis of the Guidelines on the right to data portability by the Article 29 Working Party (2017), the Centre for Information Policy Leadership (2017, p. 13) comments that “[t]he distinction between ‘interoperable’ and ‘compatible’ is not in all circumstances sufficiently clear.”

4. On the contrary, “‘inferred data’ and ‘derived data’… are created by the data controller on the basis of the data ‘provided by the data subject’ (emphasis added)” (Article 29 Working Party, 2017, p. 10).

5. A Personal Informational Management System (PIMS) is a service offering to data subjects a “data space” to store personal data. Most PIMSs permit users to delegate to them the request to obtain data from a certain data controller, facilitating the enforcement of the RtDP (EDPS 2016, European Commission 2016). However, if a PIMS offers only this service, it cannot be considered as an RSS scheme, because it merely operates a data portability request as could be provided by an individual, and it does not introduce any standard adopted by data controllers, nor does it impact their interpretation of the RtDP “grey areas”. Therefore, this study considers only the PIMSs that require the data controllers to join a regulatory scheme that affects the regulatees’ interpretation of the RtDP “grey areas”.

6. For this reason, the analysis excludes open-source standards like “Mastodon” and the standards composing the “Fediverse”. These self-hosted social networking services allow anyone to host their server node in the network, without a formalised procedure to access and a centralised enforcement system.

7. In the notations, the arrows represent the “unidirectional flow” corresponding to the hierarchical view of regulation in the form of “prescription and compliance… based primarily on deterrence and sanctions” (Abbott, Levi-Faur, and Snidal, 2017, p. 17).

8. Public universities are classified under the category of State, while privately funded universities are considered as Firms.

9. For instance, MiData UK operated from 2011 to 2014 and is included both in the 2000-2011 timespan (even if it was not operating in 2000) and in the 2012-2016 time span (even if it did not survive until 2016).

10. Midata was a voluntary programme implemented by the UK Government with industry to give consumers access to their personal data, experimented between 2011 and 2014 (UK Department for Business and Skills, 2014). The MyData initiative is financed by the Finnish government, and its main goal is to build a network of data management services (Langford et al., 2020).

Add new comment