The draft EU Data Protection Regulation would create a new human and economic right — the Right to Data Portability (RDP). The basic idea of the RDP is that individuals would be able to transfer their electronic information, such as a Facebook friend lists or iTunes music, from Facebook or Apple to a competitor, without hindrance.
The idea of the RDP is very appealing. From a market efficiency perspective, it can address the lock-in problem, the worry that high switching costs will strand consumers with a legacy system that is not as good as a new system. From the human rights perspective, the RDP is proposed as a way to enhance a person’s online identity, to give individuals control over “their” content.
I blogged about my initial concerns with RDP here on Concurring Opinions in April and May. Now, the full law review article is posted on SSRN: http://ssrn.com/abstract=2159157. The full version deepens the antitrust critique from the initial blog posts. It adds a big new section on the RDP as a fundamental/human right under EU law. That privacy discussion explores the risks to an existing EU right to data protection — the right to data security. When an individual’s lifetime of data must be exported “without hindrance,” then one moment of identity fraud can turn into a lifetime breach of personal data. In addition, the article addresses more general issues of interoperability, building on sources including Lotus v. Borland and the recent Interop book by John Palfrey and Urs Gasser.
My basic take is that the RDP is much more appealing as a concept than it is as proposed legislation in the Regulation. I think the RDP will be a Big Deal if enacted — its mandates will apply to any ap, consumer software or online service that uses standard formats. Because the Regulation also extends its jurisdiction to any company that sells to EU citizens, the RDP would become a new and significant global software mandate. I think these issues deserve a lot more attention than they have received.