Intermediaries do matter: voluntary standards and the Right to Data Portability // WINNERdownload pdf
This paper enlightens an understudied aspect of the application of the General Data Protection Regulation (GDPR) Right to Data Portability (RtDP), introducing a framework to analyse empirically the voluntary data portability standards adopted by various data controllers. The first section explains how the RtDP wording creates some “grey areas” that allow data controllers a broad interpretation of the right. Secondly, the paper shows why the regulatory initiatives affecting the interpretation of these “grey areas” can be framed as “regulatory standard-setting (RSS) schemes”, which are voluntary standards of behaviour settled either by private, public, or non-governmental actors. The empirical section reveals that in the EU, between 2000 and 2020, the number of such schemes increased every year and most of them were governed by private actors. Finally, the historical analysis highlights that the RtDP was introduced when many private-run RSS schemes were already operating, and no evidence suggests that the GDPR impacted significantly on their spread.