1. bookVolume 2021 (2021): Issue 3 (July 2021)
Journal Details
First Published
16 Apr 2015
Publication timeframe
4 times per year
access type Open Access

Data Portability between Online Services: An Empirical Analysis on the Effectiveness of GDPR Art. 20

Published Online: 27 Apr 2021
Page range: 351 - 372
Received: 30 Nov 2020
Accepted: 16 Mar 2021
Journal Details
First Published
16 Apr 2015
Publication timeframe
4 times per year

Data portability regulation has promised that individuals will be easily able to transfer their personal data between online service providers. Yet, after more than two years of an active privacy regulation regime in the European Union, this promise is far from being fulfilled. Given the lack of a functioning infrastructure for direct data portability between multiple providers, we investigate in our study how easily an individual could currently make use of an indirect data transfer between providers. We define such porting as a two-step transfer: firstly, requesting a data export from one provider, followed secondly by the import of the obtained data to another provider. To answer this question, we examine the data export practices of 182 online services, including the top one hundred visited websites in Germany according to the Alexa ranking, as well as their data import capabilities. Our main results show that high-ranking services, which primarily represent incumbents of key online markets, provide significantly larger data export scope and increased import possibilities than their lower-ranking competitors. Moreover, they establish more thorough authentication of individuals before export. These first empirical results challenge the theoretical literature on data portability, according to which, it would be expected that incumbents only complied with the minimal possible export scope in order to not lose exclusive consumer data to market competitors free-of-charge. We attribute the practices of incumbents observed in our study to the absence of an infrastructure realizing direct data portability.


[1] C. Jones and C. Tonetti. Nonrivalry and the economics of data. American Economic Review, 110(9):2819–2858, 2020.Search in Google Scholar

[2] J. Krämer, P. Senellart, and A. de Streel. Making data portability more effective for the digital economy. CERRE Report, 2020.Search in Google Scholar

[3] I. Graef. Mandating portability and interoperability in online social networks: Regulatory and competition law issues in the European Union. Telecommunications Policy, 39(6): 502–514, 2015.Search in Google Scholar

[4] M. Wohlfarth. Data portability on the internet. Business & Information Systems Engineering, 61(5):551–574, 2019.Search in Google Scholar

[5] A. Sunyaev, N. Kannengießer, R. Beck, H. Treiblmaier, M. Lacity, J. Kranz, G. Fridgen, U. Spankowski, and A. Luckow. Token economy. Business & Information Systems Engineering, pages 1–22, 2021.Search in Google Scholar

[6] S. Mager and J. Kranz. Stimulating economic growth by unlocking the nonrival potential of data - Review, synthesis and directions for future research. Available at SSRN 3720114, 2020.Search in Google Scholar

[7] S. Zuboff. Big other: Surveillance capitalism and the prospects of an information civilization. Journal of Information Technology, 30(1):75–89, 2015.Search in Google Scholar

[8] I. Graef, J. Verschakelen, and P. Valcke. Putting the right to data portability into a competition law perspective. Law: The Journal of the Higher School of Economics, pages 53–63, 2013.Search in Google Scholar

[9] P. De Hert, V. Papakonstantinou, G. Malgieri, L. Beslay, and I. Sanchez. The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Computer Law & Security Review, 34(2):193–203, 2018.Search in Google Scholar

[10] T. Linden, R. Khandelwal, H. Harkous, and K. Fawaz. The privacy policy landscape after the GDPR. Proceedings on Privacy Enhancing Technologies, 2020(1):47–64, 2020.Search in Google Scholar

[11] J. Wong and T. Henderson. The right to data portability in practice: Exploring the implications of the technologically neutral GDPR. International Data Privacy Law, 9(3):173–191, 2019.Search in Google Scholar

[12] S. Turner, J. Galindo Quintero, S. Turner, J. Lis, and L. M. Tanczer. The exercisability of the right to data portability in the emerging Internet of Things (IoT) environment. New Media & Society, 2020.Search in Google Scholar

[13] Eurostat. NACE rev. 2 - Statistical classification of economic activities in the European community, 2008. Available at: https://ec.europa.eu/eurostat/web/nace-rev2/overview.Search in Google Scholar

[14] B. Willard, J. Chavez, G. Fair, K. Levine, A. Lange, and J. Dickerson. Data Transfer Project: From theory to practice, 2018. Available at: https://services.google.com/fh/files/blogs/data-transfer-project-google-whitepaper-v4.pdf.Search in Google Scholar

[15] I. Graef, M. Husovec, and N. Purtova. Data portability and data control: Lessons for an emerging concept in EU law. German Law Journal, 19(6):1359–1398, 2018.Search in Google Scholar

[16] P. Klemperer. Markets with consumer switching costs. The Quarterly Journal of Economics, 102(2):375–394, 1987.Search in Google Scholar

[17] DLA Piper. Data protection laws of the world, 2020. Available at: https://www.dlapiperdataprotection.com/system/modules/za.co.heliosdesign.dla.lotw.data_protection/functions/handbook.pdf?country=all, last accessed: November 25th, 2020.Search in Google Scholar

[18] M. E. Porter. The five competitive forces that shape strategy. Harvard Business Review, 86(1):25–40, 2008.Search in Google Scholar

[19] C. J. Hoofnagle and J. King. Consumer information sharing: Where the sun still don’t shine. Available at SSRN 1137990, 2007.Search in Google Scholar

[20] L. Thomas and C. J. Hoofnagle. Exploring information sharing through California’s ’Shine the Light’ law. Available at SSRN 1448365, 2009.Search in Google Scholar

[21] S. Grogan and A. M. McDonald. Access denied! contrasting data access in the united states and ireland. Proceedings on Privacy Enhancing Technologies, 2016(3):191–211, 2016.Search in Google Scholar

[22] J. L. Kröger, J. Lindemann, and D. Herrmann. How do app vendors respond to subject access requests? a longitudinal privacy study on ios and android apps. In Proceedings of the 15th International Conference on Availability, Reliability and Security, 2020.Search in Google Scholar

[23] J. Krämer. Personal data portability in the platform economy: Economic implications and policy recommendations. Journal of Competition Law & Economics, 2020.Search in Google Scholar

[24] J. Krämer and N. Stüdlein. Data portability, data disclosure and data-induced switching costs: Some unintended consequences of the General Data Protection Regulation. Economics Letters, 181:99–103, 2019.Search in Google Scholar

[25] P. Swire and Y. Lagos. Why the right to data portability likely reduces consumer welfare: Antitrust and privacy critique. Maryland Law Review, 72(2):335–380, 2013.Search in Google Scholar

[26] W. Lam and X. Liu. Does data portability facilitate entry? International Journal of Industrial Organization, 69:102564, 2020.Search in Google Scholar

[27] Council of European Union. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016. Available at: https://eurlex.europa.eu/eli/reg/2016/679/2016-05-04.Search in Google Scholar

[28] G. Malgieri. Property and (intellectual) ownership of consumers’ information: A new taxonomy for personal data. Privacy in Germany - PinG, 2016(4):133, 2016.Search in Google Scholar

[29] Article 29 Data Protection Working Party. Guidelines on the right to data portability, 2017. Available at: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611233.Search in Google Scholar

[30] Bureau van Dijk. Orbis, 2020. Available at: https://orbis.bvdinfo.com/, last accessed: October 15th, 2020.Search in Google Scholar

[31] CMS. GDPR enforcement tracker, 2020. Available at: https://www.enforcementtracker.com/, last accessed: November 26th, 2020.Search in Google Scholar

[32] Alexa. Topsites in Germany - Ranking, 2020. Available at: https://www.alexa.com/topsites/countries/DE, last accessed: September 30th, 2020.Search in Google Scholar

[33] M. Bishop. The art and science of computer security. Addison-Wesley Longman Publishing, 2002.Search in Google Scholar

[34] M. Di Martino, P. Robyns, W. Weyts, P. Quax, W. Lamotte, and K. Andries. Personal information leakage by abusing the GDPR ’right of access’. In Fifteenth Symposium on Usable Privacy and Security (SOUPS), 2019.Search in Google Scholar

[35] The European Parliament and the Council of the European Union. Directive 2014/92/EU. Official Journal of the European Union, 2014. Available at: https://eurlex.europa.eu/eli/dir/2014/92/oj.Search in Google Scholar

[36] H. Hlavac. stargazer: Well-formatted regression and summary statistics tables, 2018. Available at: https://CRAN.R-project.org/package=stargazer.Search in Google Scholar

[37] W. Venables and B. Ripley. Modern applied statistics with S. Springer-Verlag, fourth edition, 2002.Search in Google Scholar

[38] M. Zhao, J. Grossklags, and P. Liu. An empirical study of web vulnerability discovery ecosystems. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 1105–1117, 2015.Search in Google Scholar

[39] S. Mager and J. Kranz. Consent notices and the willingness-to-sell observational data: Evidence from user reactions in the field. Proceedings on the European Conference on Information Systems (ECIS), 2021.Search in Google Scholar

[40] C. Argenton and J. Pruefer. Search engine competition with network externalities. Journal of Competition Law and Economics, 8(1):73–105, 2012.Search in Google Scholar

[41] P. Constantinides, O. Henfridsson, and G. Parker. Introduction - Platforms and infrastructures in the digital age. Information Systems Research, 29(2):381–400, 2018.Search in Google Scholar

[42] European Commission. Special Eurobarometer 487a, 2019. Available at: http://dx.doi.org/10.2838/579882.Search in Google Scholar

[43] D. Hardt. The OAuth 2.0 authorization framework. RFC 6749, RFC Editor, 2012. Available at: http://www.rfc-editor.org/rfc/rfc6749.txt.Search in Google Scholar

[44] S. Landau and T. Moore. Economic tussles in federated identity management. First Monday, 17(10), 2012.Search in Google Scholar

[45] Data Portability Cooperation. Telecoms as the “secured data hub” for the digital society, 2019. Available at: https://www.dataportabilitycooperation.org/assets/Telecoms_Secured_Data_Hub.pdf, last accessed: November 27th, 2020.Search in Google Scholar

[46] S. Spiekermann and J. Korunovska. Towards a value theory for personal data. Journal of Information Technology, 32(1): 62–84, 2017.Search in Google Scholar

[47] B. Caillaud and B. Jullien. Chicken & Egg: Competition among intermediation service providers. RAND Journal of Economics, 34(2):309–328, 2003.Search in Google Scholar

[48] T. Urban, D. Tatang, M. Degeling, T. Holz, and N. Pohlmann. A study on subject data access in online advertising after the GDPR. In Data Privacy Management, Cryptocurrencies and Blockchain Technology, 2019.Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo