I. INTRODUCTION
In the digital world, the data accumulated by individuals on online platforms, social media networks, and digital service providers has become an economic and personal value referred to as “digital identity”. In this context, the “Right to Data Portability,” introduced into the legal world by the European Union General Data Protection Regulation (“GDPR”), is one of the important regulations that strengthens the data subject’s control over their data.
Since Turkey’s Law No. 6698 on the Protection of Personal Data (“KVKK”) was prepared based on the European Union’s old Directive 95/46/EC, there is no explicit provision in the KVKK regarding the right to data portability regulated by Article 20 of the GDPR. However, both the current decisions of the Competition Authority and the requirements of digital markets make it essential to understand the legal nature and scope of this right.
II. DEFINITION AND PURPOSE OF THE RIGHT TO DATA PORTABILITY
The right to data portability, in its most basic form, is the right of the data subject to retrieve the personal data they have provided to a data controller in a structured, commonly used, and machine-readable format or, to the extent technically feasible, to request that this data be transmitted directly to another data controller.
The fundamental purpose of establishing this right is to prevent the data subject from remaining dependent on the platform or data controller they use and to ensure their freedom to change service providers by transferring their data as they wish. This allows individuals to switch to competitors offering better services without fear of losing their data, creating a competitive environment that improves service quality in the market.
III. SCOPE AND TYPES OF DATA PORTABILITY RIGHTS
The right to data portability is not an absolute right and can only be exercised under certain conditions. In doctrine and GDPR practice, this right is divided into two types based on its implementation:
1. Indirect Portability (Right to Receive Data)
This is when the data subject downloads their data from the data controller. Here, the data controller’s obligation is to provide the data in structured and processable formats such as Excel, CSV, or XML, rather than in formats that are difficult to process, such as PDF. This is because the aim is for the data subject to be able to reuse this data elsewhere.
2. Direct Portability (Right to Transfer Data)
Provided that the technical infrastructure is suitable, it is the transfer of data directly between two data controllers (sender and recipient) without the need for the individual’s intervention. This method is particularly useful in banking or social media platform transitions.
IV. LIMITS OF TRANSFERABLE DATA: THE DISTINCTION BETWEEN PROVIDED AND GENERATED DATA
The most critical issue in determining the scope of this right is which data can be transferred. According to legal assessments, not all data can be subject to this right:
- Provided Data: Data that the data subject has personally provided (name, email, contact details, etc.) or data generated during the use of a service (search history, location data, heart rate measured by a smartwatch, etc.). This data falls within the scope of portability.
- Inferred/Derived Data: New and value-added data produced by the data controller from raw data using its own algorithms, analytical capabilities, and technical know-how. For example, a “credit risk score” created by a bank based on a customer’s spending history or a “disease risk profile” generated by a health application from user data are derived/inferred data. As these data constitute the data controller’s trade secrets and intellectual property, they are excluded from the scope of portability.
This distinction ensures a balance between protecting companies’ innovation and analysis investments and individuals’ data sovereignty.
V. THE RELATIONSHIP BETWEEN DATA PORTABILITY AND COMPETITION LAW
In digital markets, data is the most important input for undertakings. If a dominant undertaking refuses to share its data with competitors or technically prevents portability, this may constitute an abuse under competition law.
- Essential Facility: If access to a data set is essential to operate in the market and no alternative to this data exists, the dominant undertaking may be required to open this data to its competitors.
- Exclusionary Conduct: If a dominant undertaking technically hinders data portability with the aim of locking users into its own platform, this may constitute a competition violation.
The right to data portability is considered a legal tool with a two-sided effect in economic analyses:
1. Competition-Supporting Effects
- Reducing Switching Costs: The fear of losing data when switching from one platform to another (switching cost) keeps users locked into their current service provider. The right to portability breaks this lock-in effect by reducing this cost.
- Facilitating Market Entry: New ventures can enter the market more quickly and overcome network effects more easily thanks to users’ ability to easily transfer their data from the old platform.
2. Potential Negative Effects and Concerns
- Decreased Investment Incentives: Companies being forced to share the data they collect with competitors may reduce their appetite for investment and innovation in data collection and processing.
- Cost Burden: Establishing the technical infrastructure required for data portability is costly. While this may not be an issue for large technology companies, it can create a barrier to market entry for small businesses.
VI. RELATIONSHIP BETWEEN DATA PORTABILITY AND OTHER LEGAL INSTITUTIONS
1. Relationship with the Right to be Forgotten
Exercising the right to data portability does not result in the automatic deletion of data from the old data controller’s system. After transferring their data to a new platform, the data subject must separately request the deletion of their data from the old platform. In other words, while portability ensures that the data is copied, the destruction of the original data is a matter for the “Right to be Deleted/Erased (Right to be Forgotten)”.
2. Third-Party Rights
Data sets requested for transfer, such as email history or messaging records, may inevitably contain data belonging to third parties. Legally, when exercising the right to data portability, it is essential that the rights and freedoms of third parties are not infringed upon. In this regard, the new data controller receiving the data must only retain this “third-party data” for the personal use of the relevant person and must not use it for their own commercial marketing activities.
VII. CONCLUSION
The right to data portability is a modern legal tool that increases the freedom of individuals and their ability to act as customers in the digital economy. Although it does not yet have a legal basis in Turkish law, due to the European Union harmonization process and the practical requirements of digital markets, it is considered a requirement of prudent business practice for data controller companies to make their systems interoperable and to keep data in returnable formats.
From a competition law perspective, this right performs a strategic competitive function by minimizing users’ switching costs between service providers, thereby eliminating lock-in effects and lowering barriers to market entry. However, the potential for this right, which aims to facilitate market entry, to dampen the enthusiasm of enterprises for investment and innovation due to high technical compliance costs reveals that its implementation has a two-sided and complex economic impact on market dynamics.
In future legal regulations, establishing a delicate balance between protecting companies’ trade secrets and individuals’ freedom to transfer their data is essential for ensuring legal certainty.
