Italy’s competition authority has settled a probe of Google focused on data portability after accepting commitments from the tech giant that look set to make it easier for users to take their data elsewhere, the AGCM said today.
The watchdog opened the investigation last summer, acting on a complaint by a local company which operates a direct marketing platform, called Weople. Its owner, Hoda, had complained Google’s data portability offer — aka Takeout — is extremely complicated and discourages users from porting their data elsewhere.
The Italian company has a commercial reason to want to smooth the path of data portability since the Weople service works by encouraging users to port data from third parties, such as social media platforms and loyalty card schemes, in order to populate so-called virtual data deposit boxes.
Per an explainer on its website, data deposited in virtual spaces on the Weople platform is encrypted and tokenized — a process Hoda claims renders personal data “anonymized” and “aggregated” — in order that it can be repurposed for targeted marketing, including the sending of personalized offers, without users’ personal data or identity being shared with advertisers. So Hoda is purporting to act as an identity-screening intermediary, albeit while processing user data itself.
The carrot offered to users to encourage them to share a copy of their data is a promise that they’ll get cut in on any ad revenue. The FAQ suggests up to 90% of any revenue generated off the data is returned to users in passive earnings.
Given the dominant role Google plays in several online market, such as the market for general search, access to data it holds on users was seen by Hoda as important for the development of its business.
Back in 2019 it started by asking Google to improve interoperability mechanisms to make it easier for users to port their data into its platform. But its complaint to the AGCM said the tech giant rebuffed its asks — pointing to its existing Takeout procedure as the only available route for porting data. Hence Hoda filing a formal complaint with the watchdog that Google was obstructing interoperability.
The regulatory oversight has now culminated in the AGCM accepting proposals from Google aimed at easing data portability.
Trio of commitments ahead of API
It’s not a formal finding that Google broke competition law by impeding interoperability. But the Italian authority said it believes the three commitments offered by Google resolve competition concerns.
Two of the commitments supplement what Google already offers with Takeout, while a third relates to a new direct (service to service) data portability offering that Google will make available to third party operators in the future.
The AGCM’s settlement decision provides more details of the commitments. One of which will see Google provide third parties with a URL they can embed in their own applications to help automate the Takeout process — making it easier for users to select and export their data via Takeout by linking them directly to their Takeout profile where one or more categories of Google user data will have been pre-selected in line with the third party’s preferences. A field for the frequency of data exports may also be pre-selected.
Google has also committed to make the data available as a single file in a standard machine-readable format via relevant cloud storage services. And Google users will receive a notification email once the down has finished — containing a link to the cloud storage service where the export file is hosted so they can more easily share it with third parties of their choice.
A second commitment by Google will see it make more detailed documentation available to third parties regarding data fields related to users’ web searches, Chrome browsing history and YouTube — with the aim of making exported data more useful to third parties.
Under the third commitment, it has pledged to provide early access (i.e. for testing before official release) to a new service-to-service direct portability API it’s developing. Per the AGCM, this API is expected to be ready in the first quarter of 2024 but under the early adopter program commitment third parties will be able to start testing what Google has in the works at least six months ahead of the full release in the case of some of its services (such as Google Search and YouTube).
The AGCM document specifies October 2023 as the start date for the early access to the API.
The first two commitments run for five years from their implementation dates. The third commitment is binding until Google releases the direct data portability API. An independent monitoring trustee will be appointed to monitor Google’s compliance.
In a press release announcing the settlement, the AGCM suggested the commitments from Google will see users benefiting by more easily being able to take their data elsewhere — ahead of what it couched as a key development next year, when the tech giant is set to release an API to automate the data portability process.
Reached for comment on the settlement, A Google company spokeswoman sent us this statement:
People should be able to use their data with the services that they like best. For over a decade we have offered people the ability to take out and transfer their data from more than 70 Google products. We continue to make investments in Takeout, the Data Transfer Project, and data portability more broadly in a way that improves user experience while protecting user privacy and security. We are pleased that the AGCM have accepted our commitments in this matter.
Data portability and the EU’s DMA
The commitments Google is making around data portability may have been extracted by the Italian watchdog but are likely to be linked to wider efforts to prepare its business for compliance with the pan-EU Digital Markets Act (DMA).
The regulation started to apply in May but designations are still pending and compliance for the first so-called “gatekeepers” won’t kick in until next Spring. Although the ex ante competition reboot is widely expected to apply to Google’s business in Europe.
The tech giant recently signalled it believes it operates at least one “core platform service” which will be regulated under the new regime.
The DMA applies a series of ‘dos and don’ts’ on the platform giants it applies to with the aim of rebalancing the competitive playing field online. Among these obligations is a requirement that gatekeepers support market contestability by enabling service switching (or multi-homing) via support for data portability linked to their core platform services.
Here’s a chunk of a relevant recital from the DMA:
[E]nd users, as well as third parties authorised by an end user, should be granted effective and immediate access to the data they provided or that was generated through their activity on the relevant core platform services of the gatekeeper. The data should be received in a format that can be immediately and effectively accessed and used by the end user or the relevant third party authorised by the end user to which the data is ported. Gatekeepers should also ensure, by means of appropriate and high quality technical measures, such as application programming interfaces, that end users or third parties authorised by end users can freely port the data continuously and in real time. This should apply also to any other data at different levels of aggregation necessary to effectively enable such portability.
This suggests the API that Google is developing for direct data portability is likely to be part of its response to DMA compliance — meaning it will be made available across the EU (at least). The Italian procedure thus looks like a stop-gap measure until the bloc’s big digital competition reboot kicks in next Spring. But in that regard it offers a taster of more major changes coming down the pipe for the most powerful digital players early next year.