資料可攜制度之比較研究——以歐盟數位法案可攜性規定為中心

Abstract

隨著數位經濟發展，資料可攜制度成為平衡個人權益保護與資料流通的重要機制。歐盟近年來陸續通過《一般資料保護規則》（GDPR）、《數位市場法》（DMA）及《資料法》（DA）三部法案，建構多元化的資料可攜體系，惟各法案在制度設計上呈現顯著差異。本研究旨在分析歐盟多元資料可攜制度的制度特色、適用差異與協調問題。研究問題為：歐盟如何透過GDPR、DMA與DA三法建構功能分化的資料可攜制度，各制度間如何協調運作？ 本研究採比較法分析方法，逐一檢視三法案的立法目的，以及各法案中可攜規定的適用要件、存取機制、程序保障條件、利益平衡制度。研究發現，歐盟可攜制度從立法之初即呈現基本權保護與競爭政策工具的雙面特質，三法基於不同制度基礎發展出功能分化的體系：GDPR以基本權保護為基礎，透過賦予資料當事人個人資料可攜權，體現自主控制的憲法價值；DMA採非對稱監管模式，對守門人課予強行可攜義務，並將可攜性擴及商業使用者，以矯正市場競爭失衡；DA以契約法為基礎，創設法定存取共享權，並重新分配資料使用權，以建立使用者驅動的資料流通機制。 三法均採用「獲取方式」與「可識別性」兩種分類標準，界定可攜資料範圍，在促進資料流通與保護各方利益間建立平衡機制。然而，當三法規範範圍重疊時，歐盟採用「不影響條款」要求新法不得削弱GDPR保護標準，使資料持有者在處理混合資料集時，因無法判斷資料性質或分離資離，傾向優先確保符合GDPR，始提供資料存取。此種困境導致DMA與DA的可攜制度最終收束回GDPR嚴格同意框架，使新法追求資料開放流通的目的難以充分實現。

With the development of the digital economy, data portability frameworks have become crucial mechanisms for balancing personal rights protection and data circulation. The European Union has progressively enacted three legislative instruments: the General Data Protection Regulation (GDPR), the Digital Markets Act (DMA), and the Data Act (DA), establishing a diversified data portability system. However, these laws exhibit significant differences in their institutional designs. This study aims to analyze the institutional characteristics, application differences, and coordination challenges of the EU's multi-faceted data portability frameworks. The research question is: How does the EU construct functionally differentiated data portability systems through GDPR, DMA, and DA, and how do these systems coordinate with each other? This study adopts a comparative legal analysis approach, systematically examining the legislative purposes of the three acts, as well as the application requirements, access mechanisms, procedural safeguards, and interest-balancing systems of portability provisions in each law. The research finds that EU data portability frameworks have exhibited dual characteristics of fundamental rights protection and competition policy tools since their inception. The three laws have developed functionally differentiated systems based on different institutional foundations: GDPR is grounded in fundamental rights protection, embodying constitutional values of autonomous control by granting data subjects personal data portability rights; DMA adopts an asymmetric regulatory model, imposing mandatory portability obligations on gatekeepers and extending portability to business users to correct market competition imbalances; DA is based on contract law, creating statutory access and sharing rights and redistributing data usage rights to establish user-driven data circulation mechanisms. All three laws employ two classification standards—"acquisition method" and "identifiability"—to define the scope of portable data, establishing balancing mechanisms between promoting data circulation and protecting various stakeholder interests. However, when the regulatory scopes of the three laws overlap, the EU employs "without prejudice clauses" requiring new laws not to weaken GDPR protection standards. This causes data holders, when processing mixed datasets and unable to determine data nature or separate data types, to prioritize GDPR compliance before providing data access. This dilemma ultimately leads DMA and DA portability systems to converge back to GDPR's strict consent framework, making it difficult to fully realize the new laws' objectives of promoting open data circulation.