
I guess the relevant section also quoted in the original post by Confiks ("the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible") may be up for interpretation, and as a result not everyone might have to provide such an API. But in this specific case, we can be sure that it most definitely was technically feasible, as the feature used to work before their ToS change and it merely stopped working because they wanted to block SongShift.


You don't have to provide an API to transfer between accounts on the same platform, but you do need to provide a way to get all your data off the service, which another service can use to import.


Read the emails this person sent to Spotify.


The API was already implemented and shut off. He did not ask them to implement the API, he asked them to turn it back on, and there is a large difference.


Am I alone in thinking he isn't entirely correct? To my understanding with GDPR (I'm no expert, just on the developer end trying to adhere to it), he has all the right to get a copy of the data, as well as have that data be transferred to another controller.

He does, however, have no say in the exact data transfer protocol used for the transfer. If Spotify wants to disable an API and shut down production resources, I don't see how a GDPR request can compel them otherwise. As long as they prepare all the data, and allow for the transfer, then they are complying with GDPR. Even if the API at some point existed, it doesn't mean they are required to maintain it.

The other side of this is that Spotify's answers were perhaps too earnest in detailing why. When arguing it is against their ToS, it doesn't really fly with GDPR anymore, because that implies they have everything in place, but they don't want to. They could have just said "we'll compile all the data and facilitate a transfer on your behalf", and the user really wouldn't have the slightest case.

So to sum up, my take is that both are wrong. Spotify in arguing it's against their ToS (it doesn't fly). And the emailer arguing that they are entitled to Spotify enabling their API (they aren't).


Afaik GDPR says where it's technically feasible. The interpretation of technically feasible may vary, but given that the API was live for some time, it could be said it is feasible.

That being said I am no lawyer and I don't know what I'm talking about.


That is more or less why I wrote the things I wrote. By arguing it was against their ToS, they implied it was technically feasible. It however doesn't mean it isn't also technically infeasible, so I still believe Spotify could take a big fat dump of the data in any format they chose, zip it up and send it to the other controller, and it would be within the GDPR requirements.

If people think that GDPR grants consumers the right to decide which services exist and how data should be represented etc., then I think they are misinformed.

Spotify could have answered with "That API is no longer available, but we will facilitate the transfer of an archived version of the data", and... I mean, what clause of GDPR does he have to complain or demand they do anything different?

