Am I alone in thinking he isn't entirely correct? To my understanding with GDPR (I'm no expert, just on the developer end trying to adhere to it), he has all the right to get a copy of the data, as well as have that data be transferred to another controller.
He does, however have no say in the exact data transfer protocol used for the transfer. If Spotify wants to disable an api and shut down production resources, I don't see how a GDPR request can compel them otherwise. As long as they prepare all the data, and allow for the transfer, then they are complying with GDPR. Even if the API at some point existed, it doesn't mean they are required to maintain it.
The other side of this is that Spotify's answers were perhaps too earnest in detailing why. When arguing it is against their ToS, it doesn't really fly with GDPR anymore, because that implies they have everything in place, but they don't want to. They could have just said "we'll compile all the data and facilitate a transfer on your behalf", and the user really wouldn't have the slightest case.
So to sum up, my take is that both are wrong. Spotify in arguing its against their ToS (it doesn't fly). And the emailer arguing that they are entitled to Spotify enabling their api (they aren't).
Afaik GDPR says where it's technically feasible. The interpretation of technically feasible may vary, but given that the API was live for some time, it could be said it is feasible.
That being said I am no lawyer and I don't know what I'm talking about.
That is more or less why I wrote the things I wrote. By arguing it was against their ToS, they implied it was technically feasible. It however doesn't mean it isn't also technically infeasible, so I still believe Spotify could take a big fat dump of the data in any format they chose, zip it up and send it to the other controller, and it would be within the GDPR requirements.
If people think that GDPR grants consumers the right on which services exist and how data should represented etc, then I think they are misinformed.
Spotify could have answered with "That API is no longer available, but we will facilitate the transfer of an archived version of the data", and... I mean, what clause of GDPR does he have to complain or demand they do anything different?
He does, however have no say in the exact data transfer protocol used for the transfer. If Spotify wants to disable an api and shut down production resources, I don't see how a GDPR request can compel them otherwise. As long as they prepare all the data, and allow for the transfer, then they are complying with GDPR. Even if the API at some point existed, it doesn't mean they are required to maintain it.
The other side of this is that Spotify's answers were perhaps too earnest in detailing why. When arguing it is against their ToS, it doesn't really fly with GDPR anymore, because that implies they have everything in place, but they don't want to. They could have just said "we'll compile all the data and facilitate a transfer on your behalf", and the user really wouldn't have the slightest case.
So to sum up, my take is that both are wrong. Spotify in arguing its against their ToS (it doesn't fly). And the emailer arguing that they are entitled to Spotify enabling their api (they aren't).