An alternative is to think of data as dangerous chemicals.

You can acquire it and store it, but you have to follow some procedures : - do not expose your employees to it - do not leak it in the environment

It then falls to the company to make the cost/benefit analysis : is this chemical important enough to our process to justify these hasles.

The data export also does not need to be a perfect API, dump a huge json and let third party handle changes.

> It otherwise seems unreasonable to require data-holders (/"controllers") to pay the costs of this "direct transfer", esp. re building and maintaining an API.

Consider it a cost of collecting the data in the first place.

You're assuming that they are deriving additional value from it. That isn't universal, but the law is.

Eg., consider me uploading some image files for processing and then downloading them. The website keeps those images only insofar as I wish, and never analyses them or derives value from them beyond what I permit -- and suppose the default is to permit nothing.

Then it seems odd. Since this is more like taking my shoes to be repaired. It would be onerous to require repair shops to send them elsehwere.

I think the theory is if the data controller does not derive value from storing the data they should not do so. In spotify's case they plainly do. Without user created playlists they would be up a creek.

If they get no value from it they're free to delete it