> It otherwise seems unreasonable to require data-holders (/"controllers") to pay the costs of this "direct transfer", esp. re building and maintaining an API.
Consider it a cost of collecting the data in the first place.
You're assuming that they are deriving additional value from it. That isn't universal, but the law is.
Eg., consider me uploading some image files for processing and then downloading them. The website keeps those images only insofar as I wish, and never analyses them or derives value from them beyond what I permit -- and suppose the default is to permit nothing.
Then it seems odd. Since this is more like taking my shoes to be repaired. It would be onerous to require repair shops to send them elsehwere.
I think the theory is if the data controller does not derive value from storing the data they should not do so. In spotify's case they plainly do. Without user created playlists they would be up a creek.
Consider it a cost of collecting the data in the first place.