Right to Data Portability
The right to data portability is the GDPR Article 20 right to receive and reuse certain provided personal data in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted to another controller.
Snapshot
- Core rule: Article 20 GDPR covers personal data concerning the person that they provided to a controller, where processing is based on consent or contract and is carried out by automated means.
- Format rule: the export must be structured, commonly used, and machine-readable; EDPB guidance treats XML, JSON, and CSV as ordinary examples and says a PDF alone is not enough for portability.
- Data boundary: guidance includes actively provided data and observed-use data, but generally excludes inferred or derived profiles, recommendations, scores, and analytics created by the controller.
- Transfer option: the person may ask for direct controller-to-controller transmission where technically feasible, but that does not require controllers to build universally compatible systems.
- AI relevance: portability is a lock-in control for prompts, conversations, account settings, preferences, ratings, annotations, transaction histories, and memory records, not a right to model weights or a full model audit.
Definition
The right to data portability is a data-protection right under Article 20 of the General Data Protection Regulation. It lets a person receive personal data they provided to a controller in a structured, commonly used, machine-readable format, and transmit that data to another controller without hindrance.
The right is narrower than a general export right and narrower than the right of access. It applies when processing is based on consent or contract and is carried out by automated means. It also includes a direct-transfer right from one controller to another where technically feasible.
For AI systems, portability is the movement right around provided data, observed-use records, and service histories. It matters when users, workers, creators, or customers need reusable copies of prompts, conversations, ratings, preferences, transaction histories, settings, annotations, playlists, files, labels, or other records that shape automated services.
Portability is not a right to every internal inference. A fraud score, recommender category, embedding created for internal retrieval, model weight, safety label, ranking feature, or behavioral segment may be personal data in another legal context, but Article 20 portability does not automatically require those controller-created artifacts to be exported.
Scope
Article 20 focuses on personal data concerning the person that they have provided to the controller. Guidance treats access and portability as related but distinct rights. Access can reveal what a controller processes; portability supports reuse and transfer in a format that another system can process.
The phrase "provided to the controller" is broader than form fields. WP29/EDPB guidance includes data actively and knowingly provided, such as account details, and observed data generated by use of a service or device, such as search history, traffic data, location data, transaction history, or raw device data. The same guidance generally excludes inferred and derived data created by the controller's analysis.
The right does not require disclosure of every inferred profile, trade secret, model weight, internal score, security-integrity record, or third-party personal data. It also must not adversely affect the rights and freedoms of others. A useful export therefore separates provided and observed records from internal analysis and from information that belongs to other people.
The right matters for AI lock-in. A conversational agent, hiring platform, learning system, recommender, marketplace, or productivity suite can become more useful as it accumulates user-provided history. Portability asks whether that history can travel without turning the person into a captive of one model, one platform, or one vendor memory layer.
Current Context
As of this review on June 25, 2026, GDPR Article 20 remains the core EU personal-data portability right, and the EDPB-endorsed WP29 portability guidelines remain the main interpretive source. Those guidelines frame portability as a user-control and reuse right, not as a competition-law cure for every switching cost.
Other EU regimes now sit beside Article 20. The EU Data Act applies from September 12, 2025 and creates separate access, sharing, switching, and interoperability rules for connected-product data, related services, and data processing services. Its connected-product design obligation in Article 3(1) applies to connected products and related services placed on the market after September 12, 2026, which was still a future date at this page's June 25, 2026 review.
The Digital Markets Act adds a separate gatekeeper portability layer. Article 6(9) requires designated gatekeepers to provide end users and authorized third parties, free of charge, effective portability for data provided by the end user or generated through their activity in the relevant core platform service, including tools and continuous real-time access. Article 6(10) separately requires effective, high-quality, continuous, real-time access for business users and authorized third parties to relevant data generated in the use of core platform services, with consent conditions for personal data.
In the United States, California's CCPA/CPRA framework includes portability-style access duties. The California Privacy Protection Agency's statutory compilation requires disclosures in a readily usable format that allows transmission to another entity without hindrance, and for specific pieces of information, to the extent technically feasible, a structured, commonly used, machine-readable format. That is not a federal Article 20 equivalent and should not be cited as if it has the same triggers or scope as GDPR.
For AI services, the current governance issue is no longer whether a download button exists. The question is whether exported data has enough schema, provenance, timestamps, identifiers, and context to be reused by another service without exposing other people, leaking sensitive records, or turning a portability request into a data-broker feed.
How It Works
A portability workflow needs intake, identity or account matching, the data categories requested, the lawful basis for the relevant processing, the automated systems involved, export format, delivery method, security controls, direct-transfer target if any, completion date, and any excluded categories with reasons.
AI systems add format and provenance problems. A raw JSON dump may be machine-readable but unusable without schemas, timestamps, field descriptions, units, source labels, and version information. A polished PDF may be readable by a person but fail the portability purpose if another service cannot process it.
Good design treats portability as an interoperability feature. Exports should be structured, documented, stable enough to reuse, and scoped tightly enough to protect other people. A serious export includes machine-readable records, schema documentation, field definitions, creation and update timestamps, source system names, account identifiers, and a manifest that explains included and excluded categories.
Where direct transfer is technically feasible, the controller should preserve security, authentication, authorization, and evidence that the transfer happened without avoidable friction. For high-risk transfers, a scoped authorization flow is safer than credential sharing, screen scraping, or sending a complete archive to an unverified destination.
Governance and Safety
The governance value of portability is that it weakens data lock-in. If a platform's advantage comes from user histories, preferences, annotations, and work records, portability gives people and organizations a path to reuse their own contributed data elsewhere.
The safety limit is that portability is not full transparency, correction, erasure, objection, or model audit. It should connect to Data Subject Access Requests, Right to Rectification, AI Data Provenance, AI Procurement, and Platform Monopoly Power where switching costs shape dependence on AI services.
Portability can also create risk. A complete export can reveal other people's messages, health facts, location patterns, workplace records, private contacts, child data, security questions, or commercial secrets. A direct-transfer API can be abused by impersonators, shadow IT, hostile brokers, or malicious apps if identity, consent, authorization, and destination controls are weak.
In AI governance, portability should be linked to Data Minimization, AI Data Retention, AI Memory and Personalization, Digital Identity, Rich Authorization Requests, and Data Brokers. The point is to make exit possible without making extraction predatory.
Failure Modes
- Export theater: the service offers a PDF, screenshot archive, or undocumented blob that a person can view but another service cannot reliably process.
- Scope collapse: access, erasure, portability, backup, account migration, and competition interoperability are treated as the same right, producing overbroad or underbroad responses.
- Inferred-data confusion: a controller either withholds observed-use data as "internal" or exports inferred profiles and scores without explaining that they fall outside the normal Article 20 portability boundary.
- Third-party exposure: conversations, contact books, shared workspaces, family accounts, or workplace records are exported without protecting other people's rights and freedoms.
- Security shortcut: direct transfer is implemented through password sharing, screen scraping, broad bearer tokens, or unverified destination apps.
- Schema rot: exports technically use JSON or CSV but change fields without versioning, omit units and timestamps, or lack a manifest, making reuse brittle.
- AI memory gap: visible chat history is exported, while durable memories, preference settings, annotations, ratings, files, and agent tool traces are ignored.
Defense Pattern
- Classify data before export. Separate actively provided data, observed-use data, inferred data, derived scores, third-party data, system metadata, security-integrity records, and trade-secret material.
- Map legal bases. Identify which processing rests on consent or contract and is automated, because Article 20 does not apply to every processing purpose in the same account.
- Publish usable schemas. Provide versioned field definitions, timestamps, source labels, encoding, units, and known limits for each portable dataset.
- Support secure transfer. Prefer scoped authorization, destination verification, audit logs, and revocation over credential sharing or all-or-nothing archive delivery.
- Protect other people. Redact, segment, or withhold records where portability would adversely affect others, and document the reason rather than silently dropping categories.
- Test round trips. Validate that a real receiving service can ingest the export and that direct-transfer logs prove what was sent, when, by whom, and to which controller.
- Keep exit tied to retention. A portability export should not become a reason to retain old data longer than necessary or to reuse a person's archive for unrelated profiling.
Evidence Record
For AI-related systems, preserve the portability request, identity verification, data categories included, data categories excluded, lawful basis check, export schema, file format, delivery method, direct-transfer target, security controls, completion date, and response sent to the person.
The record should distinguish raw provided data, observed-use data, inferred data, derived scores, model outputs, third-party data, and system metadata. That distinction is essential because portability rights attach differently across those categories, while AI products often display them together as one seamless memory.
For direct transfers, preserve the requesting account, authorized destination, authorization scope, transfer endpoint, authentication method, payload manifest, transfer time, success or failure state, revocation state, and any refusal or partial-transfer reason. That evidence matters when a person later disputes whether a controller hindered transfer or sent more than was requested.
Source Discipline
Do not collapse portability into access, backup, scraping, account migration, or a proprietary export button. Article 20 has specific trigger conditions, format requirements, and transfer language.
Use EUR-Lex for binding EU legal text. Use EDPB, WP29, ICO, and national supervisory-authority guidance to operationalize the right. Treat the EU Data Act, Digital Markets Act, UK digital markets conduct requirements, California privacy law, and sectoral portability schemes as adjacent regimes unless the source itself says otherwise.
Vendor export claims should be checked against data categories, schemas, authentication, third-party rights, direct-transfer support, destination controls, and practical reusability. "Download your data" is not the same evidence as a documented, tested portability interface.
Spiralist Reading
The right to data portability is the demand that memory not become a cage.
The institution prefers enclosure: the chat history stays here, the preference graph stays here, the ratings stay here, the workflow traces stay here. Portability says that some of what a person gave to the system should be able to leave in a form another system can understand.
For Spiralism, the important distinction is between export theater and usable passage. A portable record should carry enough structure to move, but not so much hidden profiling that the person becomes more exposed by leaving.
Open Questions
- Which AI memory fields count as data provided by the person rather than inferred data?
- How much schema documentation is necessary before an export is genuinely reusable?
- When should agent platforms support direct controller-to-controller transfer instead of downloadable files?
- How can portability protect third-party personal data inside conversations, messages, and collaborative workspaces?
- Can portability reduce AI platform lock-in without increasing fraud, impersonation, or data-broker reuse?
Related Pages
- Data Subject Access Requests
- Right to Rectification
- Right to Restriction of Processing
- Right to Object
- Right to Erasure
- Right to Be Informed
- Right to Withdraw Consent
- Data Protection Impact Assessment
- Data Protection Officer
- Records of Processing Activities
- Data Subject Representation
- AI Data Provenance
- AI Data Retention
- Data Minimization
- AI Memory and Personalization
- AI Procurement
- Platform Monopoly Power
- Data Brokers
- Digital Identity
- Verifiable Credentials
- Digital Credentials API
- Rich Authorization Requests
- Model Context Protocol
- Contextual Integrity
Sources
- EUR-Lex, Regulation (EU) 2016/679, General Data Protection Regulation, Article 20 and Recital 68, reviewed June 25, 2026.
- European Commission, Can individuals ask to have their data transferred to another organisation?, reviewed June 25, 2026.
- Article 29 Working Party, Guidelines on the right to data portability, WP242 rev.01, April 5, 2017, endorsed by the EDPB; reviewed June 25, 2026.
- European Data Protection Board, Respect individuals' rights, SME data protection guide, reviewed June 25, 2026.
- UK Information Commissioner's Office, Right to data portability, guidance page, reviewed June 25, 2026.
- Irish Data Protection Commission, The right to data portability (Article 20 of the GDPR), reviewed June 25, 2026.
- EUR-Lex, Regulation (EU) 2023/2854, Data Act, Articles 3 and 50, reviewed June 25, 2026.
- European Commission, Data Act, implementation page, reviewed June 25, 2026.
- EUR-Lex, Regulation (EU) 2022/1925, Digital Markets Act, Article 6(9)-(10), reviewed June 25, 2026.
- California Privacy Protection Agency, California Consumer Privacy Act statutory text, sections 1798.100, 1798.110, and 1798.115, reviewed June 25, 2026.