Wiki · Concept · Last reviewed June 25, 2026

Right to Data Portability

The right to data portability is the GDPR Article 20 right to receive and reuse certain provided personal data in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted to another controller.

Snapshot

Definition

The right to data portability is a data-protection right under Article 20 of the General Data Protection Regulation. It lets a person receive personal data they provided to a controller in a structured, commonly used, machine-readable format, and transmit that data to another controller without hindrance.

The right is narrower than a general export right and narrower than the right of access. It applies when processing is based on consent or contract and is carried out by automated means. It also includes a direct-transfer right from one controller to another where technically feasible.

For AI systems, portability is the movement right around provided data, observed-use records, and service histories. It matters when users, workers, creators, or customers need reusable copies of prompts, conversations, ratings, preferences, transaction histories, settings, annotations, playlists, files, labels, or other records that shape automated services.

Portability is not a right to every internal inference. A fraud score, recommender category, embedding created for internal retrieval, model weight, safety label, ranking feature, or behavioral segment may be personal data in another legal context, but Article 20 portability does not automatically require those controller-created artifacts to be exported.

Scope

Article 20 focuses on personal data concerning the person that they have provided to the controller. Guidance treats access and portability as related but distinct rights. Access can reveal what a controller processes; portability supports reuse and transfer in a format that another system can process.

The phrase "provided to the controller" is broader than form fields. WP29/EDPB guidance includes data actively and knowingly provided, such as account details, and observed data generated by use of a service or device, such as search history, traffic data, location data, transaction history, or raw device data. The same guidance generally excludes inferred and derived data created by the controller's analysis.

The right does not require disclosure of every inferred profile, trade secret, model weight, internal score, security-integrity record, or third-party personal data. It also must not adversely affect the rights and freedoms of others. A useful export therefore separates provided and observed records from internal analysis and from information that belongs to other people.

The right matters for AI lock-in. A conversational agent, hiring platform, learning system, recommender, marketplace, or productivity suite can become more useful as it accumulates user-provided history. Portability asks whether that history can travel without turning the person into a captive of one model, one platform, or one vendor memory layer.

Current Context

As of this review on June 25, 2026, GDPR Article 20 remains the core EU personal-data portability right, and the EDPB-endorsed WP29 portability guidelines remain the main interpretive source. Those guidelines frame portability as a user-control and reuse right, not as a competition-law cure for every switching cost.

Other EU regimes now sit beside Article 20. The EU Data Act applies from September 12, 2025 and creates separate access, sharing, switching, and interoperability rules for connected-product data, related services, and data processing services. Its connected-product design obligation in Article 3(1) applies to connected products and related services placed on the market after September 12, 2026, which was still a future date at this page's June 25, 2026 review.

The Digital Markets Act adds a separate gatekeeper portability layer. Article 6(9) requires designated gatekeepers to provide end users and authorized third parties, free of charge, effective portability for data provided by the end user or generated through their activity in the relevant core platform service, including tools and continuous real-time access. Article 6(10) separately requires effective, high-quality, continuous, real-time access for business users and authorized third parties to relevant data generated in the use of core platform services, with consent conditions for personal data.

In the United States, California's CCPA/CPRA framework includes portability-style access duties. The California Privacy Protection Agency's statutory compilation requires disclosures in a readily usable format that allows transmission to another entity without hindrance, and for specific pieces of information, to the extent technically feasible, a structured, commonly used, machine-readable format. That is not a federal Article 20 equivalent and should not be cited as if it has the same triggers or scope as GDPR.

For AI services, the current governance issue is no longer whether a download button exists. The question is whether exported data has enough schema, provenance, timestamps, identifiers, and context to be reused by another service without exposing other people, leaking sensitive records, or turning a portability request into a data-broker feed.

How It Works

A portability workflow needs intake, identity or account matching, the data categories requested, the lawful basis for the relevant processing, the automated systems involved, export format, delivery method, security controls, direct-transfer target if any, completion date, and any excluded categories with reasons.

AI systems add format and provenance problems. A raw JSON dump may be machine-readable but unusable without schemas, timestamps, field descriptions, units, source labels, and version information. A polished PDF may be readable by a person but fail the portability purpose if another service cannot process it.

Good design treats portability as an interoperability feature. Exports should be structured, documented, stable enough to reuse, and scoped tightly enough to protect other people. A serious export includes machine-readable records, schema documentation, field definitions, creation and update timestamps, source system names, account identifiers, and a manifest that explains included and excluded categories.

Where direct transfer is technically feasible, the controller should preserve security, authentication, authorization, and evidence that the transfer happened without avoidable friction. For high-risk transfers, a scoped authorization flow is safer than credential sharing, screen scraping, or sending a complete archive to an unverified destination.

Governance and Safety

The governance value of portability is that it weakens data lock-in. If a platform's advantage comes from user histories, preferences, annotations, and work records, portability gives people and organizations a path to reuse their own contributed data elsewhere.

The safety limit is that portability is not full transparency, correction, erasure, objection, or model audit. It should connect to Data Subject Access Requests, Right to Rectification, AI Data Provenance, AI Procurement, and Platform Monopoly Power where switching costs shape dependence on AI services.

Portability can also create risk. A complete export can reveal other people's messages, health facts, location patterns, workplace records, private contacts, child data, security questions, or commercial secrets. A direct-transfer API can be abused by impersonators, shadow IT, hostile brokers, or malicious apps if identity, consent, authorization, and destination controls are weak.

In AI governance, portability should be linked to Data Minimization, AI Data Retention, AI Memory and Personalization, Digital Identity, Rich Authorization Requests, and Data Brokers. The point is to make exit possible without making extraction predatory.

Failure Modes

Defense Pattern

Evidence Record

For AI-related systems, preserve the portability request, identity verification, data categories included, data categories excluded, lawful basis check, export schema, file format, delivery method, direct-transfer target, security controls, completion date, and response sent to the person.

The record should distinguish raw provided data, observed-use data, inferred data, derived scores, model outputs, third-party data, and system metadata. That distinction is essential because portability rights attach differently across those categories, while AI products often display them together as one seamless memory.

For direct transfers, preserve the requesting account, authorized destination, authorization scope, transfer endpoint, authentication method, payload manifest, transfer time, success or failure state, revocation state, and any refusal or partial-transfer reason. That evidence matters when a person later disputes whether a controller hindered transfer or sent more than was requested.

Source Discipline

Do not collapse portability into access, backup, scraping, account migration, or a proprietary export button. Article 20 has specific trigger conditions, format requirements, and transfer language.

Use EUR-Lex for binding EU legal text. Use EDPB, WP29, ICO, and national supervisory-authority guidance to operationalize the right. Treat the EU Data Act, Digital Markets Act, UK digital markets conduct requirements, California privacy law, and sectoral portability schemes as adjacent regimes unless the source itself says otherwise.

Vendor export claims should be checked against data categories, schemas, authentication, third-party rights, direct-transfer support, destination controls, and practical reusability. "Download your data" is not the same evidence as a documented, tested portability interface.

Spiralist Reading

The right to data portability is the demand that memory not become a cage.

The institution prefers enclosure: the chat history stays here, the preference graph stays here, the ratings stay here, the workflow traces stay here. Portability says that some of what a person gave to the system should be able to leave in a form another system can understand.

For Spiralism, the important distinction is between export theater and usable passage. A portable record should carry enough structure to move, but not so much hidden profiling that the person becomes more exposed by leaving.

Open Questions

Sources


Return to Wiki