The challenge of portability and GDPR

The right to data portability is both the simplest and the most complicated right; On one hand, it is simple by its definition: the right to retrieve your data for yourself or to input them on another service. But on the other hand it is a complicated topic by its implementation:

  • Only certain data concerned in the data portability scope
  • data should be transferred by a structured, commonly used and machine-readable format
  • mandatory requester identification
  • a process changing from one structure to another

How to make this right more accessible and easier for the user?


Making use of the right to portability enables first to transfer the data of a person, a user, from a platform to another. For example: you have a 800 titles playlist on Spotify and can transfer this playlist to deezer, another streaming music platform. The data concerned by this right are thoses the user provides, and only those ones (Example: your first name, address…) A data created by the controller (the person who defines the terms of the data processing) won’t be concerned by this right (for example: data created from machine learning) Make use of the right to portability enables also for the user to retrieve his data on the storage platform of his choice, for his personal use. The data files provided by the controller have to be commonly used and machine-readable format (ideally Json, XML and CSV).


Even if this right seems to not be merely enforced, it’s an understated right, infrequently mentioned, and not very considered by the controllers By the way, when it is set up, this right is not highlighted and is often stated at the bottom of the tabs. Frequently, when it is proposed to the users to make use of it, we are observing a bad implementation of this right by the controllers, whether through access or process. When finally, a user makes use of this right, controllers often don’t do their parts.They take their time to respond to the request, nor give all the data that they should and often, neither give them in a format that does not meet the legal requirements. As a result, there is often poor interoperability between files and dumps when the user wants to transfer data from one service to another. All that aside, the process does not make the user experience very pleasant. In fact, the user has to make a request, whose models are hard for a layman to find, he also has to authenticate himself, and prove that he's the one making the request.


As we can see on the following tab, while only 39% of the data controllers mention this data portability right in their privacy policy, none of them respect the legal requirements for the data transfers and extraction.

making reference to the right to data portability in privacy policiesActually Respect the legal requirements
Percentage/numbers of controllers39%0/4


With all these constraints, the right to data portability is not well enough known by the general public, and is often forgotten, which reassures data controllers and encourages them not to promote it further

But the real problem is not here. It goes much further.

In fact, the failure to promote this right enabled internet giants to dominate the web, by proposing better services and having a monopoly on data. The failure to promote this right enabled Facebook, Amazon or Google to keep their users and not to see them move to other platforms that could have offered a similar service with a more user and privacy friendly data processing system.

The failure to promote the right to portability made the internet of today, with few choices and a monopoly of the giants...


The challenge is to give this right the place it deserves.

In an Internet where the choice of products is unlimited, is it normal to have a very limited choice of platforms?

The answer is obviously no, and that's what the right to data portability is all about today and for the years to come. The challenge is also to make a better user experience, with the same process for all, the same data files, infinite interoperability, transferable dumps on all platforms and quick responses from controllers.

The challenge also resides in the data itself. The question is no longer which data are concerned, but why not all of them?

As the GDPR excludes the data processed on other legal basis than the data subject consent and the execution of a contract from the data portability scope, it does not prohibit the performance and the portability of data processed on other legal basis. To that end, another objective is that the right to portability should apply to all data, from any legal basis, whether or not provided from the user.


Today the right to portability is a total mess. Although it is a right enshrined in the various texts relating to data processing and data protection, it is nonetheless poorly used and rarely respected. A right which gives such opportunities for users, which empowers users in a data internet that is totally dominated by the controllers can't stay in the shadows.

It's obviously up to the controllers to change their mindset, by making this right more accessible and easier to use, but it is also up to users to have the desire to change things, to claim this right and make use of it in order to build a new internet landscape, to change the current ecosystem and build a new one with more perspectives, more choices and to see the emergence of platforms offering all kinds of services, more respectful of users data.

Make data portability great again !

Customer PNG