Definition
Data portability is the right or ability of individuals to receive their personal data from a data controller in a structured, commonly used, and machine‑readable format, and to transmit that data to another controller without hindrance. It is intended to promote user control over personal information and to facilitate competition among service providers.
Overview
The concept of data portability is most prominently codified in Article 20 of the European Union’s General Data Protection Regulation (GDPR), which entered into force in May 2018. Under the GDPR, a data subject may request the transfer of personal data that has been provided to a controller, provided that the data is processed based on consent or a contract, and that the transfer is technically feasible.
Data portability has since influenced other legislative frameworks, including the California Consumer Privacy Act (CCPA) and Brazil’s Lei Geral de Proteção de Dados (LGPD), which contain analogous provisions. In practice, data portability is implemented through APIs, export functions, or standardized data formats such as JSON, CSV, or XML. Its adoption aims to:
- Enhance consumer choice by lowering switching costs between digital services.
- Encourage competition and innovation among service providers.
- Increase transparency about the data that organizations hold.
- Support broader interoperability of digital ecosystems.
Technical challenges include ensuring data accuracy, preserving context (e.g., metadata), handling proprietary formats, and mitigating security risks during transfer. Legal challenges involve interpreting the scope of “provided by the data subject,” determining the applicability of the right to non‑personal data, and reconciling portability with other obligations such as confidentiality or intellectual property rights.
Etymology/Origin
The term combines “data,” referring to information processed or stored by computers, with “portability,” derived from the Latin portare (“to carry”). The phrase emerged in the early 2010s within privacy‑by‑design discussions and was formally introduced into law by the GDPR during its drafting phase (2015‑2016). The notion reflects a broader shift toward granting individuals enforceable rights over their digital footprints.
Characteristics
| Characteristic | Description |
|---|---|
| Legal Basis | Grounded in data‑protection statutes (e.g., GDPR Art. 20, CCPA §1798.100). |
| Scope of Data | Applies to personal data that the individual has supplied to the controller, or that has been generated from that data by the controller, where processing is based on consent or contract. |
| Format Requirement | Must be provided in a structured, commonly used, machine‑readable format (e.g., JSON, CSV). |
| Transfer Mechanism | The controller may transmit data directly to another controller at the request of the data subject, subject to technical feasibility and security safeguards. |
| Exclusions | Data that is publicly available, anonymized, or protected by intellectual‑property or trade‑secret rights may be excluded. |
| Security Measures | Controllers must implement appropriate safeguards to prevent unauthorized access or alteration during the transfer. |
| Interoperability Goal | Promotes the use of open standards and APIs to facilitate seamless data exchange between services. |
| User Control | Empowers individuals to manage, edit, or delete their data after receipt, though deletion rights are distinct from portability. |
Related Topics
- General Data Protection Regulation (GDPR) – EU regulation that enshrines the right to data portability.
- Data Subject Rights – Collection of rights granted to individuals under data‑protection laws (access, rectification, erasure, restriction, objection).
- Data Interoperability – The ability of different systems and organizations to exchange and make use of data cohesively.
- Privacy‑by‑Design – Framework that integrates privacy considerations, including portability, into system architecture from the outset.
- Open Standards & APIs – Technical specifications (e.g., RESTful APIs, OpenID Connect) that facilitate standardized data exchange.
- Digital Consumer Rights – Broader set of rights concerning digital services, including the right to be forgotten and consent management.
- Data Sovereignty – Legal concept concerning jurisdictional control over data, which can intersect with portability when cross‑border transfers occur.
This entry reflects the current understanding of data portability as established in international data‑protection legislation and technical practice up to 2026.