Inferensys

Glossary

Right to Portability

The right of a data subject to receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
DATA SUBJECT RIGHTS

What is Right to Portability?

The Right to Portability is a statutory data subject right empowering individuals to obtain and reuse their personal data across different services in a secure, structured format.

The Right to Portability, codified in Article 20 of the GDPR, is the right of a data subject to receive their personal data from a data controller in a structured, commonly used, and machine-readable format (such as CSV or JSON). This right strictly applies to data provided by the individual and processed by automated means based on consent or a contract, enabling seamless transmission to another controller without hindrance.

Technically fulfilling this right requires privacy request orchestration to extract data from disparate silos while excluding inferred or derived data. The process must ensure interoperability between competing platforms, distinguishing raw provided data from corporate assets, and often leverages secure API-based direct transfer mechanisms to prevent data exposure during transit.

Right to Portability

Key Characteristics of Data Portability

The right to data portability empowers data subjects to obtain and reuse their personal data across different services. It mandates that data be provided in a structured, commonly used, and machine-readable format, enabling seamless transfer from one data controller to another without hindrance.

01

Structured & Machine-Readable Format

The core technical requirement of the right to portability is the format of the data export. Data must be provided in a format that is structured (organized in a predefined way), commonly used (not proprietary or obscure), and machine-readable (easily parsed by software).

  • Recommended formats: JSON, CSV, XML, and Parquet for tabular data.
  • Unacceptable formats: Scanned PDFs, image files of text, or proprietary binary blobs.
  • Goal: Enable direct, automated ingestion by another data controller's systems without manual reformatting.
02

Scope: Data 'Provided By' the Subject

The right is not a blanket export of all data an organization holds. It applies specifically to personal data provided by the data subject to a controller, and processed by automated means based on consent or a contract.

  • Included: Actively submitted data (e.g., name, email, uploaded photos) and passively observed data (e.g., raw search history, location logs, heart rate telemetry).
  • Excluded: Inferred data and derived data created by the controller's proprietary algorithms (e.g., a user's credit score, a health risk profile, or a churn prediction).
  • Legal Basis: Article 20 of the GDPR and Section 1798.100 of the CCPA/CPRA.
03

Direct Transmission Between Controllers

Where technically feasible, the data subject has the right to request the direct transmission of their personal data from one controller to another, bypassing the subject entirely. This creates a technical mandate for interoperability.

  • Mechanism: Requires secure, authenticated APIs for controller-to-controller data transfer.
  • Standardization: Industry efforts like the Data Transfer Project (DTP)—founded by Google, Meta, Microsoft, and Twitter—provide open-source frameworks for this direct transfer.
  • Constraint: The sending controller is not obligated to adopt a specific technical system but must implement a reasonable, secure method for direct transfer when requested.
04

Technical Interoperability & API Design

Fulfilling portability requests at scale demands a robust Privacy Request Orchestration layer and well-designed APIs. The export must be a complete, faithful representation of the data, not a summary.

  • API Design: RESTful endpoints that authenticate the subject, query all relevant data stores (via Data Lineage for PII), and package the response in a standardized schema.
  • Security: Strong identity verification is critical before executing a transfer to prevent unauthorized data exfiltration.
  • Volume Handling: Systems must handle large exports (e.g., years of location history) without timing out, often using asynchronous jobs with a status-check endpoint.
05

Distinction from the Right of Access

Data portability is a distinct and supplementary right, not a replacement for the general Right of Access. They serve different purposes and have different technical requirements.

  • Right of Access (Art. 15): Provides a human-readable copy of all personal data and metadata (purposes, recipients, retention periods). The goal is transparency.
  • Right to Portability (Art. 20): Provides a machine-readable subset of data for reuse. The goal is interoperability and user control.
  • Key Difference: An access request might yield a PDF report, which is insufficient for portability. A portability request must yield raw, structured data.
06

Limitations & Third-Party Rights

The right to portability is not absolute. It is constrained by the rights and freedoms of others, which creates complex technical challenges in multi-user datasets.

  • Third-Party Data: Exports must not adversely affect the rights of other individuals. Data containing joint personal information (e.g., a messaging thread) requires technical filtering or consent from the third party before inclusion.
  • Security Risk: Portability hubs become high-value targets for attackers. A compromised portability API can lead to mass data exfiltration.
  • Trade Secrets: The right does not compel a controller to reveal proprietary algorithms or trade secrets, which is why inferred data is explicitly excluded from the scope.
RIGHT TO PORTABILITY EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about the data subject's right to receive and transmit their personal data in a structured, machine-readable format under global privacy regulations.

The right to data portability is a statutory entitlement under Article 20 of the GDPR and similar global privacy frameworks that empowers a data subject to receive their personal data from a controller in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance. The right applies exclusively to data processed by automated means and is contingent on the processing being based on consent or a contract. Technically, fulfillment requires the controller to extract all relevant PII from source systems, serialize it into interoperable formats such as JSON, CSV, or XML, and deliver it via a secure channel—either directly to the data subject or, where technically feasible, through a direct controller-to-controller transfer. The right is distinct from the right of access under Article 15; portability focuses on data reuse and interoperability, not merely transparency. Controllers must respond within one month, with the possibility of a two-month extension for complex requests, and cannot charge a fee unless the request is manifestly unfounded or excessive.

REGULATORY COMPARISON

GDPR vs. CCPA: Right to Portability

A technical comparison of data portability requirements under the European Union's General Data Protection Regulation and the California Consumer Privacy Act.

FeatureGDPR (Art. 20)CCPA/CPRA (§ 1798.105)

Legal basis for portability

Data subject right; applies when processing is based on consent or contract

Consumer right; applies to personal information collected directly from the consumer

Scope of data covered

Personal data provided by the data subject and observed data generated by their activity

Personal information collected from the consumer, excluding inferred or derived data

Required format

Structured, commonly used, and machine-readable format (e.g., JSON, CSV, XML)

Portable and readily usable format to the extent technically feasible

Direct transfer to another controller

Timeframe for response

1 month (extendable by 2 months for complex requests)

45 days (extendable by 45 days if reasonably necessary)

Verification requirement

Reasonable measures to verify identity; no disproportionate effort standard

Verifiable consumer request; must match data already maintained

Exemptions

Does not apply to processing necessary for public interest or official authority

Does not require retention of data beyond business purposes or re-identification of de-identified data

Penalty for non-compliance

Up to €20 million or 4% of global annual turnover

Up to $7,500 per intentional violation; $2,500 per unintentional violation

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.