Global Portability Regulatory Round-Up
A couple of times a year, I like to update you all on the regulatory landscape for data portability. My hope in providing updates is to put on your radar developments that you otherwise may not have been aware of – and to drive home that data portability is on the rise and continues to gain traction around the world.
At DTI, our audience is global. And diverse. Some of you may find these developments interesting based on your business interests, while others are more interested from an academic and trend-identifying standpoint. Or perhaps you live in one of the impacted jurisdictions. No matter what your interest in the topic, it’s safe to say that regulators continue to pay increased attention to data portability. Below, I highlight a few notable developments in various countries around the world. I’ve provided some context on these developments, however additional research may be necessary for a full understanding.
Canada
In Canada, the Competition Bureau released in May an annual plan for 2025-2026 to help implement its 2024 Strategic Vision. Notably, as part of these efforts, the Bureau plans to continue to “promote the benefits of data portability (the ability to move personal data safely between different online services) and support policies that give consumers more power over their data in the digital world.” This work builds on Canada’s existing work on data portability in 2024, which included reporting on research regarding the potential of data port ability to unlock competition and empower consumers in the digital economy–as well as its 2018 Digital Charter Foundation, which listed Portability as one of Canada’s established national policy priorities.
Separately, in February 2025, in an effort to better understand how data portability and its technological solutions mesh with current securities regulations, the Canadian Securities Administration (CSA) government invited industry participation in its new data portability studies in the investment market. Its first project, which closed in May 2025, revolved around a discussion paper that considered “Know-Your-Client (“e-KYC”) solutions, and gave the public an opportunity to comment on a range of topics, including:
- The demand for and benefits of data portability solutions,
- The use of data portability in mitigating investor risk,
- Privacy and security concerns arising from increasing data portability,
- The technological standards and innovations related to data portability,
- Possible regulatory barriers affecting development of data portability solutions, and
- Whether the discussion should shift to testing technological tools or business strategies, while simultaneously allowing eligible businesses to pilot those innovations in a “controlled space” and within defined timeframes.
Companies are receiving direct feedback from CSA staff throughout the testing process, with more information on what’s next forthcoming from the government.
Australia
In 2024, the Australian government announced a “reset” of its Consumer Data Right (CDR) and broader privacy reforms. That CDR reset and expansion is ongoing, and data portability is a key component of it.
In March 2025, amendments to the CDR Rules took effect which extended the operation of CDR to the non-bank lenders sector and included a timetable for when CDR data sharing obligations commence for relevant non-bank lenders. More information on the specifics of the reforms and guidance for companies is available in the Australian government’s compliance guide for businesses (updated July 2025).
Regulatory enforcement has also intensified in Australia, with the Australian Competition and Consumer Commission issuing the largest CDR fine to date in June. And as recently as June 2025, the Australian antitrust watchdog also continues to publish a set of exemptions for data portability requirements for specific companies.
South Korea – Rollout of MyData System
In 2024, South Korea announced its policy direction and plans, one of which was to promote the expansion of data portability rights in order to “bring tangible benefits to the people.” To enable this end goal, in March 2025, South Korea’s Personal Information Protection Commission (PIPC) officially implemented a MyData framework (South Korea’s open and portable data service), following its 2023 amendment to the Personal Information Protection Act (PIPA). The result is that individuals could ask entities that control and process their personal data to transmit such information to other parties; it also marked the launch of a national platform enabling individuals to port personal data from public and financial institutions to third-party MyData providers.
Now, in mid-2025, the PIPC is actively expanding MyData beyond the finance and public sectors. In June 2025, it released a public consultation on amendments to broaden data portability across all sectors, intending to embed this right into its Enforcement Decree of PIPA. Public comments will close on August 4, 2025. Based on translations of original government documents, the new amendments will apply to large-scale data controllers, broaden the scope of transferable personal data and introduce secure transfer methods such as encrypted file downloads and API integration. They also regulate third-party requests by permitting automated data access only through certified specialized agencies.
Upcoming expansion of data sectors under MyData are already underway for healthcare, telecom, and energy—and later phases are contemplating transport, education, employment, real estate, welfare, distribution, and leisure. In 2025, the Korean government is also expected to continue building standards, platforms, and sandboxes to achieve its goals.
The TL;DR: with consultations underway and new regulatory developments, South Korea is building a full-fledged MyData ecosystem across a number of critical services. Backed by amendments to PIPA, it allows people to directly request transfers and is being expanded to cover all sectors. The government is standardizing formats, supporting innovation through sandboxes, and building a national support platform to make data portability seamless, secure, and user-friendly. South Korea’s coordinated approach is a comprehensive one and could serve as a blueprint for other countries aiming to align port ability ambitions with operational rollout.
United Kingdom’s Smart Data Initiatives
On June 19, the Data (Use and Access) Bill was enacted into law, giving the UK government the necessary powers to implement Smart Data Schemes for digital markets through secondary legislation. Shortly thereafter, the UK government publicly confirmed its Smart Data agenda in its Modern Industry Strategy report, including its goal to drive innovation across digital markets by giving individuals the right and ability to share data with trusted third parties. DTI has reported on these and other UK developments in more detail in a recent blog post. Just yesterday, on July 28, the Department for Science, Innovation & Technology (DSIT) within the UK government announced a call for evidence on smart data opportunities in the digital market.
Malaysia Issues Supplemental Guidance on Portability
When we last updated you on Malaysia developments in October 2024, Malaysia’s Personal Data Protection Commissioner had recently opened and closed a public consultation outlining how the data portability right should be scoped and exercised.
Since then, Malaysia has released supplemental guidance on data portability, which clarifies that:
- There is a requirement to comply only if there is technical feasibility
- Entities may be required to comply with a common set of technical standards as specified by Commissioner
- The requirement is limited to only a prescribed set of personal data (personal data provided by the data subject *or data *processed by automated means).
- Entities are only required to transmit data belonging to the categories listed in a whitelist** **to be issued by the Commissioner or industry/ sector regulators.
- Required to comply within 21 days of receiving the request, or no later than 14 days after the initial 21-day period
- Data controllers may charge a reasonable fee to cover associated costs of complying with such requests.
Malaysia’s progress on data portability in 2025 reflects a methodical and consultative approach. Following the enactment of the Personal Data Protection Amendment Act in July 2024, the country has been phasing in new rights across three implementation waves. Most notably, the third phase—which came into force on June 1, 2025—introduced a formal right to data portability. Data subjects now have the right to request that their personal data be transmitted directly from one controller to another, subject to technical feasibility and data format compatibility. Malaysia’s rollout strategy reflects both ambition and pragmatism: build a right that works, make it actionable, and bring the public along in defining what meaningful portability should look like.
Other Developments of Note
Other developments since our last update in 2024 include the following:
- China Cybersecurity Regulations Address Data Portability: In September 2024, the State Council of China published regulations to enhance and clarify obligations for online platforms as they relate to network data security, personal information protection, and cross-border transfers. The regulations are formulated under existing Cyber Security law, Data Security law, and the Personal Information Protection Law (“PIPL”). The PIPL now sets out the specific conditions that must be met to exercise a data portability right: (1) verifying the true identity of the data subject; (2) the legal basis for processing the concerned personal information must either be consent or contract necessity; (3) the transfer is technically feasible; and (4) the transfer will not harm the legitimate rights and interests of others. The regulations also clarify that if the number of requests significantly exceeds a reasonable range, the network data handler may charge necessary costs of fulfilling the request.
- Chile Passes Data Protection Law: In November 2024, Chile passed a new Data Protection Act (DPA), updating its existing 1999 framework for the protection of personal data. The Act offers a new right to portability and applies to non-Chilean based companies that provide goods/services to individuals in Chile. It also establishes a new Chilean data protection regulator to oversee and enforce data protection laws. The Act is expected to be fully in effect by 2026.
- Monaco Strengthens Data Protection Laws, including Data Portability: Monaco modernized its data protection legislation with the adoption of a new law on December 3, 2024. Inspired by the GDPR, the right to portability, erasure, and right to restrict processing are significantly enhanced.
- Botswana Portability Right in Effect: Botswana’s Data Protection Act, which introduced a new data portability right similar to the GDPR’s, came into force on January 14, 2025. It applies to data controllers outside of the country if their activities involve Botswana residents.
- New Data Portability Right in Peru: A new data protection regulation, which modernizes and strengthens Peru’s existing Data Protection Law (PDPL), went into effect on March 30, 2025. It includes the right to data portability.
- Vietnam Passes New Personal Data Protection Law: Vietnam’s National Assembly passed Vietnam’s new Personal Data Protection Law (PDPL) on June 26, 2025. The landmark legislation, which is set to take effect Jan 1, 2026, is seen as a significant step forward from Vietnam’s existing 2023 Decree on Personal Data Protection and includes the right to data portability. Further government guidance is expected for businesses in the near future.
- New Zealand Moves Forward with Consumer Data Right: A Consumer Data Right has been on the legislative agenda for a number of years, and took a significant step forward in January when the parliamentary committee approved the Customer and Product Data Act 2025 (CPDA 2025). The bill received Royal assent in March and is now in force. At its core, it is a data portability framework that empowers consumers and boosts innovation.
- Brazil’s Regulatory Priorities Include Portability: In December 2024, Brazil’s National Data Protection Authority (ANPD) released a regulatory agenda for 2025-2026 with 16 various priorities laid out across four implementation phases. One of the priorities highlighted in Phase 1 includes clarifying data portability obligations as provided for in Article 18 of the Brazilian Data Protection Law (LGPD), which was enacted in 2020 and remains a core feature of the ANPD’s workplan. We can expect additional guidelines, standards, and developments related to data portability in the near future.
We hope you found this overview useful. Are you following other developments that you think should be on our radar? Feel free to reach out and let us know!