The path forward for AI personal data portability
Last week, I published a piece in Tech Policy Press entitled “We Need to Control Personal AI Data So Personal AI Cannot Control Us.” In it, I argue that providers of AI services can and should make personal data available to users to transfer and to delete. And building on DTI’s expertise with data portability, I offer five principles for portability in the context of AI:
- Users should be able, at their request, to download personal data from AI services, and to request the direct transfer of personal data between AI services. This data should be in a structured, machine-readable, well-documented format (a hypothetical sketch of what such an export might look like follows this list).
- User-directed portability should focus on personal data, and should not extend to training data, model weights, or other elements of AI services not specifically related to the user initiating the transfer; however, personal data used to customize the actions of the AI service should be in scope.
- Data portability tools and interfaces should adhere to an open, interoperable technical specification to allow users to easily transfer personal data directly between AI services on a reciprocal basis.
- AI services, including generative services, AI agents, and tools, should communicate with other services through open protocols and should not impose unduly restrictive terms on data interfaces, so that users have their choice of products or services.
- Where data is transferred directly between service providers at a user’s request, all parties should employ reasonable, well-documented frameworks and practices for security vetting of the other party to the transfer, including organizational policies regarding data privacy, data security, end user transparency, and authentication of transfer parties and end users.
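To make the first principle concrete, here is one hypothetical shape such an export might take, sketched as a TypeScript interface. Every name and field below is illustrative only; none of it is drawn from a published DTI specification or any vendor's actual format.

```typescript
// Hypothetical structure for a personal AI data export.
// All names are illustrative assumptions, not a published specification.
interface PersonalAIDataExport {
  exportedAt: string;             // ISO 8601 timestamp of the export
  service: string;                // name of the exporting AI service
  profile: {
    displayName?: string;
    customizations: string[];     // saved instructions, memories, preferences
  };
  conversations: Conversation[];  // the user's own conversation history
}

interface Conversation {
  id: string;
  startedAt: string;              // ISO 8601 timestamp
  messages: {
    role: "user" | "assistant";
    text: string;
    sentAt: string;
  }[];
}
```

The point is not the particular fields, but that the format is documented, structured, and parseable by any importer, whether or not that importer shares the exporter's internal data model.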
These principles are built on our experiences with portability as an organization over the past few years, and my own experience with this topic for nearly a decade. I’ve been laying the groundwork for AI portability principles for some time, publishing blog posts at DTI on this topic since the fall of 2023 and engaging in countless conversations with stakeholders from industry, civil society, academia, and government. In today’s piece, I’m not going to repeat the arguments I’ve made in past blog posts and in the Tech Policy Press piece. Instead, I want to offer some thoughts on why this work is a priority for us, and what the path ahead looks like.
In some ways, our work on portability of personal data in AI isn’t novel, but rather a natural extension of advancing portability in any other sector of technology. It flows directly from our mission: to build a healthy ecosystem supporting simple and secure data transfers. As with the rest of our scope, we will strive to be the foremost expert on substantive questions regarding the implementation of portability, so that we can be a resource to both government and industry, and we will bring stakeholders together as best we can to support and align the tools and protocols used in portability implementations. For the same reasons portability is important in other contexts, including its contributions to individual privacy and data protection and its benefits for competition and user choice, it is important in AI.
In other ways, AI makes the portability calculus quite different. Notably, portability in AI is likely to be easier, and its value more immediate and, in some ways, deeper. It may be easier because importing data no longer requires aligning on a shared data model. Adapters are a key part of the Data Transfer Project codebase: they translate between the formats offered by export and import APIs and a consistent data schema, enabling a hub-like transfer model rather than separate, pairwise transfer tools between every conceivable export and import endpoint. But if importers are assumed to be able to take data in any format and simply figure it out, that entire challenge disappears.
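To illustrate the contrast, here is a minimal sketch in TypeScript using hypothetical names, not the actual Data Transfer Project APIs: the adapter pattern maps each service’s format to and from a shared schema, while a format-agnostic AI importer can accept an exported payload as-is.

```typescript
// Hub-like adapter pattern (sketch): each service implements one adapter
// to and from a shared schema, so N services need N adapters rather than
// N x N pairwise converters. Names are hypothetical, not DTP's real APIs.
interface CommonContact {
  name: string;
  emails: string[];
}

interface Adapter<ServiceFormat> {
  toCommon(data: ServiceFormat): CommonContact[];   // export side
  fromCommon(data: CommonContact[]): ServiceFormat; // import side
}

// By contrast, an importer that can "simply figure it out" skips the
// shared schema entirely and accepts whatever the exporter produced.
interface FormatAgnosticImporter {
  importRaw(payload: unknown, mediaType: string): Promise<void>;
}
```

The shared-schema approach buys consistency at the cost of per-service adapter work; the format-agnostic approach shifts that burden onto the importing service’s ability to interpret arbitrary data correctly.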
Portability in AI is also likely to prove valuable on a near-term timeline, in a couple of respects. The first is AI as a personal data consumer: access to more personal data (a user’s contacts, for example) can drive more personalization, and thus more value from AI tools. The second is AI as a personal data generator, specifically in its conversations with users. This data can be highly personal, and highly valuable for understanding what a user is looking to do (or to buy). These potential sources of value for both user and business are also, clearly, potential sources of harm, which makes trust in the context of AI portability critically important as well.
Outside the context of AI, portability is of increasing importance in regulatory environments all around the world, as our periodic global round-up posts illustrate. As those same governments look to AI, and to persistent concerns in privacy and competition, assuredly these worlds will collide, and DTI is prepared to help build the path forward.
Speaking of which, I wanted to share a little about what comes next for us on this. Personally, I’m focused on two pieces: spreading the word and bringing together the players. I will be appearing on podcasts and writing guest posts in other publications to take these ideas to new audiences, and presenting at conferences, including MyData 2025 in Finland next month. I also intend to bring together champions for portability working at key AI companies to build alignment on approaches and to encourage collaboration on user-facing portability tools, because engaging with users is a critical piece of trust-building in AI, and in technology in general.
Trust is another key workstream for DTI. As we build out our trust registry pilot, which seeks to make it easier for businesses to establish trust for data portability, we are looking not only at the trust considerations in AI data portability mentioned above, but also at the potential explosion of AI agents, all seeking to transfer highly personal data and all needing to establish trust in order to limit privacy and security risks. I’m not sure yet what DTI’s role will be in that space, but I am sure that our expertise will be valuable in the months and years ahead.
I wrote in November 2023 that the future of AI would be personal and portable, and that the open question was whether it would be empowered. I strongly believe DTI’s efforts on portability for personal data in AI will be fundamental to meeting that challenge.