Data portability - it’s not rocket science

In an era of extraordinary technological progress – with driverless taxis navigating our roads and pop stars performing in space – any suggestion that it may not be technically feasible for one organisation to transfer data directly to another deserves far closer scrutiny.

Since 2018, many organisations in the EU and the UK have treated technical feasibility as a legal loophole in the obligation to support data portability through direct transfers. This element of GDPR Article 20 has never had much bite, because the words have no single clear meaning.

This has long been a bugbear of mine, as has regulators’ and legislators’ heads-in-the-sand approach to the issue (most recently in the draft guidelines on the interplay between the DMA and the GDPR). However, when I learned that the problem is being exported to the US through State legislation such as Utah’s Digital Choice Act, I decided it was time to revisit the topic.

The term ‘where technically feasible’ was added to the direct transfer component of GDPR Article 20 for very understandable reasons. Unlike the DMA, which applies to a small number of very large technology companies, the GDPR applies widely to data controllers in the EU of all shapes and sizes. From farmers, to factories, to florists, the data portability provisions of the GDPR will likely apply if data controllers process personal data on the basis of consent or the performance of a contract. So, quite reasonably, the authors of the GDPR inserted a carve-out for organisations that would find it challenging to implement.

Unfortunately, this carve-out is open to different interpretations, and has consequently acted as a barrier to effective data portability implementation and enforcement throughout the European Union and the UK ever since.

What does ‘technically feasible’ mean?

The Collins English Dictionary felt like an obvious starting point for my research: it defines feasible as “able to be done or put into effect; possible”.

Finding the consensus for a commonly used phrase is also a strong use case for Large Language Models (LLMs), given they have been trained on the entire Web archive:

One critical area of uncertainty that these two responses subtly highlight is whether or not direct transfers need to be feasible with the technology and skills currently held by an organisation, or whether technical feasibility also takes into account the technology that could be relatively easily procured or built within a reasonable time frame.

Official EU guidance on the right to data portability adopted in 2016 sheds some light on the baseline requirements for the technical feasibility of direct transfers, which are:

These do not appear to set a high bar.

Practical interpretations

There are numerous practical solutions available for facilitating direct transfers of data that can meet the above criteria. The official guidance itself provides some examples, including secure messaging, an SFTP server, a secured WebAPI, or a WebPortal, going on to emphasise that data subjects should be enabled to use personal data stores, PIMS, and other trusted third-parties.

Since that guidance was written a decade ago, a myriad of affordable options have emerged online for secure cloud storage, as well as commercial services that are dedicated to supporting secure transfers of large files (such as WeTransfer). The Data Transfer Project (DTP) has also demonstrated the art of the possible when organisations collaborate to develop interoperable, reciprocal, and scalable portability solutions based on common data models. Not all organisations will have the resources to invest in large-scale portability initiatives like the DTP, but many of the alternatives are far less complex, and for those any barriers to implementation must surely be non-technical (e.g. cost or lack of business incentive).

Rather than focusing too much on the relatively straightforward question of when direct transfers of any kind are technically feasible (answer: almost always), I am more interested in considering when it is technically feasible to deliver effective data portability, e.g. through a scalable solution such as the DTP or via a purpose-built API. I’ve illustrated my thinking below by describing six plausible scenarios in which a data controller could find itself unable to immediately support a transfer request. In each case, I’ve indicated the extent to which the barriers are technical in nature.

A matrix showing six reasons why direct API transfers might not be available, ranked from highly technically feasible to technically challenging.

At one end of the spectrum, if organisations already have direct transfer tools such as an API at their disposal but choose to restrict their use for data portability in some way, then it would appear any barriers to effective data portability in these cases are non-technical (such as assertions of regulatory obstacles to implementation).

At the other end of the scale, many organisations (probably a very long tail) may simply not have the technical know-how, software, or bandwidth required to facilitate data exports in a secure and efficient manner. Technical feasibility will be a barrier to effective data portability in these circumstances. Somewhere in the middle, there will be many organisations that do not currently have data transfer tools or technology available to them, but could realistically build or acquire them in time.

While it might be tricky to know where to draw the line on technical feasibility from a legal standpoint, let’s put things into perspective with a reminder of some of the amazing things that are technically feasible in 2026:

How about user-led data transfers? Well, let’s just say it’s not rocket science.


