Our regular regulatory roundup
I often picture the global data portability ecosystem as an incomplete jigsaw puzzle. Each new portability regulation or initiative is another piece to be added. But when the pieces are designed independently in each legal jurisdiction – the EU, the UK, Japan and so on – the chances of them all automatically fitting together to form a pretty picture are low.
That’s where I believe DTI has an important role to play that arguably no other organisation is capable of. Our advice and global perspective can help shape the pieces so that they fit together and form a single vision, so that the ‘tabs’ from one intervention slot into the ‘blanks’ of another. Or in other words, we can help to promote international interoperability. To do that, we need to keep up to date with global developments.
This newsletter sets out some of the main regulatory developments for the technology sector most relevant for our audience, including highlighting the ones we are engaging with directly.
United Kingdom
I would of course list the UK first because I am biased. But in any case, it deserves headline billing this time around as authorities prepare to deploy the powers granted by two new Acts of Parliament: The Data (Use and Access) Act (aka “the DUAA”) and the Digital Markets, Competition and Consumers Act (aka “the DMCCA”).
- The DUAA gave the UK Government enabling powers to introduce Smart Data Schemes like Open Banking in other sectors of its choosing. The Department of Business and Trade has since published a Smart Data Strategy in March 2026, which lists digital markets as one of the priority sectors to be pursued. In parallel, following a call for evidence on the Smart Data opportunities in digital markets last summer (to which we responded), the Department for Science Innovation and Technology (DSIT) published in May 2026 a summary and decision on next steps. DSIT indicated that the Government will consult “shortly” on the overall design of a digital markets scheme.
- Through the DMCCA, Parliament handed the Competition and Markets Authority (CMA) strong new powers to regulate large digital services where they are judged by the CMA to have Strategic Market Status (SMS). The CMA has investigations open, at different stages of development, in relation to various parts of Google’s, Apple’s, and Microsoft’s businesses. Within its investigation into Google’s General Search and Search Advertising services, which is the furthest forward, the CMA has consulted on Conduct Requirements that would oblige Google to maintain availability for its Data Portability API in the UK, and effectively peg the UK to any further advancements in the API resulting from the EU’s implementation of the Digital Markets Act (DMA). The CMA hinted in a recent press release that this Conduct Requirement will come into force in the “coming weeks”.
Also, published this week, is a consultation from DSIT on empowering people through data intermediaries. This follows a call for evidence last year that DTI responded to. In addition to consideration of legislative options for removing barriers to data intermediaries, the consultation seeks views on a non-statutory authorisation scheme, with an industry run certification process. The consultation notes that “Authorised intermediaries could be listed on a public register or permitted to display a recognised trust mark, providing a visible signal to individuals and data controllers that they meet agreed standards.”
DTI is engaging extensively with each of these developments, where we are pressing the importance of our Data Trust Registry as a key component for achieving international interoperability of smart data schemes, while also acting as a signal of credibility for listed services, which includes many data intermediaries.
For any UK-based readers, I encourage you to attend the Smart Data Forum next week, where these developments will be a key topic, with DTI’s Data Trust Registry shortlisted for the Trust, Consent and Governance Award. Hopefully I will see some of you there!
European Union
Although the EU is further along this regulatory journey than the UK, the implementation of targeted data portability regulations is still relatively early. There have been several developments over the past year that have moved the regulatory dialogue forwards:
- The DMA one year review: in 2025, the European Commission ran a consultation as part of its one year review of the DMA. Here is our response. In its follow up Report, the Commission rightly sought to highlight the data portability provisions in the DMA as one of its success stories, where visible progress has been made and innovative new services are starting to reach consumers. Also noteworthy was the Commission’s signal in its Staff Working Document that it will be, as a matter of priority, “monitoring whether certain AI services should be designated as virtual assistants” and therefore brought within the scope of the DMA.
- Joint guidelines on the interplay between the DMA and the GDPR: in Q4 2025, the European Data Protection Board and the European Commission consulted on draft joint guidelines on the interplay between these two regulations. With respect to data portability, the document sought to clarify the complementary nature of DMA Article 6(9) and the GDPR Article 20, as well as setting out some more granular expectations regarding compliance with DMA Article 6(9), such as appropriate third-party onboarding procedures.
- The Data Act: this legislation came into application in September 2025, bringing in direct transfer data portability provisions for suppliers of Internet of Things connected devices and for cloud storage providers. Despite being new, it is already facing changes through the Digital Omnibus package. Aimed at simplifying and consolidating parts of the EU’s digital regulatory framework, the package contains some tweaks to regulations that could affect existing data portability rules at the margins. For example, targeted exemptions to the Data Act’s cloud switching requirements for smaller businesses, and removing the requirement (currently in the Data Governance Act) for mandatory reporting and labelling of data intermediation services. Some concerns have been raised over the Omnibus, including by researchers over potential limits to data donations.
DTI has been frequently engaged with the European Commission on all of these topics, including responding to the consultations. We are now watching closely to see whether the DMA will be the catalyst for portability of AI ‘virtual assistant’ conversation histories, and whether the Data Act encourages more IOT companies to participate proactively in the data portability community.
US State-level Legislation
In the United States, progress on data portability seems most likely to be steered by legislation at the State level. Utah and South Dakota have led the way, each enacting into law a “Digital Choice Act”, effective from July 2026 and July 2027 respectively. They require social media platforms to support direct data transfers to other services of all user data including the social graph. Several other States are following with similar Acts, including New York, Minnesota, South Carolina, Virginia, and California.
Although the legislative process still has some way to run, California’s version of the Digital Choice Act may turn out to be the most impactful. Aside from the mere fact it is California, which tends to suggest national application for tech regulation, it also includes new requirements for portability of AI contextual data such as conversation histories (as does Virginia’s). We view this as a high priority moving target, and while DTI as an organization does not engage in advocacy for or against legislation, we seek to contribute our expertise where it will help facilitate collective understanding, and are monitoring this closely.
South Korea
South Korea is one of the most advanced jurisdictions for empowering citizens to access and utilise their personal data, with its Personal Information Protection Commission (PIPC) announcing in April 2026 that citizens’ data portability rights would be extended to all major sectors of the economy.
Under the announced rollout timeline, individuals will be able to access their data directly from public institution websites starting in August 2026, with application to the private sector next year. As well as sectors for healthcare, telecommunications, and energy, South Korea’s MyData framework will also apply to various online platforms (above set quantitative thresholds) such as taxi-hailing services, e-commerce platforms, streaming platforms, and holiday lodging services.
Japan
On December 18, 2025, Japan’s long-awaited Mobile Software Competition Act (MSCA) – also known as the Smartphone Act – officially entered into force. Enforced by the Japan Fair Trade Commission (JFTC), this ex-ante regulatory framework is focused on supporting competition within and between Apple’s and Google’s mobile ecosystems.
With some similarities to aspects of the EU’s DMA, the MSCA establishes explicit data portability mandates. This has prompted an expansion in the geographic availability of some existing data portability tooling, such as Apple’s Account Data Transfer API, which now lists availability for users in the EU, UK and Japan.
We have recently held conversations with the JFTC to discuss these developments, as well as to share updates on our relevant projects such as our Data Trust Registry.
Australia
With some parallels to the UK, Australia has two routes that may eventually lead to data portability initiatives in the digital economy:
- Most immediately, there is the ongoing expansion of its Consumer Data Right (CDR) which, like the UK’s Smart Data programme, has its origins in the banking sector. It has subsequently rolled out to the energy sector, and is now expanding to non-bank lending services in July 2026. We spoke recently to the Australian Competition and Consumer Commission (ACCC) about its implementation of the CDR, highlighting some potential future overlap between our Data Trust Registry and the ACCC’s register of accredited data recipients.
- Australia is also expected to introduce legislation to establish a new ex ante digital markets competition regime, leading to codes of conduct for designated digital platforms. Described by some as a hybrid between the EU’s and UK’s approaches to digital markets regulation, the requirements may well include provisions for supporting data portability.
Given these developments, Australia appears to be a strong candidate for implementing data portability requirements for online platforms in the near future, though it is unclear at this stage whether it will adopt a sector wide approach via the CDR, or a more targeted approach through its planned ex ante digital competition regime.
Canada
Following many years of policy debate, Canada formally codified its Open Banking framework through Bill C-15, which received Royal Assent in March 2026. Critically, the Bill also amended Canada’s federal privacy law (PIPEDA) with the introduction of a new section on “Mobility of Personal Information”. This lays the foundations for Canadian authorities to introduce new data sharing frameworks in other sectors beyond banking.
Alongside these legislative developments, the Competition Bureau Canada published a comprehensive report in January 2026 entitled Your Data, Your Control, with extensive references to data portability in the digital economy. It was a pleasure to chat to the team behind the report in March this year about ongoing developments in Canada and how they connect with DTI’s mission.
India
I highlight India in this update for two significant non-developments on data portability.
First, the Digital Personal Data Protection Act (DPDPA) has been proceeding through a phased rollout, with full enforcement by May 2027. It is particularly noteworthy that the DPDPA, as India’s comprehensive data protection framework, does not include a GDPR-like right to data portability.
Second, India’s equivalent of the DMA - the Digital Competition Bill - has continued to stall, with focus shifting to further evidence gathering through a market study.
In contrast to some jurisdictions where data portability is a feature of privacy and competition legislation in parallel, India is not prioritising either regulatory route.
Brazil
Brazil has been progressing its Digital Markets Bill designed to tackle competition challenges in digital markets, as written about by Laís Martins and Megan Kirkwood for Tech Policy Press in February this year. In March, lawmakers approved an “urgency motion” enabling the Bill to skip some of the slower committee stages of review.
If passed, the Bill will give new powers to Brazil’s competition regulator, CADE, to designate platforms as an “economic agent with systemic relevance”, with a menu of interventions then available to it including imposing requirements for continuous and real-time data portability.
The Bill still has several legislative hurdles to clear, so we’ll keep a watching brief.
Chile
The new Data Protection Act In Chile, which brings in substantial alignment with the GDPR, will officially come into full effect in December 2026. Like the GDPR, the Act includes a right to data portability, which gives the data subject “the right to have their personal data transmitted directly from controller to controller where technically possible.” As has been the case in Europe, the final three words of that quote are likely to be impactful.
Get in touch if there are some developments in your part of the world that deserve to be on the next update.