Although not perfect, browser data portability is a compelling case study for busting all of these myths.

Browsers are digital wallets

Browser users – basically everyone – are not a homogenous group.

For many users, the choice and setup of the browser is a deeply personal and personalised experience. Their tabs, bookmarks, favourites, reading lists, extensions and search histories are core to their experience of browsing and consuming online. But for others, the default browser will always do, straight out the box.

Privacy protection is another issue that can elicit a wide range of reactions, including anger and fear, general mistrust, apathy, and more positive value recognition.

Wherever a user sits on these overlapping spectrums, ongoing operational access to sensitive data by the browser can be critical to users’ experience online. For example, even the least engaged browser user may be relieved when their browser recalls their password for their Amazon shopping account. And a privacy conscious user may still be grateful to be offered up their payment card details at the checkout.

This is because browsers are not just a window to the web, with personalisation as an add on. Browsers now also double up as digital wallets, storing critical information that makes our online browsing and shopping experiences more efficient and convenient.

So when people choose to switch browsers – yep, you aren’t reading this on Netscape or Internet Explorer are you – it is important they have the option to take their useful data with them. Engaged users don’t want to start from scratch re-setting all of their bookmarks and personal touches. Nor does the average user want to start searching for their physical wallet every time they need to make a purchase, or resetting complex passwords for each website they return to.

A patchwork of solutions

Browser users don’t need to be aware of the concept of data portability, or be excited by their personal data rights. They just make a few extra clicks as they install and onboard with a new browser. This is how data portability works best: when it blends into the background, serving a higher purpose.

And browser switching is certainly not niche. On desktop devices, the market has tipped to a new winner several times over the last quarter of a century, meaning most people have changed the browser they use on their laptop or desktop computer at some stage. Switching rates have historically been lower for mobile browsers for a host of reasons, but even if just 16% have switched (according to a CMA survey of UK mobile browser users) then we could be talking about a billion people worldwide. And the introduction of choice screens, such as those imposed by the EU’s Digital Markets Act (DMA), are driving up consumer engagement, with browsers such as Opera, Brave and Vivaldi all reporting growth in user numbers since DMA implementation in 2024.

Although browser switching works relatively well, the browser data portability landscape could affectionately be described as a scruffy patchwork: it just about does the job; new patches keep getting added; but some gaps remain and each patch is different from the one before. But that variation doesn’t necessarily seem to matter a great deal. For a given user looking to switch – possibly every few years or less – it just needs to work for them, there, in that context. The fact that a different user switching between two other browsers on a different platform may be getting a completely different experience doesn’t really matter at all.

Desktop vs mobile

Browser data portability has worked pretty well on desktop for some time. The majority of browsers support the direct passive transfer of browser data without the user needing to handle any files themselves. This means that each browser on desktop is generally able to include a data import feature in their installation setup wizard. This all tends to work pretty seamlessly.

To illustrate, if someone wants to install Firefox on their laptop, they can import their data from Chrome as part of the set up process. After a few clicks (see screenshots below), Firefox is essentially able to reach into your local files and extract the data it needs.

On mobile devices, the desktop method for direct transfers isn’t possible due to browser sandboxing. But the options for moving data between browsers are increasing and improving on mobile, with very little fanfare.

For example, on the iPhone, users can export a zip file of their Safari data to their files, through a relatively quick and seamless UX accessed via the device settings. But as I have written before, data portability takes two. And we are now starting to see alternative browsers on iOS develop the necessary import functionality, including Chrome in January 2026, and Vivaldi last month.

The user journeys for the Safari exports and the alternative browser guided imports are pretty slick if you know where to look, and the transfer includes (subject to user choice) the full spectrum of useful data including bookmarks, history, passwords and credit card details.

There are further developments to suggest direct transfers will be supported on mobile in time. Google’s Data Portability API – yet to be fully explored by rival browsers to my knowledge – enables one off and ongoing direct transfers of a user’s Chrome data to third-party services, including history, bookmarks, reading lists and more. Apple has also recently announced a tool that will facilitate direct transfers of similar data scopes from Safari.

Security vs usefulness

Passwords and credit card details may just be up there with the most sensitive and dangerous data to expose to security threats. It also happens to be up there as some of the most practically useful information to share with your web browser. So there is an inherent tradeoff between the usefulness and security of browser data portability.

The market seems to have naturally converged towards a tiered approach that supports the direct browser-to-browser transfer of less sensitive data such as bookmarks and histories, then with some additional user action to move more sensitive data such as passwords and credit card information. Whether it is the user needing to export data to files before manually importing, or interacting with a separate password management service, these added steps create friction for the user and affect the user experience. But this friction is also a positive trigger for users to think carefully about their choices and be certain that they know and trust the destination.

A tiered approach appears logical to me, and is consistent with the approach we have taken to our Data Trust Registry, which has different requirements depending on data sensitivity.

A patchwork that works

Browser vendors have done a decent job at enabling their users to take their data with them, pulling together this patchwork of transfer solutions without sector wide requirements or an overarching coordination body. It may not be perfect or standardised, and there will continue to be some tensions between security and user experience to work through, but that doesn’t seem to matter too much.

The fact is, data portability really does support browser switching in its purest form, and it works pretty well.

I’m looking forward to continuing down this rabbit hole I recently stumbled into, to see what role DTI might play in helping the industry tackle any future challenges as they arise.

“For four months, Marianne, I have had all this hanging on my mind, without being at liberty to speak of it to a single creature; knowing that it would make you and my mother most unhappy whenever it were explained to you, yet unable to prepare you for it in the least. It was told me,—it was in a manner forced on me by the very person herself, whose prior engagement ruined all my prospects…” 

Elinor’s torment only makes sense if the reader absorbs the sensitivity of a secret engagement. Many readers bounce off Regency novels due to having little engagement with sensibilities like these.

I use this example not just for the pun in the title of this piece (ok, 80% for the pun) but to illustrate that all personal data can be sensitive. We can’t decide that an engagement, just because it’s usually announced happily, is a non-sensitive piece of data. The history of startups and tech platforms shows that we’re terrible at recognizing this. Many companies have blithely revealed information about women to their stalkers. My first pregnancy, though a secret to everybody I knew due to miscarriage, was not a secret to advertisers online because my search terms were shared. Companies cannot make these decisions for people.

We’ve accepted privacy principles of “protect all data” well in some areas. It’s nearly required for personal data in transit, as we’ve built the expectation for TLS everywhere. “There is no such thing as non-sensitive web traffic”, says https://https.cio.gov/everything/ , and thus all Web traffic should be encrypted.

—

When we make the case for data portability, it is tempting to forget all this. When we ask companies to make data portability a user right, yet companies have very short lists of allowed destinations due to security barriers, it’s tempting to ask them to dismantle those barriers entirely.

Companies have legal and reputational liability when they let users share personal data via platform features. Companies are well aware of the many opportunities for fraud. For example, users convinced they’re sharing data with a reliable company may be fooled by an impersonation attack. And so companies do what companies do, and build complex protective systems of service identification, data protections, security reviews, OAuth scopes and sensitivity levels.

Those systems are:

• Very expensive to companies for both platforms and companies applying for access,
• Significant barriers to users actually porting their data,
• Often wrong about sensitivity level,
• Inconsistent internal to a platform,
• VERY inconsistent across the industry

Sensitivity levels are a data classification framework - broad groupings of kinds of data, linked to protection levels. It’s understandable that companies would try this approach for personal data, as companies already use this kind of framework for corporate data. A company can decide that its customer prospect list is “restricted” and its employee foosball chat is merely “private”. A company can decide that vendor X is secure enough to work with restricted data and vendor Y is secure enough to serve employee chat rooms. But does the same model work when companies apply it to personal data?

First, it’s much harder for companies to apply sensitivity levels to all personal data. A major recording artist’s music listening activity is more sensitive than my photos of my kids. My photos are more sensitive than my friend Jamie’s blood-glucose data (because he’s already donated it as a public research dataset). Any reasonable sensitivity classification of listen history, photos and medical data would reverse this ordering. Second, it always seems safer to put data in a more secure category. If some photo albums contain images of passports and drivers’ licenses, then all albums are considered the most sensitive. If some email folders contain password reset links, then all email folders are the most sensitive.

As a result, users are burdened by high protections. When a company forces users to protect their data too carefully, they take away choice and incentivize workarounds.

The workarounds are part of why a platform can have inconsistent security protections. Many photo sites, for example, have short lists of trusted partners who can access personal data APIs and do data transfers. On the big platforms, those partners are formally and consistently vetted to make sure they are trustworthy. However, because people do want to share their photos (to photo book printers, to family, to alternate services), the photo album interfaces typically have something like this:

Now I can share my photos with an unvetted startup by creating an insecure link. Even if my judgement is sound and the startup is trustworthy, others can still use that link if it leaks.

The situation is even worse with email data access. The only common workaround for email is for users to share their email passwords with 3rd party software. If I realize that’s terribly risky, I am left with almost no safe choices for 3rd party email management services.

Protecting users by taking away choice, while also allowing insecure alternatives, is the worst compromise. It’s time to help users make choices with their own data and also to protect them.

The UX for helping users safely make their own choices is yet to be designed. What would it look like? The user could be shown ratings and offered highly trusted destinations before making a riskier choice. The user could be allowed to decide if their own data is public, private but not very sensitive, or of the highest sensitivity. Companies hosting personal data could offer to filter content objects to help the user choose which content goes where.

Defaults are still important, but after being offered sensible defaults, users could apply their deeper knowledge and trade-off weights.

Let’s improve this whole situation. Over the last 20 years we’ve developed extensive systems and UX allowing users to make their own purchasing decisions online (verified brands, number of buyers, ratings and reviews). Modern online retail shows that this could be an empowering and smooth experience. We can make a lot of progress empowering users with their own data too.

Personal data is immensely valuable. And much of that value has not yet been unlocked. It’s great to be able to get a copy of your data for your own archives and reference, and for switching services. But the real magic happens downstream, with vertical innovation: building tools and services that can create new value from that data, including in integration across its origins.

The tide is turning. Awareness of digital footprints has been growing for years, and now, everyday people are learning more about what that means and how it can help them do things with their data. And the fundamental creativity of technology builders is awakening. And in parallel, people are generating more and more personal data, and consequently more potential downstream value. A huge factor amplifying these effects is AI.

Regular readers of this outlet know that DTI has been pushing for the importance of personal data portability in the context of AI for quite some time. These have been predictions of what’s to come and guidance on how to shape the future, drawn largely from my work and experience in the global tech sector, and my understanding of the possibilities of technology and how it can be both used and controlled. Three dynamics are emerging to validate this dynamic:

1. Developers are building tools to get value out of personal data – including developers and builders, not just large corporations – both with and through AI. Check out the reception for the world’s first AI portability hackathon, which DTI recently helped organize.
2. For better or worse, people are freely adopting tools like OpenClaw and giving it access to all of the personal data they possess, including their local files and access credentials to remove services. This is a wildly insecure path, but it is being widely pursued nevertheless, because the value is there.
3. People are making choices about which AI service to use not based on performance but values, including flash reactions to news developments. And when they decide to switch, service providers and internet commenters are walking them through the best currently available pathways to transfer their data over.

My colleague Tom offered a prediction this year as well: “Data portability use cases will be proven as commercially viable.” At the hackathon in late February, there was at least one angel investor present to look for opportunities. I think Tom’s right, and alongside that, there will be rapid acceleration on the growth curve of demand for and adoption of data portability and personal data use, in and with AI.

Why is AI accelerating portability? First, it helps people prototype technologies based on little more than a concept, reducing technical knowledge and experience barriers. Opinions vary on whether “vibe coding” and similar AI-assisted development can substitute for production-quality or long-term maintainable software. However, it’s hard to deny that it makes it easier to test out ideas and hypotheses.

Second, it unlocks new recommendation and suggestion power based on user tastes. While this is perhaps fairly basic functionality, it’s incredibly valuable to help someone identify new music they might want to listen to, restaurants they might want to try, or products they might want to purchase – both to the individual and to the enterprise. If, as posed by Eric Seufert, “everything is an ad network”, then everything must also be a potential data portability use case.

Finally, AI interactions are themselves a new source of interesting and valuable data. People talk with their chatbots about lots of things. While some of this data can be extremely personal and sensitive, lots of it also can be extremely valuable, as we know from the ways in which it is used in fine tuning and improvements to the AI service itself. These same learnings and personalizations are of use in many other contexts as well.

But, how much is this last part true in practice? What form is portability of personal AI data taking today? Are the current tools and methods making the right data available? Will there be trust mechanisms in place, or will users be encouraged (or misled) to transfer potentially sensitive chat histories to new services without safeguards?

DTI has articulated our principles for how it should work in practice. TL;DR: We aren’t there yet. Portability demand is growing. Can the supply keep up?

It’s great to see experimentations with memory transfers, as Anthropic is doing. I appreciate as well that you can still export your raw personal data from Claude as well – as you can from ChatGPT and other AI services. I hope, but cannot be certain, this will continue. And the direct transfer of such data, as articulated in GDPR Article 20, typically remains a work in progress, with few exceptions. In the age of possibility brought about by modern AI, I struggle to imagine that technical feasibility could be a plausible barrier.

Trust is missing here as well. Our trust registry project, nearing the end of its pilot phase, vets third-party recipients of direct transfers of personal data to help protect people – checking that their data will not be stored insecurely or abused, and that relevant consent mechanisms meaningfully reflect what the company will do with the data.

Contrast DTI’s trust work with the realities of OpenClaw, which Simon Willison has described as the technical development most likely to result in a “Challenger disaster.” People are wantonly opening their local drives and connecting their access credentials to AI agents they not only do not actively control, but in many cases do not understand.

I have confidence in DTI’s partners and affiliates, who together lead on data portability in all its implementations. Joining us in our work means supporting our mission: “Empower people by building a vibrant ecosystem for simple and secure data transfers.” These companies make personal data available through many methodologies, including downloads, Data Transfer Project-powered direct transfers, and APIs. With our affiliate Inflection, we shipped a data model for conversation histories designed to maximize effective reuse. And our affiliates Fabric and koodos are building new tools and open ecosystems around personal context portability in AI, including this brand new context-use tool from Fabric. Context-use is a local, open source tool that converts user archives like full ChatGPT conversations and Instagram stories into personal context for agents like OpenClaw. In this way, agents are able to use full personal context safely without accessing primary user accounts.

But I am worried about a reversion to historical patterns of trapping users in online services by their own data. Where there is money to be made, there is incentive to capture as much of it as possible. The question I asked in November 2023 has not been fully answered: “whether the future of generative AI will lock users into new technology silos, or empower them by ensuring portability.”

I’m also worried about privacy and security problems that could arise from an ecosystem of data movement that develops without collaboration and considerations of trust. In other portability contexts, great care is taken in scoping the data made available and in user understanding of the transfer and its safety. Without substantial investment in and coordination of portability, more problems – avoidable problems – will occur.

I’m not the only one thinking about the risks of consolidation and security in data flows. Regulation is on the horizon. In the EU’s recent DMA review process, Open Markets Institute and other commentators explicitly called on the European Commission to designate virtual assistants and chatbots. Megan Kirkwood at Tech Policy Press wrote an overview of the issue.

In the United States, at the state level at least, there is ample regulatory appetite. In 2025 alone, more than 1100 AI-related bills were introduced in U.S. states. The Digital Choice Act in Utah, although it is not without controversy and challenge in implementation, includes substantial data portability obligations for social media services; and similar laws have been proposed in several other states. It’s not hard to imagine these two forces coming together.

DTI doesn’t take a position on regulatory matters, and we recognize that these are complex issues and regulation inherently involves tradeoffs. But we also recognize that regulation in some form is inevitable, regardless of one’s views on the merits.

Now is the time to get a head start on building portability infrastructure in AI the right way – together. We can, and should, collaborate on shared tools and methodologies to export and import personal data in AI, including both conversation histories as well as higher-level memories and contexts. It won’t take radical new engineering. Just the space and collective will to coordinate. And we at DTI exist to facilitate precisely this.

We invite you to join us on this journey.

(Disclaimer for the skim readers: DTI is absolutely not proposing the introduction of fees in the context of user-initiated transfers of personal data.)

A tricky policy question

The UK is looking to be a leader in data portability initiatives, bringing forward what it calls “Smart Data” schemes in a range of sectors, through which it is hoping to replicate the success of Open Banking. These include schemes for financial services, energy, telecoms and digital markets, which could include both personal and non-personal data within their scope. In this work, the UK government faces a difficult and somewhat controversial policy question looming on the horizon: who should cover the costs of facilitating user-requested data transfers?

Recent regulatory precedents suggest the burden will be placed on the incumbent data holders, with the aim of having the minimum impediment to individuals or third-party businesses from accessing the data. For example, data controllers in the EU and UK are generally not permitted to charge for user-led transfers of personal data under the data portability provisions within the GDPR, nor can “gatekeepers” under the EU’s Digital Markets Act (DMA), nor the largest banks in the UK as part of Open Banking arrangements that were triggered by the CMAs 2017 market investigation into retail banking, and complemented by the Second Payment Services Directive (PSD2).

However, unlike those existing regulatory frameworks, the UK’s Data (Use and Access) Act 2025, which enables the introduction of Smart Data Schemes, explicitly leaves open the potential for data holders to charge third parties for access.

As sector-specific schemes are developed, this issue is likely to elicit some polarised views. On one side, there are strong economic arguments for incentives so data holders continue to invest in data, high-quality data transfer tools, and unlocking data as an economic asset. On the other, some may question whether fees for data access are consistent with policy aims of promoting competition, unlocking innovation, and empowering consumers.

The economist’s perspective

Here is (roughly) how our conversation went…

Tom: I enjoyed reading your report on fees for Smart Data schemes. The thing that struck me was that your proposed framework includes fees for data portability in nearly all circumstances, with data holders always permitted to recover costs. This is different to what we have seen in Open Banking regulation in the UK and the EU, or in digital markets regulation. What is your thinking behind this? Won’t we see more innovation if data is freely available?

Tanja: Of course, demand will inevitably be higher (at least initially) if there is no charge. Economists call that pricing that facilitates “static competition”. But in return you may see lower quality supply, fewer sustainable use cases and weaker investment. Economists call that “dynamic competition” over time. It is about striking the right balance between these factors.

On the one hand, if data is freely available to make new scientific discoveries or provide public services, then there’ll be more opportunities for more people to contribute and create things that ultimately will benefit everyone.

But on the other hand, there are also good reasons why data should not be free because doing so could lead to under-investment – in data and also the products that use it. If companies must build data tools entirely at their own expense, with no financial incentives in place to generate any meaningful demand for the functionality, the natural response will be to do the bare minimum for legal compliance. This means that outcomes may suffer.

Tom: That makes sense, though I would add that collective action can also help to address this challenge by sharing the costs of investment while delivering better outcomes. The Data Transfer Project is one example where this kind of collaboration to support reciprocal transfers has made progress without fees.

Tell me more about the thinking behind your framework then. Surely you can’t have monopolies profiting from policies that are intended to address their market power?

Tanja: There are a few factors that can affect the appropriate fee level, including the type of data and the motivations for the intervention, such as addressing competition challenges. Prof. Sean Ennis of the Centre for Competition Policy at the University of East Anglia and I created a framework with three categories of pricing solutions to account for this:

1) where data can be shared across markets to deliver significant consumer and potentially social benefits (for example in health and transport/smart city type application), without undermining data holders’ business models: transaction-cost-only pricing;
2) where data sharing in competitive markets may undermine data holders’ business models: opportunity cost recovery; and
3) where data sharing is required to remedy a competition problem in a market: at least transaction cost plus a margin, or a value based element subject to the case specific competitive assessment.

Even in cases of addressing market power, usually permitting a fee with a reasonable margin will create incentives that drive the most efficient outcomes. There are standard ways of doing this using cost-based, benchmark-based, income-based and externalities-based valuation methods (here’s a good overview by Oxera, for example).

Tom: I see where you are coming from regarding incentives. But the framework could be challenging to implement – both practically and politically – in the context of digital markets, where so much of the data collected is personal, and given the regulatory frameworks already in place. Some might also argue that where companies extract substantial profits from the collection of large volumes of personal data, supporting onward transfers of that data is merely a cost of doing business.

Tanja: I addressed these issues in my paper, which points out the risk that when the economic benefits of participating in data sharing are not clear, then it’s difficult to incentivise the provision of high-quality data products. The OECD has also pointed this out (here). Of course regulation can always force supply, but as regulators in other sectors know (telecoms, utilities) that’s hard to get right and is not ideal in differentiated product markets.

The DMA has required the gatekeepers to provide continuous and real-time access to data to authorised third parties free of charge. How is that working out?

Tom: If you are asking me should Article 6(9) of the DMA be viewed as a positive success story, then I would say absolutely, yes! It has been a catalyst for major progress for data portability in digital markets, the likes of which we have not seen before. But if you are asking me whether the data portability tools could have been even more effective if the gatekeepers were offered carrots as well as sticks, I would probably agree.

Let’s just say hypothetically that we did agree a fee was justified for creating the right incentives for data holders, wouldn’t that just kill any startup that came along trying to create a new type of service? Digital services often struggle with strong network effects, and fees for data access could really stifle the kind of innovation that policy makers are looking to unleash. From my experience at a startup data intermediary, a fee each time a user wanted to share their data would have made the business completely non-viable in those early stages. Successful data transfer takes two: by improving the incentives for data holders, won’t we reduce the ability or incentive for data recipients to participate?

Tanja: Yes, that is certainly a risk. In new markets, where users need to experience the value of a proposition before it becomes more mainstream, initial discounts can be important, ultimately to drive volume. So initially, high input prices, even if cost reflective, might be a challenge.

I can see that.

Once higher adoption is achieved, and learning effects happen in competitive markets, prices tend to come down as average costs reduce. We’ve seen this in mobile data since the iPhone’s launch in 2008, and in technologies from batteries to LEDs. So the issue is one of upfront cost when the uncertain rewards come later.

If both data holder and data recipient can see the potential in a proposition, teething problems can typically be resolved without regulatory intervention where there isn‘t market power. Firms in competitive markets holding data will want to establish long-term partnerships with firms having know-how that can help them create viable products and potentially include low or zero entry prices as part of the business case, with future pay-offs shared between partners.

And even where there is market power, it’s important to ensure that investment in data and the infrastructure that supports it will continue to be funded. Where pricing ends up being imposed this should align with incentives to achieve that and long-term contracts can also play a role here.

Tom: I suppose it also depends on the type of data we are talking about. I am on board with your proposed more flexible approach where data sharing could undermine business models. I would actually question whether such a requirement is justified in the first place, regardless of fee structures. For example, at DTI we have been talking a lot lately about data portability from LLMs and AI assistants, including the need to capture both sides of conversation histories. But I absolutely draw the line when it comes to underlying model weights and parameters that are the individual company’s valuable IP. Forcing the sharing of that kind of information sets a harmful precedent and would be difficult to compensate for. Is this the kind of thing you mean?

Tanja: Here it’s likely to be harder to land on a one size fits all solution. As an economist I’d say the challenge with legislation in this area is that it is hard to arrive at economically meaningful legal distinctions between different types of data. Whereas some legal distinctions have been hard-coded into the EU Data Act, there is still an opportunity for economically meaningful distinctions to be drawn in the future implementing regulations for the Data Use and Access Act in the UK, and potentially also the EU Financial Data Access regulation (FIDA).

As you say, when it comes to model weights – ultimately also information in digital form – IP rights will likely kick in. It appears that some legislation might jar with that. Forcing openness by imposing regulation that potentially interferes with IP rights or database rights are clearly highly risky for incentives to invest in these in the first place.

Tom: Where do you see this going then? As the UK brings through firm proposals for an Open Finance Scheme, do you expect your framework for charging to be applied? And what about in some of the other schemes like digital that are perhaps less sector specific?

Tanja: I certainly hope the framework we created will be useful, yes.

Open data initiatives such as smart cities suggest there is huge scope for voluntary open data and long-term commercial partnerships between data holders and data recipients, enabling the sharing of risk and reward. A key distinction will be the presence of absence of market power or other market failures, and where there isn’t, government policy and regulation should facilitate rather than determine outcomes.

As it spans all sectors, smart data is unlikely to be a one-size fits all policy – and different use cases and sectors will come with different opportunities, challenges and risks.

Since 2018, technical feasibility has been treated by many organizations in the EU and the UK as a legal loophole in an obligation to support data portability through direct transfers. This element of the GDPR Article 20 has never had much bite, because the words have no single clear meaning.

This has long been a bugbear of mine, as has regulators’ and legislators’ heads-in-the-sand approach to the issue (most recently in the draft guidelines on the interplay between the DMA and the GDPR). However, when I learned that the problem is being exported to the US through State legislation such as Utah’s Digital Choice Act, I decided it was time to revisit the topic.

The term ‘where technically feasible’ was added to the direct transfer component of GDPR Article 20 for very understandable reasons. Unlike the DMA, which applies to a small number of very large technology companies, the GDPR has wide application to data controllers in the EU of all different shapes and sizes. From farmers, to factories, to florists, the data portability provisions of the GDPR will likely apply if data controllers process personal data on the basis of consent or performing a contract. So, quite reasonably, authors of the GDPR inserted a carve out for organisations that would find it challenging to implement.

Unfortunately, this carve out is open to different interpretations, and has consequently acted as a barrier to effective data portability implementation and enforcement throughout the European Union and the UK ever since.

What does ‘technically feasible’ mean?

The Collins English Dictionary felt like an obvious starting point for my research: it defines feasible as “able to be done or put into effect; possible”.

Finding the consensus for a commonly used phrase is also a strong use case for Large Language Models (LLMs), given they have been trained on the entire Web archive:

• ChatGPT told me that “Technically feasible means that something can be accomplished using existing or attainable technology, skills, and resources, even if it may be difficult, expensive, or impractical for other reasons. In other words: it’s possible in theory and in practice from a technical standpoint.”

• Along similar lines, Gemini explained “When someone says a project is technically feasible, they mean it is actually possible to build or implement with the technology, tools, and expertise currently available.”

One critical area of uncertainty that these two responses subtly highlight is whether or not direct transfers need to be feasible with the technology and skills currently held by an organisation, or whether technical feasibility also takes into account the technology that could be relatively easily procured or built within a reasonable time frame.

Official EU guidance on the right to data portability adopted in 2016 sheds some light on the baseline requirements for the technical feasibility of direct transfers, which are:

• Communication between two data controllers’ systems is possible;
• The transmission can take place in a secure way; and
• The receiving system is technically in a position to receive the incoming data.

These do not appear to set a high bar.

Practical interpretations

There are numerous practical solutions available for facilitating direct transfers of data that can meet the above criteria. The official guidance itself provides some examples, including secure messaging, an SFTP server, a secured WebAPI, or a WebPortal, going on to emphasise that data subjects should be enabled to use personal data stores, PIMS, and other trusted third-parties.

Since that guidance was written a decade ago, a myriad of affordable options have emerged online for secure cloud storage, as well as commercial services that are dedicated to supporting secure transfers of large files (such as WeTransfer). The Data Transfer Project (DTP) has also demonstrated the art of the possible when organisations collaborate to develop interoperable, reciprocal, and scalable portability solutions based on common data models. Although not all organisations will have the resources to invest in large scale portability initiatives like the Data Transfer Project (DTP), many of the alternatives are far less complex, where any barriers to implementation must surely be non-technical (e.g. cost or lack of business incentive).

Rather than focusing too much on the relatively straightforward question of when direct transfers of any kind are technically feasible (answer=almost always), I am more interested in considering when it is technically feasible to deliver effective data portability e.g. through a scalable solution such as the DTP or via a purpose-built API. I’ve illustrated my thinking below by describing six plausible scenarios a data controller could find itself in where they cannot immediately support a transfer request. In each case, I’ve indicated the extent to which the barriers are technical in nature.

At one end of the spectrum, if organisations already have direct transfer tools such as an API at their disposal but choose to restrict their use for data portability in some way, then it would appear any barriers to effective data portability in these cases are non-technical (such as assertions of regulatory obstacles to implementation).

At the other end of the scale, many organisations (probably a very long tail) may simply not have the technical knowhow, software, or bandwidth required to facilitate data exports in a secure and efficient manner. Technical feasibility will be a barrier to effective data portability in these circumstances. Somewhere in the middle, there will be many organisations that do not currently have data transfer tools or technology available to them, but they could realistically build or acquire them in time.

While it might be tricky to know where to draw the line on technical feasibility from a legal standpoint, let’s put things into perspective with a reminder of some of the amazing things that are technically feasible in 2026:

• Space tourism with re-usable rockets
• Driverless taxis
• Laboratory grown meat
• 3D bioprinting of human organs
• Direct communication from brains to computers

How about user-led data transfers? Well, let’s just say it’s not rocket science.

In our first annual report, I described 2023 as our “launch” year. Last year, I framed 2024 as our “journey.” With this year’s report, I note the accelerating pace and demands of our task as an ongoing “march” forward. We can’t know what the year ahead will bring, but I have a hunch it, too, will be quite different from what has come before. (My colleague Tom has shared some predictions, in case you missed our last note!)

I recommend you read the report – it’s not too long, nor I hope too long-winded. But let me provide three bullet points to summarize:

• We shipped. We continued our work on the core Data Transfer Project open-source toolkit for simple and secure end-to-end data transfers, but our pilot Data Trust Registry project rose above DTP in widespread visibility as we shipped infrastructure, secured a platform partner, and signed up several organizations to our trust levels 1 and 2.
• We showed up. Our goal is to be at the table whenever data portability is on the agenda. We organized workshops and events and spoke at conferences. We submitted comments to governments in multiple jurisdictions. And we published original work on critical issues, including realtime portability and AI.
• We stayed on target. The world is changing, and the landscape for portability is evolving and growing with it. In 2025 we grew to meet that, adding new headcount and new affiliates. Yet our mission remains our north star: to empower people by building a vibrant ecosystem for simple and secure data transfers. As we increase our work on topics like trust and AI that were ancillary at our beginnings and are now central, our purpose does not and will not change.

This year is poised to be even bigger for our work than any of the years thus far. And we’re ready for it. Stay tuned.

So here they are…

1. OpenAI will be designated as an ‘emerging gatekeeper’ in the EU. Following the one year review of the Digital Markets Act (DMA), I expect the European Commission to move towards classifying ChatGPT as a “Virtual Assistant”, then applying a targeted subset of the DMA provisions to the service (including Articles 6(9) and 6(10)). As a result, I predict ChatGPT will implement a data portability API, supporting ongoing developer access to daily downloads of users’ data such as conversation histories. In a rapidly evolving technology context, we expect lots of discussion of scope, and anticipate greater visibility into DTI’s AI portability principles. The Virtual Assistant CPS may also be applied more widely to existing gatekeepers that operate AI powered chatbots, thereby expanding the scope of data included in their data portability tools.

2. The UK will introduce a Smart Data Scheme for digital markets. This prediction is really about the when rather than the if, and I am expecting a rapid timeline from the Department for Science, Innovation and Technology (DSIT), with the necessary secondary legislation in place before the end of the year (just). That would be an extremely ambitious timeline but, for a government motivated by economic growth (and with no money to spend), it makes sense to move quickly.

3. DTI’s Data Trust Registry will reach critical mass on both sides. Perhaps this is a bit of a cheat prediction. After all, it is something I am looking to influence directly, and we have already made significant progress in this direction. But nonetheless it feels sufficiently noteworthy for inclusion. I estimate that the tipping point for overcoming the ‘chicken and egg’ effects of this two-sided platform we are building will be three large platforms relying on our Registry for verification, and 30+ services registered and listed and set up for annual review. I am confident we will get there comfortably in 2026.

4. Data portability use cases will be proven as commercially viable. I’m certainly not predicting an explosion of use cases with billions of users - I will save that prediction for 2027! But in this coming year I expect to see two very important developments for data portability use cases. First, a few of the most promising startups built on top of data portability APIs will become profitable and/or attract major inward investment (though we may be too early to start talking about exits). Second, a handful of existing businesses with established userbases will incorporate portability as a new feature into their offerings to enhance personalisation of their service. These early success stories will provide useful for regulators around the world examining digital market regulation.

5. Portability will be trialled to support consented personalisation of ads. Perhaps as a subset of the prediction above, I foresee some ad-funded apps will trial the use of data portability APIs to power their ad targeting as a replacement for cross-site or cross-app tracking. For example, apps might request that their users share their personal data from other platforms such as Facebook, YouTube or the App Store, with explicit consent that it could be used to serve them relevant ads. Gaming seems a strong candidate for this move, given that games providers could incentivise users to share their data by giving them non-financial rewards such as extra lives or other in-game features that players might otherwise purchase through in-app payments.

6. Personalised audio content will grow in popularity. The shift towards AI generated audio content going mainstream started last year, with AI generated music entering the charts and capturing headlines. While I’m sure that controversial trend will continue this year, I expect another (slightly conflicting) shift to take place that could make charts less relevant altogether. People are going to start creating and listening to their own music and podcasts, produced at the click of a button by AI powered services to their own tastes and interests. This development will drive new demand for data portability from major streaming platforms, with new AI powered content creation services seeking access to their users’ past listening, viewing and searching data to support creation of highly personalised content.

7. Europe will continue to lead the way on data portability. Somewhat disappointingly, unless prediction four comes to fruition much sooner than expected, I don’t think we will reach the tipping point in 2026 where it is a no-brainer for all major tech platforms to support global availability of data portability APIs. Instead, I think we will see continued divergence between Europe (EU and UK) and the rest of the world. There will be some progress elsewhere (I hope to see at least one more existing portability API made available in the US for example) but regulatory uncertainty will stifle incentives, and the demand from developers and users in key markets such as the US will not be vocal enough (yet). As we strive to build a thriving global data portability ecosystem, this is one prediction we will be actively looking to disprove.

I look forward to returning to these at the end of the year to see how well I did. In the meantime, get in touch to let me know what you think, or even to share some predictions of your own!

We made it! It’s the end of 2025, and wow, what a year it has been.

I hope you all are able to take a breath, step back from the work, and get some rest as the year winds down.

We here at DTI wanted to gift you some of our favorite things – things we’ve read this year that really mattered or opened our eyes, things we’ve learned we want to share, and even some personal tidbits we just couldn’t help but include to hopefully bring you some of the joy it brought us.

Enjoy and the happiest of holidays to you from all of us!

Chris, Lisa, Delara, Tom, Aaron, and Jen
Your Data Transfer Initiative Team

Our Favorite Things

Chris Riley, Executive Director

• I’ve spent a ton of time this year working on and thinking about AI. I could create a long list of recommendations just on that subject. But I’ll keep it to 1, and my apologies to the many left-behinds: Mustafa Suleyman’s writings on Seemingly Conscious AI. As modern AI grows, so do its problems. (For a bonus, check out the AI portability principles we’ve published at DTI, to help people stay in control of the AI future.)
• In a year of significant, yet at times swirling, winds for data policy in Europe, I’ll highlight the UK’s Data (Use and Access) Act, which was fully adopted this year. The expansion of Smart Data into other sectors, including potentially the digital sector, will lead to a great increase in data transfers in practice, and DTI will be there to support.
• Shifting to the personal, I think this year saw an increase in fans for one of the greatest sources of unalloyed joy in my life: the TV show “Somebody Feed Phil.” Not as serious as Anthony Bourdain’s travel food shows, though inspired by them, Phil celebrates the positive and the wonder in good food wherever he goes, and the people, history, and culture behind the food.

Lisa Dusseault, CTO

• Favorite non-fiction book read this year: The Unaccountability Machine. Favorite new fiction series: Dungeon Crawler Carl – I devoured these at the beginning of 2025.
• DjangoCon, in Chicago, where I spoke in October, was a terrific experience with friendly, supportive people, all willing to share their knowledge. Standout talk: AI Modest Proposal by Mario Munoz.
• Favourite new DTI collaborators: getting to know Fabric.io, Koodos and Inflection AI this year, all of whom became DTI affiliates in the year. I love learning about startups’ journeys and their vision.

Tom Fish, Head of Europe

• On the policy side of things, a personal highlight of the year for me was the UK government consultation on whether and how to implement a Smart Data scheme for digital markets. Having originally proposed this idea a few years ago in a former role, it reaffirmed my personal public policy mantra: “it can all start with a blog”.
• When selling the value of data portability to policy makers and politicians over the years, I have often called on the expression “if you build it, they will come”, slightly adapted from the 1989 classic Field of Dreams. At an event in London on Context Portability for AI Agents, hosted alongside two DTI members Google and Fabric, I officially retired this movie reference, as data portability use cases are finally emerging from the cornfield. (Watch here from 28:00 onwards).
• I’m sure this will also appear in all of my colleagues’ lists, but my biggest highlight of 2025 is of course joining DTI at the start of the year. As I said in my first DTI newsletter, “my joining DTI feels like it was a foregone conclusion since my first conversation with its Executive Director Chris Riley in July 2023.” It hasn’t disappointed!

Jen Caltrider, Director of Research & Engagement

• My favorite dense slog of an academic read that actually changed my world view on how data portability could change the world for good would be this paper Data Portability Revisited: Toward the Human-Centric, AI-Driven Data Ecosystems of Tomorrow. Don’t let the hefty wordcount of an academic paper fool you, it’s really quite good. And if you don’t have time to read it all, skim the first parts and then really read section IV on Portability Reimagined.
• As a consumer privacy advocate, I spent 2025 really trying to figure out how data portability could make life better for people and give them back control over their data and their privacy. The best person I’ve found out there already talking about the potential for this future is Jamie Smith, who writes the Customer Futures substack newsletter. Please, go check it out, and I’d recommend starting here (which I know is part 2, you should also read part 1 and then go from there).
• My “fun” read recommendation probably isn’t exactly all that fun to read, as it’s a Harvard Law Review article from 1850. But, stay with me here, it’s actually really, really cool. Back then, some smart legal types (Warren and Brandeis) wrote a paper called The Right to Privacy for the Harvard Law Review. In it, they defined privacy as the “right to be let alone.” People, we all deserve the right to be let alone in the AI age! Let’s embrace this definition of privacy please!

Delara Derakhshani, Director of Policy

• One of my favorite things this year has been a renewed interest in and ongoing momentum for data portability – in the U.S., around the world, and increasingly across new sectors. Part of my work at DTI is to track this, so I offer to you the tracker from this July. We are at a turning point for data portability and I’m excited to be part of this journey.
• Translating the technical work of portability to the everyday is tricky. Early in 2025 I wrote this blog post that I wanted to highlight as a step forward. It spells out nicely and succinctly why data portability should matter to you, using the threat of a TikTok ban as an example.
• On the personal front, I’ve enjoyed spending more time with my mini-dachshund, Charlie Derakhshani, recently. Those of you who own this unique breed know that they ooze love and never leave your side – but that they would also probably happily trade you for a sandwich if they had the chance.

Aarón Ayerdis Espinoza, Software Developer

• This year I attended FediForum online, and among all the topics presented, there was a fantastic moment when Elena Rossini (whom I was very surprised to see after several years of watching a documentary she directed) appeared, presenting a short film explaining how the Fediverse works.
• Reading articles about Data Portability and discussing at social gatherings with former colleagues and classmates about the importance of our digital rights has been a fun experience. It’s a topic that has largely gone unnoticed, even by people working in the same field as me. You should try talking about portability with your friends - they may never have thought about whether they can move their data.

As an (entirely self-proclaimed) specialist in technology policy at the intersection of competition and data protection, the opportunity to feed into this document is as good as it gets for me. Strictly speaking in my view, at least for the data portability sections that I examined, the document goes a little beyond the stated scope of the interplay between the two regulations, also providing some useful detail on how the DMA provisions themselves should be interpreted by gatekeepers. This is a good thing, if not a little late in the day!

Stating the obvious, and helpfully so, the guidelines confirm that Article 20 of the GDPR and Article 6(9) of the DMA are complements to one another. They also clarify how compliance with Article 6(9) of the DMA fits within the framework of the legal responsibilities placed on gatekeepers by the GDPR. This is welcome and should provide additional confidence to all participants within the data portability ecosystem going forwards.

Beyond this, the guidelines also provide some additional practical detail on how the data portability provisions in DMA Article 6(9) should be implemented by gatekeepers, addressing several topics that have been the source of lengthy and sometimes polarised debates over the last two years.

Of these new details, there are many areas where the merits of the policy direction could (and may continue to) be hotly debated, even though the intent and meaning of the guidance itself is pretty clear. For example, the guidelines set out a fairly explicit position on the treatment of other users’ personal data in the context of a data portability transfer. Many will agree with the position, just as many won’t. But most will understand what the text means.

Then, there are a smaller number of areas where the policy issue itself need not be particularly controversial, but the intent of the guidance appears to be open to various interpretations. Rather than answering questions, some sections of the text appear to pose new ones.

Given the objective of the guidance to promote a “consistent and coherent interpretation of the DMA and the GDPR”, I have focused on this latter category of issues where further clarity is needed.

The first of these areas is the interplay between Article 20 of the GDPR and Article 6(9) of the DMA. The document spends several pages detailing how the DMA’s data portability provisions should be interpreted, but the equivalent provisions in the GDPR are almost entirely overlooked. This is a shame, and feels like a real missed opportunity to provide some much needed clarity around the circumstances where a data controller should support direct transfers under Article 20. In particular, a few sentences covering what “where technically feasible” means in practice could be a game changer for the prospects of widespread user-led data transfers. After all, the world of technology has moved on a fair bit since the GDPR was drafted, so perhaps a refresh of thinking is needed beyond the gatekeeper seven.

The second issue we have highlighted is the guidance on the meaning of “continuous and real time”. There is some new detail on how to interpret this requirement, but I’m not convinced the new words are any less open to interpretation than the ones we already had.

In our response, we have encouraged an approach that is context specific and keeps user needs central, which could draw from the recent research by DTI Summer Fellow Thomas Carey-Wilson that presented a Functional Real-Time framework to help conceptualise latency and speed in data portability.

The third issue we are drawing attention to is Trust. As anyone that has followed my writing on this topic will know, this is an area where DTI has skin in the game. I have previously highlighted the fact that the DMA was unhelpfully silent on Trust, so it is welcome that the guidelines now explicitly recognise the need for gatekeepers to onboard third parties. This includes by requesting identity documents, and also through robust authentication processes integrated into each data transfer request. However, they don’t go any further than that, appearing to rule out the placement of any other guardrails, and completely omitting any reference to the two big ‘C words’:

• Criminals: the guidelines state that “Gatekeepers can therefore not restrict, in any way, the data portability use cases and business purposes that authorised third parties can pursue with the data they receive under Article 6(9) DMA.” While I firmly agree with the spirit (and what I believe to be the intent) of this sentence, it oversimplifies the issue. What about use cases that are illegal? What about third parties that are suspected to be criminal enterprises, or even state actors? If the European Commission wants this guidance to be useful and credible, it needs to be more exhaustive about acceptable vetting procedures, and more explicit that blocking such applications is necessary, and that some basic checks to identify them are expected.
• Consent: the guidance seems to suggest that gatekeepers must not do any checks in the onboarding process to validate that third parties intend to obtain valid consent, or even consent of any kind at all. Such checks can be very straightforward and light touch, by comparing the organisation’s privacy policy with an image or mock up of their consent screen. The benefits of doing this are immediately obvious – blatantly dishonest and deceptive businesses can be blocked, while the standard of consent is nudged upwards as third parties try harder in the knowledge that someone is checking their homework.

As DTI is finalising the processes and documentation for our Data Trust Registry, you can be absolutely certain that a proportionate review of third-parties’ approach to consent will be a core component, as will the aim of blocking criminals’ access to user data. I’d suggest this is fully aligned with the complementary goals of data protection and market contestability. Don’t you agree?

The consultation closes in two days, so you still have time to get involved and offer up your own views to these questions.

Consent and portability piece by Tom Fish at Tech Policy Press

Today, Tech Policy Press published “Consent, pay or port” by DTI Head of Europe Tom Fish. Tom digs into a privacy question that has been at a roiling boil in Europe for some time: whether current modalities of consent to data collection and use in order to use a service without payment are appropriate. Some companies – including Meta, one of DTI’s founding members – offer paid access to their services, and in some circumstances, also options for less personalized advertising. Tom identifies an orthogonal issue that is critical for meaningful consent: whether or not users can effectively port their data between services. Data portability is a necessary condition for empowering users and making sure that consent, and particularly the withdrawal of consent, is meaningful. Portability helps make markets work, and work to serve the interests of consumers.

AI and privacy piece by Jen Caltrider at Fast Company

DTI Director of Research and Engagement Jen Caltrider has a new piece in Fast Company this week entitled “AI is killing privacy. We can’t let that happen.” In it, Jen writes of the often-overlooked significance of the printing press in the history of privacy – how books give us space to read and to think in solitude. She proposes that in the emerging era of AI – one already marked by, let’s say, less-than-ideal levels of user empowerment over personal data – we look to data portability, “the underdog of privacy rights”, as the lever that we need to change the future of privacy for the better. Check it out!

New affiliates

DTI is a membership organization, but a social welfare variant, not a trade association; our structure is one of our superpowers, in my view, as it lets us be grounded and aspirational in equal parts. I wrote a fairly extensive piece last summer about how and why we work with industry to put real solutions into real people’s hands, while maintaining strategic independence and unwavering dedication to our mission of empowering people through data portability.

For some months now, our website has listed our organizational partners, including founding members Apple, Google, and Meta and partners Amazon and ErnieApp. We’ve also long listed some other organizations with which we have various levels of association; the European Internet Form and the World Wide Web Consortium, both with long established membership structures, along with FediForum and the Trust Over IP Foundation.

But our network is broader than even these data points indicate. And in particular, we’ve begun identifying industry collaborators who provide immense support and alignment on specific projects, and with whom we’ve decided to codify a formal relationship as “affiliates.” Our website now lists Inflection AI, which joined last year as our first affiliate, as well as Fabric and Koodos. We’re delighted to have them on board the DTI train, and are looking forward to continued collaboration.

If you’re reading this and thinking, hey I want to get in on that – there’s a “Contact Us” link at the bottom of our website, or here: send us a note!