Data portability defines that individuals have the right to request a copy of their personal information and/or have their information shared or transmitted from one controller to another. The controller being the organization that has legally obtained the individual’s information for a legitimate processing purpose (for instance a health provider or insurance firm). Both the GDPR and CCPA provide for data portability and this is a common feature for most privacy legislation worldwide. Data portability requests are considered a part of the data subject access request (DSAR) process.
Data portability is concerned with personal information on individuals and does not apply to information that has been anonymized or pseudonymized (this is specifically related to GDPR). Article 20 of the GDPR provides a description of the rights for data portability and includes this statement to help define the data portability concept: “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided…”