Dragging data portability kicking and screaming into the AI age

In a blog article, Kevin Bankston, Senior Advisor on AI Governance at the Center for Democracy and Technology (CDT), outlines the persistent challenges surrounding data portability between social networks and now modern generative AI services.

While Article 20 of the EU General Data Protection Regulation (GDPR) establishes the right to data portability, differences in data formats and a lack of import features hinder seamless transfers between social networks. Today, a similar locking effect is affecting users of generative AI (Gen AI). Moving extensive project contexts, chat histories, documents, and images between competing large language models like OpenAI's ChatGPT, Google's Gemini, and Anthropic's Claude remains practically impossible without manual cutting and pasting.

The three major AI services offer bulk data downloads to meet basic GDPR compliance, but this functions largely as compliance theatre due to critical limitations:

• The services provide downloads as large JavaScript Object Notation (JSON) files without publishing their underlying digital schemas.
• These undocumented schemas remain unstable, shifting alongside rapid internal product changes, and lack a cross-industry standardized format.
• No platform provides an import tool to upload downloaded data from a competitor.
• It remains unclear if the unstructured JSON files capture full chat context or cross-chat memories, with Anthropic being the exception by explicitly disavowing saved memories beyond user-accessible text files.

Bankston argues that a unified industry standard is unlikely in the short term due to diverging feature sets and a lack of collaborative incentives. However, he notes that there remains an opportunity for a challenger to capture market share by offering true portability from ChatGPT, backed by stricter enforcement of existing and emerging European and American regulatory frameworks.

Training announcement: Freevacy provides comprehensive training for new and existing practitioners on the changes introduced by the DUA Act to the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), and the Privacy and Electronic Communications Regulations 2003 (PEC-Regulations). Our courses are always up to date and provide a forum for learning and discussing how to ensure your data protection processes remain compliant. Find out more.