‘Data portability’ is about regulation… we now need to follow the money to Empowerment (Part 1)
The BigTech players have so far avoided any useful data portability for their users. Is this now an opportunity for Empowerment Tech?
Hi everyone,
Thanks for coming back to Customer Futures. Each week I unpack the disruptive shifts around Empowerment Tech. Digital wallets, Personal AI and digital customer relationships.
Today is Part 1 of a deep dive into Data Portability.
What it is, why it matters, and what’s coming.
Yes, many countries now have excellent data portability regulations. But compliance - meaning that people can access a copy of their personal data - has been sluggish.
And here’s why: data regulations are a what.
If we want more data portability - more personal data flowing, more value created, and more growth across the economy - we must also look at:
The why (incentives)
The who (the individual) and
The where (new digital tools on the side of the customer themselves)
So this week in Part 1, we dive into:
Data portability becomes A Thing (at least in the EU)
Today’s mixed (and reluctant) market response
Minding the gap - what’s missing?
Brands playing ‘offence’ vs. ‘defence’
Opening the door to Empowerment Tech
You see, data portability isn’t just about switching your energy or bank provider. Or moving your social media account (which by the way, folks rarely do).
Rather, when you look closely, you’ll see that data portability is at the heart of the future of the digital customer.
So welcome back to the Customer Futures newsletter.
Go make yourself a peppermint tea, find a comfy corner, and Let’s Go.
Moving physical things at scale is hard.
Especially when you need to move them around the world. It requires physical distribution centres, transport networks and container ships. Making it all very expensive, slow and full of friction.
And while it’s taken decades, our global supply chains are now pretty intelligent. And pretty optimised. The temporary closing of the Suez Canal and the global pandemic showed us just how fragile our physical supply chains are.
It’s easy to forget that often the biggest barrier in global supply chains isn’t politics or money. It’s physics. The real-world forces that act against us when we move stuff around.
But with ‘digital’ supply chains, it’s different.
Data can move instantly. Easily. Seamlessly. Because, to all intents and purposes, there is zero functional distance between two points on a digital network.
So what’s the constraint?
It’s not physics, it’s digital trust.
The risk that your precious data cargo comes from a fraudster. Or the right data gets into the wrong hands. Or it’s tampered with, and someone changes an expiry date or an entitlement.
One of the fixes is the idea of ‘Data Portability’.
Building trusted supply chains of data, especially around personal and customer data.
It’s not just about getting customer data to move more freely… which (in theory) drives more economic value and more market growth.
It’s about doing it in a governed, structured, auditable and trusted way.
Data portability becomes A Thing
In the EU, data portability has been a citizen’s data right since 2018, when the GDPR came into force.
(For the nerds amongst you, you’ll know that data portability is really a competition regulation buried inside a data protection one... but that’s for another post).
But compliance has been pretty miserable. Painfully slow.
Yes, many businesses (reluctantly) now provide a ‘machine-readable’ copy of customer data to the individual. But it’s by email. Likely in a CSV file. And it’s clumsy, and almost always in hard-to-use formats.
So a couple of years ago, the EU decided that data portability needs to be beefed up. To be implemented at scale. Not just softly ignored by large enterprises with armies of lawyers.
In 2023, they brought the hammer down on a huge piece of data regulation giving individuals the right to move their data - and experiences - between competing service providers.
They brought in the new Digital Markets Act, or ‘DMA’.
If you care about customer data in the EU, the DMA is A Thing. And like most regulations, it’s a long and boring read.
But here’s the important bit, from Article 6(9) (bold mine):
“The gatekeeper shall provide end users and third parties authorised by an end user, at their request and free of charge, with effective portability of data provided by the end user or generated through the activity of the end user in the context of the use of the relevant core platform service, including by providing, free of charge, tools to facilitate the effective exercise of such data portability, and including by the provision of continuous and real-time access to such data.”
Let’s pull out the interesting points. Because the wording matters.
1. Third parties can ask for the data, authorised by an end-user
Makes sense. It’s how switching services already work in the UK today.
I move to a new provider (e.g. a new digital bank) and give them permission to go and ask my previous provider (the stuffy old bank) to hand over my basic customer data records. In theory, it makes switching ‘seamless’.
As it happens, the UK government has already gone further, forcing banks to move the customer data between them within 7 days.
So, this part of the DMA is the same as banking today, but now includes other large digital providers.
‘Move-Request-Switch.’
2. End users can receive the data themselves
Great. It’s now easy for users to ask for a copy of their own data.
But what can they really do with it? Download a complicated spreadsheet with random codes in it, and go line by line?
But there’s also this: how will businesses prove that it’s me receiving my data? By email? How is that different to what I can do today under the GDPR (with a Data Subject Access Request)?
3. Free-of-charge tools to facilitate data portability
Now we are getting closer.
But does this just mean a user portal? Tools to trigger the request? Or just tools to actually receive the data and make sense of it?
4. Continuous and real-time access
This is where it gets interesting. The DMA doesn’t specify what ‘continuous’ and ‘real-time access’ mean.
Would a daily batch update to the customer count as continuous? Or does the business just need to show that the datasets are continuous and uninterrupted?
Many devils in many details.
A mixed (and reluctant) market response
The verdict is now in.
The DMA regulation became enforceable early last year, and the Big Tech platforms - meaning those designated by the EU as ‘gatekeepers’ - have all responded.
Each of them has now put in place policies and tech solutions that, they say, meet the new data portability regulations.
And, well, it’s a mixed bag.
If you are interested, or bored enough, you can see the full and detailed responses from each Big Tech platform here.
Anyway, here’s a rough round-up:
Alphabet (Google)
Google were among the first to launch a ‘Data Portability API’ for developers, supporting data transfers from services like Chrome, Search, Play, and Android.
Interestingly, users must re-authenticate for each transfer, and the API does not currently support ‘continuous or real-time access’ (though apparently they are reviewing that). Perhaps an odd position for a company that lives and dies on real-time data.
Amazon
Their Data Portability API is for ‘Marketplace and Ads’ data, along with a new ‘Transfer Your Data’ self-service portal. So far, so muted.
Nothing to see here, move along now, for retail, Alexa, or Prime customers. These APIs feel like a gesture at best.
Apple
A pretty straightforward DMA response, with an ‘Account Data Transfer API’ for App Store data. These have set limits for daily downloads (30 days) and weekly downloads (180 days).
It seems the tool is basic, but functional. But what about Health, iCloud, and other customer data across the broader Apple ecosystem…? Privacy-forward? Maybe. But portability-forward? Not yet.
ByteDance (TikTok)
While there’s a new ‘Download Your Data’ service, it’s mostly manual. There’s no ‘fully automated’ API for continuous data transfers.
Perhaps this betrays a deeper data strategy - to comply ‘just enough’, and keep the identity insights and algo firmly in-house.
Meta (Facebook, Instagram, WhatsApp)
They have expanded their ‘Transfer Your Information’ tool to allow daily data transfers. They also support exports to third-party services (like Dropbox or Google Drive).
Looks like there’s no ongoing access.
Microsoft (LinkedIn, Windows)
They have introduced a ‘Member Data Portability API’ for LinkedIn.
Meaning users can also approve third parties to access user data, and authorisation ‘tokens’ are valid for one year.
What about All. The. Other. Data. They. Hold?
Mind the gap - what’s missing?
The verdict? Well, there are quite a few gaps in these DMA responses. The two most obvious being:
A. Lack of ‘continuous access and real-time’
When it comes to how and when users can access their data, these DMA implementations are pretty limited. Let’s be honest. Do you really think these $bn digital businesses believe that ‘real time’ means ‘daily’?
Just imagine if a senior exec at Meta asked an engineer to create a ‘real-time’ dashboard showing server performance, or user engagement. Do you hand-on-heart believe that they’d build it to pull down results once a day? Nope. It would serve up a live feed. No question.
So why can’t these huge platforms do the same thing here with data portability, a regulatory requirement?
B. Limited automation
Most of these EU ‘gatekeepers’ are relying on manual downloads, rather than automated, user-friendly APIs.
And data advocacy groups like MyData and CODE have reported that the proposed DMA tech solutions are clunky, hard to access, and poorly documented and supported.
What a surprise.
But there’s something else hidden that’s worth looking at.
DMA offence vs. defence
So far, these new data portability APIs are mostly only available in the EU.
That feels odd.
If data portability via API is now technically available, why not make that data available to users globally?
From what I can see, only two of the providers - Google and TikTok - have opened up their APIs outside the EU.
And even then, it’s only to the UK.
Why? Because, I suspect, they feel they have to. You see, one of these brands is playing offence, and the other is playing defence.
First, Google is playing offence.
Right from the start, UK users have been able to transfer their data with the Google APIs.
And why would Google do that? You could argue it’s simply because they have been in the UK longer, and they are dealing with many more political and technical fights, with more conflicts, on more fronts.
Just look at how busy they are right now with digital ID wallets, fighting the competition authorities, and fending off the other AI platforms.
On the other hand, TikTok’s DMA response is more about defence.
They only shipped the APIs to the UK once they were nudged along by data advocacy group CODE, whose head of policy, Tom Fish, cleverly pointed out that TikTok were likely in breach of UK GDPR.
CODE did a victory lap in September 2024, posting about the ByteDance policy win:
“In April, we made a formal complaint to the ICO, on the basis that TikTok (and also Amazon, Apple and LinkedIn) was in breach of the UK GDPR by refusing data portability requests, where it was demonstrably technically feasible via its new API.”
“In June, TikTok followed up by email to say that it had in fact taken on our feedback, and decided to implement in the UK after all”.
So well done to Tom and CODE. (Interesting side note: Tom has now moved to the excellent ‘Data Transfer Initiative’ based out of the US, working on the same, and more, globally. This stuff is building momentum).
Anyway, let’s zoom out again. Why is all this so important? And why should you care?
Because there’s a gap.
Something missing.
Opening the door to Empowerment Tech
Yes, the individual can ask for their data. But where does the data really end up? In most cases, it’s sent to another business. A direct transfer. From ‘here to there’ as part of switching services.
But what if the data went directly to the user themselves?
And not only transferring the data to the individual, but helping them make sense of it? Not only combining it with other verified customer data, but putting it to use?
This is yet another new $bn opportunity that most folks can’t see. To unlock new customer value, to unleash new revenue streams, and to create new digital markets. But this time, all organised around the empowered digital customer.
Where the BigTech providers have failed, customers themselves can step in.
In Part 2 next week, we’ll dive into what’s fast becoming possible with Agentic Wallets, Data Stores and Personal AI.
And what’s about to happen with Empowerment Tech all around the world.
Thanks for reading this week’s edition.