
The problem is that what actually has to be made portable is not well defined in GDPR. It basically says that it means any data by which the user can be identified. When I requested a data export from some companies, their legal team argued that they cannot send me my projects in a structured format, nor will they allow import of project files from another service, because this is not personal data (or rather not PII). So this is actually another area where GDPR is all bark but no bite. I could only request my personal data, that is, my name, address, email and IP addresses...



What the law doesn't specify is if data associated with personal data should be included or not. It's kind of paradoxical because I may have a table in the DB with the details about the user, like name and email, and another table about, say, sexual preferences (usually considered quite sensitive). I could argue that the sexual preferences table is not personal if viewed alone, but of course it is very personal when linked through an ID.

I think that, as long as the ID is there, and that data is therefore linkable, that data IS personal.

IANAL, but that company's reply is bullshit and could be easily brought to court.


> IANAL, but that company's reply is bullshit and could be easily brought to court.

Nobody has money and time for that, unfortunately, and if you are using a platform that you like or need, then it is impossible, because you'll risk getting your account deleted.


You don't need to hire a lawyer, you can (and should) go to the data protection authority of your country, if you're in Europe or if it's a European company.


I did once and they told me to use a different app.


> The problem is that what actually has to be made portable is not well defined in GDPR

Wait, is there anything well defined in GDPR?

EDIT: k, so for the downvoters: I mean it. GDPR is muddy at best. Think IP addresses: in most cases, they are _not_ PII, especially when it's a dynamic IP from an ISP, yet nearly everything insists on hiding IPs or converting them into geo information.


> Think IP addresses: in most cases, they are _not_ PII, especially when it's a dynamic IP from an ISP

In other words: they can be PII, and you can't easily determine which of them aren't - the way they're being assigned is out of your control.

(Even in cases people think IPs aren't PII, they become so when combined with other datasets - dynamic IPs can be quite stable.)

> Wait, is there anything well defined in GDPR?

In terms of singling out particular technologies? No. In terms of defining principles and criteria? Very much yes. If GDPR went the other way, it would be trivial to work around by subtly changing the technologies or data involved.



