Inside GDPR’s two rights — and why the exit still doesn’t work
The coat at the door
I opened my Google settings the other day and the machine had changed its face. The buttons I used to dig three menus deep to find were sitting in the open, almost warm. Export everything. Take it and go. Request erasure — your right to be forgotten. Google was practically walking me to the door, holding my coat.
A year ago this would have moved me. The platform growing up. Listening. Finally handing me what was always mine. I don’t read it that way now. Google didn’t soften. Google got forced. And once you see the shape of the thing that forced it, you cannot unsee it behind any friendly button again.
Here is the first thing the title is telling you. That button is not new. The right behind it — to take your data and leave — has existed in hard law since 2018, when the GDPR came into force. It could have sat in the open for eight years. And the part that should chill you: hiding it broke no law. The 2018 law required only that you be able to take your files. It never required the door to be easy to find. So platforms obeyed the letter through ugly, buried interfaces — compliant, and conveniently miserable. Eight years of we can’t, it’s complicated — and then, the moment the pressure got expensive, the button they couldn’t build appeared overnight, tidy and obvious, as if it had been waiting in a drawer the whole time. It had. When it finally appears and the platform smiles like it’s doing you a kindness, understand the arithmetic: you are handed access to a right you already had, eight years late. You weren’t given anything. You were robbed of eight years of reaching it, and the smile is the cover.
The law has a name, and I read it
Article 20 of the GDPR — the right to data portability. The text is not decoration. You have “the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance.”
Two phrases carry everything. Machine-readable format. Without hindrance. The law does not say a company merely has to let you leave. It says what you carry out the door must work on the other side, and that they are forbidden from making the leaving hard. Hold those two phrases. We come back to them, and a company is going to be standing on the wrong side of them.
Why they fought to keep it buried
Look at yourself inside any service you actually live in. Your cards, your passwords, your bookmarks, your history, your links to other people, the thousand settings you tuned over years until the thing fit like a worn shoe. Leaving isn’t one decision — it’s tearing out a root system. And as long as there is no working export, that root system stops being convenience and becomes a hook. You stay not because it’s good, but because cutting yourself free costs more than enduring it. The platform doesn’t need to be a prison. It only needs to make the door expensive.
Take ChatGPT, 2025. People will tell you there was an export button — and technically there was. But it handed back a dead archive: a zip that won’t reload into another tool, years of context you taught the machine reduced to a file that won’t boot anywhere else. When a 2025 outage wiped histories, a survey of affected users found two in three had used it as their main work reference, and nearly half judged their lost conversations would take over twenty hours to rebuild — if rebuilding was possible at all. They hadn’t been locked behind a wall with no door. They’d been handed a door onto a curb, where everything they carried out died on the way down. That is the lock-in — not the absence of an exit, but an exit that destroys what you take through it. And it was never one platform. The dead-format export was the industry’s quiet default, built into the floor everywhere at once.
Your data is not a copy. It is you.
While your data sits inside the platform, it is not a dormant archive waiting for you. It is working — sold to advertising partners, fed into models, turned into a profile that decides what you see and what you pay. You are not a customer of the machine. You are its raw material.
That is why two rights run through this part, not one. Portability is the right to move — to carry yourself somewhere else still alive. Erasure (Article 17, the right to be forgotten) is heavier: the right to stop being raw material at all, to order a platform to wipe your data rather than hand you a copy. One is about leaving. The other is about no longer being eaten.
Erasure binds anyone the law can reach who holds your data — the platform, the payment processor, the third parties they passed it to. But it is not a magic word. They can lawfully refuse in narrow cases: where the data serves freedom of expression, another legal obligation, or — note this — the defence of a legal claim, even one not yet filed. You cannot erase your way out of a fight you are already in; data tangled in a live dispute is evidence they get to keep. Erasure is a scalpel, not a panic button.
And one honest line for anyone who thinks erasure scrubs them from the AI entirely: it does not pull you out of a model already trained on you — what was absorbed is in the weights. What it cuts is the flow. And in this race the fresh, continuing flow is exactly what they fight to keep. You don’t undo the old slice. You shut the tap.
The walled garden has a buyer
Now see who is standing at the gate with a checkbook. Platforms don’t hoard your content out of habit. They hoard it to sell it — wholesale, to the AI companies, while you are still inside thinking you are a member of a community. Reddit signed data-licensing deals worth two hundred and three million dollars — sixty of it from Google alone — handing over millions of people’s posts as training feed. The users wrote it. Reddit banked it. To the platform you are not an author. You are inventory — content it can resell to an AI model by the tonne, without your consent and without a cent to you.
That is what the locked export is for. A walled garden is valuable only while the wall holds, because the wall keeps the harvest exclusive — and exclusive is what the buyers pay for. The investor knows the math the author never sees: for an AI company, up to seventy or eighty percent of the entire valuation can sit in proprietary data nobody else can reach. Let authors carve themselves out of the fuel tank and that fraction doesn’t shrink — it evaporates. Which is the quiet argument for your own ground. A writer on their own domain is in no one’s inventory: indexed by Google directly, owned outright, impossible to bundle and resell through an API, because no platform stands between the writer and the world. Leaving the garden is not just escaping a bad exit. It is stepping out of the merchandise.
And now they have you training it
Watch how the next gift arrives. In June 2026 Substack rolled out a feature called Reply Rules: tell it your standards for comments — no slurs, no AI slop, stay on topic — and an AI moderator enforces them for you. By their own description, the system learns every time you hide a reply and preemptively hides the ones it predicts you would hide. Un-hide one, and that teaches it too. It is presented as a kindness to the creator — less of the grinding work of policing your own threads.
Now run it through everything you just read. Who is learning? Their model. On what? Your judgment — every hide, every un-hide is a labeled example, a training pair you produce for free. You think you are moderating your comment section. You are hand-labeling a dataset for a self-improving model you will never own, never audit, never be paid for. And how it works under the hood, they declined to say — the proprietary wall from the lawyer’s second round, raised again, this time around the very thing your labor is building.
This is the lock-in’s final form. No longer just that your content is hard to carry out — now your daily work inside the garden has been quietly converted into fuel. You are not only the inventory anymore. You are the unpaid trainer of the machine that makes the inventory worth selling.
And this is not one platform’s trick. It is the whole industry’s default, dressed up as a feature. LinkedIn switched on training its AI from member profiles and posts in late 2025 — opt-out, on by default, so silence counts as a yes. Meta has fed Facebook and Instagram content into its models for longer than that. The garden Reply Rules belongs to is everywhere, and they all learned the same move: turn your work into their training mass, and call it an upgrade.
And consider who is asking for this trust. The same platform that, just months before, had to email its users to confess a breach. The unauthorized access began in October 2025 and ran for roughly a hundred days before anyone at the company noticed — they discovered it only on February 3, 2026, and not through their own monitoring but because the stolen records had surfaced on a cybercrime forum. On February 5 the notification went out, signed by the CEO himself: email addresses, phone numbers and internal metadata, scraped from its systems. Nearly seven hundred thousand people — taken through the very API that feeds these clever new features. So line up the calendar. In February 2026 the platform admitted it had lost your data and hadn’t noticed for three months. In June 2026 the same platform asked you to trust its self-learning model with your judgment. The wall it raises around how that model works under the hood is the same wall that hid the breach until a stranger announced it.
“Tougher regulators” is a timetable, not a feeling
In 2026 the regulators stopped asking politely, on a calendar you can read. A newer law sits on top of the GDPR — the EU Data Act. From September 12, 2025, providers must remove barriers to switching. It tightens yearly: interoperability obligations in September 2026; in January 2027 a complete ban on charges for switching between data services. The screws turn on a schedule — and that schedule is what “tougher regulators” actually means. Not a feeling. A timetable. And it has teeth: fines up to 4% of global annual turnover, the same ceiling as the GDPR.
The total looks huge — over €7.1 billion in fines across more than 2,200 penalties since the GDPR began. But the total hides the real story, which is the slope. From 2018 through 2022, regulators issued about forty percent of all fines. From 2023 to early 2026, they issued more than in the entire five years before — combined. Not a plateau. A ramp.
The fine is a mosquito bite — the swarm is not
Here is where everyone misreads it. The biggest GDPR fine ever is Meta’s — €1.2 billion. It reads like an execution. It isn’t. The year it landed, Meta reported $117 billion in revenue. The record-shattering penalty came to barely one percent of a single year’s income — the kind of money a company that size finds in the cushions and forgets by lunch. A mosquito bite. You do not frighten a company that size with money. Money is what it has instead of fear.
So why fear it? Because of who delivers the bite, and because one bite is never one bite. That record fine was set in motion by one man — an activist who filed a single complaint and waited the better part of a decade. One grievance, lodged and re-lodged, became €1.2 billion and a court order to shut the data pipe to the United States. Not the money — the order to stop the flow was the knife. And it began with one form, filled out by someone who could have told himself he was too small to matter.
Your one complaint never arrives alone. It lands on the stack — and the stack is what the regulator weighs. Thousands of small filings are what let a regulator walk into a government and say this is systemic, not personal. That permission is what hardens the rules. The pressure never came down from above, from some benevolent regulator who woke up caring about you. It came up. You don’t win your case. You thicken the stack that makes the next rule possible.
The machine, drawn in full
Step back and see the whole mechanism, because its shape explains why some doors open and others don’t.
It starts with you, as noise. One complaint, to a European regulator or the American FTC, is nothing — and the regulator is not an ambulance come to rescue your case. It is a collector of evidence about systemic failure. But it keeps the count: the FTC literally runs a “Surge” report flagging companies whose complaints are spiking. Cross a line and the noise becomes a mandate. Then the regulator turns to the platform with three levers. One: a knife at the business model — a turnover fine stings, but an order to halt the data flow is instant death on a key market. Two: it turns the company inside out — an open investigation is a legally mandatory line in the material risk disclosures a platform must file before going public, so it has to write its own sins into the documents handed to investors, toxic to capital by its own hand. Three: enough accumulated violations crystallize into harder law — the Data Act sealing the gaps the GDPR left open.
And the author is not loose cargo on that ship — the author is the cargo. In the AI race, this platform is worth something to OpenAI or Google only as long as it holds exclusive, locked content made by living people. The moment writers cut themselves out of the feedstock, the company loses the one race that defines the decade — not by fine or scandal, but by quiet structural starvation.
And here is where the chain snaps. It runs clean only where the gap in the law is already sealed — Google’s door. Where the gap is still open — the publishing platforms — the mechanism stalls at the first step. You complain about a broken export. The regulator checks the 2018 law: file handed over? Yes. Readable? Yes. No pressure forms, because formally there is no breach. The swarm beats the machine only through sheer volume held long enough — until the count of dead mosquitoes on the windshield starts to block the investors’ view.
So — do complaints work?
This is the question I kept tripping on myself, so let me cut it clean, because the answer is two answers.
A complaint about something already forbidden — Meta moving data it shouldn’t — works directly. It hits a rule that exists, it stacks, it bites. A complaint about something sitting in a gap — a broken export the 2018 law doesn’t cover — will not be caught, because the regulator looks and sees no breach. So the honest map is this: against a violation, you file and it lands. Against a gap, no single filing lands at all — the gap closes only when enough people press on the same empty spot that a new rule gets written into it. Both are worth doing. But know which one you are doing. The first is a strike. The second is a vote, and it counts only in the thousands.
Now hear their lawyer
Before you cheer that we caught them — we didn’t. Picture the platform’s lawyer, unhurried, opening the regulation to read me my own rights. They strike at the joints in the law’s armor, and they have four rounds. I’ll load them myself, because knowing the enemy’s armor better than he does is the only way to see where it has no seam.
Round one — the law forbids them from helping you. They open Recital 68 of the GDPR: the right to receive your data “should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.” Sewn into the law itself. We handed you a standard file. It opens. That your new site breaks on our redirects is your architecture’s problem, not our compliance. The British regulator agrees in writing: the right produces interoperable systems, not compatible ones; a platform need not stay technically compatible with anyone else’s.
Round two — their machine is a trade secret. Demand it exported so it works the same, and they raise proprietary software. The link structure, the tag logic, the subscriber graph, the rendering engine — intellectual property and commercial secret. To export the data with that logic is to hand a competitor a slice of the engine, so they strip their IP before it goes out the door. What survives is, of necessity, a bare archive. The deadness is IP protection working as designed.
Round three — protecting everyone else from you. The essay is mine. The comments, likes, reply-chains and reader profiles under it belong to other people. Article 20(4) and Recital 68 both say portability must not harm the rights of other data subjects. So: if we export every cross-link, comment and reader profile for transplant to an independent engine, we commit a mass breach against those readers — handing their data to a new host without consent. We sever the connections to protect third parties. They break your archive in the name of someone else’s privacy.
Round four — and we met this one already. Against the harder, newer law they raise a wall of definitions: the Data Act was written for data processing services — cloud infrastructure, IaaS, PaaS, IoT. A publishing platform is not a cloud you rent compute from. It is a content service, draped in freedom of expression. The switching duties simply do not reach it. (The legal spine, for those who want it: GDPR Art. 20 is satisfied by a raw machine-readable .zip and never required compatibility; the EU Data Act’s functional-equivalence duties live in Chapter VI, Art. 23–31, but bind data processing services, and a closed-source content platform slips out through a built-in exemption. It is not a flaw in the product. It is legal arbitrage — working a lacuna in the definition.)
Four rounds, and every one lands. Not one is a lie, not one would fail in court. The platform did not break the law four times. It obeyed the law four times — and left me on the curb anyway. That is the whole thing, distilled: the armor has no seam because the armor is the law. So the question stops being did they break a rule. It becomes: what closes a gap that perfect compliance fits through? Not a lawsuit. The gap is not a violation — it is a vacancy. And a vacancy in the law is filled the only way vacancies ever are: by enough people pressing on the same empty spot until someone writes a rule into it.
When the user has lost the door
And there is a harder case still, where the right stays perfect and the hand cannot reach it. Picture a user locked out of their own account — and there are a dozen ordinary ways to get there. Banned. Caught by a policy change. Cut off by a border or a sanctions regime. Forgot the password. Lost the phone that holds the two-factor code, and with it the only key to the login. The reason barely matters; the result is identical. Their right to erasure is intact. Their right to portability is intact. The law still says delete me, hand me my data. But the door to those rights is a button inside an account they can no longer enter. They cannot click delete. They cannot request the export. The right and the access to the right are two different things — and you can lose the second while keeping the first whole. A right you cannot physically reach is a key to a lock on the far side of a wall.
This is why the button in the app was never the real thing — only its most fragile form. The exit that matters is the one that does not depend on being let back inside: a written demand, a regulator, a representative who can knock on the door you no longer can. Which is exactly the side door — and we go looking for it in the parts ahead.
This isn’t a European story, and it isn’t over
Before you decide this is a European story that doesn’t touch you — stop. The right is not bound to the EU by passport. The GDPR set the template and it spread: California’s CCPA, Brazil’s LGPD, Japan’s APPI, the UK’s own GDPR — all carry the same principle, that a company can no longer escape its duty to you by moving your data across a border. The flag on the building stopped being a shield. Wherever you stand, some version of this right has a hand on the door near you.
And it costs you to wait. Your data does not sit still while you decide — every day you don’t move it or demand its erasure, it keeps being sold, keeps feeding the model, keeps building the profile. Doing nothing is not neutral. It compounds, against you, with interest.
This part walked two rights — portability and erasure. They are not the only ones. The next opens confidentiality, where these American platforms get interesting: Substack and Stripe are US companies under US state law, and their own published policies say what they will hand over and to whom, carrying both regimes at once — European and American — in plain sight. They wrote the terms themselves. Next, we read them back to them. And how you actually use the right — the form, the words, the side door for those of us outside the EU — comes too. For now, only this:
You were never the user who was handed a button. You are one of the thousands whose pressure pried it open. They are not afraid of your lawsuit — they have lawyers for that, and you read what those lawyers can do. They are afraid of the only thing a vacancy in the law has ever feared: the count going up. One more person who looked at the friendly button and saw the surrender it actually is. That person is now you. The platform would much rather you felt like a single mosquito, too small to bother swatting. It is counting on it. Disappoint it.
There. Now you know. You don’t get to be an innocent user again.
Write to me