> The problem is that the what actually has to be made portable is not well defined in GDPR
Wait, is there anything well defined in GDPR?
EDIT: k, so for the downvoters: I mean it. GDPR is muddy at best. Think IP addresses: in most cases, they are _not_ PII, especially when it's a dynamic IP from an ISP, yet nearly everything insists on hiding IPs or converting them into geo information.
> Think IP addresses: in most cases, they are _not_ PII, especially when it's a dynamic IP from an ISP
In other words: they can be PII, and you can't easily determine which of them aren't - the way they're being assigned is out of your control.
(Even in cases people think IPs aren't PII, they become so when combined with other datasets - dynamic IPs can be quite stable.)
> Wait, is there anything well defined in GDPR?
In terms of singling out particular technologies? No. In terms of defining principles and criteria? Very much yes. If GDPR went the other way, it would be trivial to work around by subtly changing the technologies or data involved.
Wait, is there anything well defined in GDPR?
EDIT: k, so for the downvoters: I mean it. GDPR is muddy at best. Think IP addresses: in most cases, they are _not_ PII, especially when it's a dynamic IP from an ISP, yet nearly everything insists on hiding IPs or converting them into geo information.