DMCACompare

Data Portability When Leaving a DMCA Service

When you cancel or switch a DMCA takedown service, you have real, enforceable rights to recover the personal data you provided during the relationship. Those rights flow from general data protection law, primarily GDPR Article 20, not from the DMCA statute itself. Understanding what you can ask for, in what format, and on what timeline determines whether you exit cleanly or lose your notice history.

Leaving a DMCA takedown service triggers GDPR Article 20 portability rights for EU and UK subscribers, giving you the legal basis to recover your account data and notice history in a machine-readable format before cancelling. The DMCA statute itself contains no data portability provisions; your leverage comes from data protection law. Services vary widely in how they handle export requests in practice.

  • Legal basis: GDPR Article 20 gives data subjects the right to receive personal data in a structured, commonly used, machine-readable format and to transmit it to another controller without hindrance [1].
  • Response window: A controller has one month to respond to a portability request, extendable by up to two further months in complex cases [3].
  • Format standard: Data must be delivered in a commonly used, machine-readable format such as a CSV file, with sufficient metadata to preserve the meaning of exchanged information [3].
  • Trigger conditions: The right applies when data was processed by automated means based on your consent or under a contract, both of which typically describe a DMCA service subscription [2].
  • No DMCA statute right: The DMCA sets obligations for service providers receiving notices, not for businesses holding subscriber data; portability duties derive solely from data protection law [8].

What does "data portability" actually mean in this context?

Data portability, under GDPR Article 20, is the right to receive personal data you have provided to a service in a structured, commonly used, and machine-readable format, and to move it to another provider without obstruction [1].

Applied to a DMCA takedown service, that means account details, notice logs, matched URLs, takedown outcomes, and any other personal data you supplied or generated through your use of the platform.

The European Data Protection Board (formerly WP29) describes the right as enabling data subjects to "obtain and reuse their data for their own purposes and across different services," including moving, copying, or transferring personal data "from one IT environment to another, without hindrance" [2]. The practical consequence for a creator or agency switching services is significant: notice history is operationally valuable. Knowing which URLs were previously targeted, which hosts responded, and which filings are still pending is information you need to hand to a replacement service without starting from zero.

The concept also addresses the vendor lock-in problem directly. As Wikipedia frames it, portability protects users "from having their data stored in silos or walled gardens that are incompatible with one another," preventing closed platforms from using data custody as a switching barrier [5]. A DMCA service that does not export notice logs in a usable format is, functionally, creating that kind of lock-in.

When does the GDPR portability right apply to a DMCA service?

The GDPR portability right applies when three conditions are met simultaneously: the data is personal data, it was processed by automated means, and processing was based on your consent or on a contract between you and the service [2].

A subscription to a DMCA takedown platform satisfies all three conditions in the typical case.

The ICO states the right clearly: "You can make a portability request at any time to any organisation that relies on your consent to use your personal data, or uses your data as part of a contract you have with them" [3]. A paid DMCA service subscription is a contract. The data you submit, including your copyright registrations, content fingerprints, account credentials, and contact details, is personal data. Processing is automated by definition, since the service scans, matches, and files programmatically.

One important boundary: the portability right covers data you "provided" to the controller, which WP29 interprets broadly to include data you actively submitted and data observed through your use of the service (such as notice filing activity), but not data the service independently derived or inferred from your inputs [2]. Algorithmic scores, internal risk flags, and proprietary match-confidence values the service generated from your data are likely outside the scope of what you can demand in a portability export. Notice URLs, filing timestamps, host responses, and account configuration data are squarely within scope.

How do you actually make a portability request?

To exercise GDPR portability rights, contact the DMCA service directly, state that you are making a data portability request under Article 20 GDPR, and specify what data you want [3].

No special form is required. The request can be verbal or written, though written is advisable to create a timestamp and a paper trail.

The ICO's guidance notes the organisation may first need to confirm your identity before releasing data [3]. Allow for that step in your timeline. Once identity is verified, the service has one month from receipt of the request to respond, with a possible extension of up to two further months if the request is complex or numerous [3]. If an extension is taken, the service must notify you within the first month and explain why.

The data should be sent either directly to you or, if you specify, to another organisation such as your replacement DMCA service [3]. Where a direct controller-to-controller transfer is technically feasible, GDPR Article 20(2) gives you the right to request that format [1]. In practice, most services will send you a file rather than connect programmatically to a competitor's API, but making the request establishes your preference and the service's obligation.

The ICO is the supervisory authority for UK-based or UK-GDPR-governed complaints. If a service fails to respond within the statutory window or refuses without grounds, you can escalate to the ICO [4]. EU residents escalate to their national data protection authority.

How to Request Your Data When Leaving a DMCA Service

  1. Submit a written portability request to the DMCA service, citing GDPR Article 20 and specifying the data fields you need.
  2. Service confirms your identity before processing (allow a few days for this step).
  3. Service has one month from receipt to deliver data; may extend by up to two further months for complex requests.
  4. Data arrives in a structured, machine-readable format (CSV or JSON); verify all notice records, URLs, timestamps, and host identifiers are present.
  5. If switching services, you may request direct controller-to-controller transfer where technically feasible.
  6. If the service fails to respond or refuses without grounds, escalate to the ICO (UK) or your national data protection authority (EU).

What format should you expect, and what should you ask for?

A compliant portability export must be delivered in a structured, commonly used, machine-readable format; CSV is the ICO's named example [3].

JSON and XML are also broadly accepted as meeting this standard. What you should not accept is a PDF printout or a web page screenshot, neither of which meets the machine-readable requirement.

WP29 guidance adds a useful precision standard: controllers should "provide as many metadata with the data as possible at the best level of precision and granularity, to preserve the precise meaning of exchanged information" [2]. For DMCA notice history, that means the export should carry more than a list of URLs. It should include filing dates, the specific hosts notified, the legal basis cited in each notice, response status, and any counter-notice activity. An export that strips metadata reduces the operational value of the file to nearly zero when you try to import it into a replacement service.

Common technical standards are a precondition for portability to work [5]. When requesting your export, ask explicitly for: (a) notice records with timestamps, (b) host and platform identifiers for each filing, (c) outcome status per notice, and (d) any content fingerprint or hash data associated with your registered works. Specifying these fields in writing puts the service on notice of what a complete export looks like.
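One way to check a delivered CSV against the four field groups (a) to (d) before you cancel. This is an added example, not code from this page's sources or from any DMCA service; the column names and sample rows are constructed assumptions, since no reviewed service publishes an export schema.

```python
import csv
import io
from datetime import datetime

# Hypothetical column names (assumption): map these to the headers
# your export actually uses.
REQUIRED = {
    "timestamp": "filed_at",        # (a) notice timestamp
    "host": "host",                 # (b) host/platform identifier
    "outcome": "status",            # (c) outcome status per notice
    "fingerprint": "content_hash",  # (d) fingerprint/hash of the work
}
URL_COLUMN = "infringing_url"       # hypothetical name for the notice URL

# Constructed sample export: the hash column is absent, one timestamp is
# not ISO 8601, one status and one host are blank, one URL has no scheme.
SAMPLE = """infringing_url,filed_at,host,status
https://example.com/a,2025-01-14T09:30:00+00:00,example-host,removed
https://example.com/b,14/01/2025,example-host,
example.com/c,2025-02-01T08:00:00+00:00,,pending
"""

def audit_export(csv_text):
    """Return (missing_columns, row_problems) for a notice-history CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = set(reader.fieldnames or [])
    wanted = set(REQUIRED.values()) | {URL_COLUMN}
    missing_columns = sorted(wanted - headers)
    row_problems = []
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        # Blank cells in a column that exists mean stripped metadata.
        for col in sorted(wanted & headers):
            if not (row.get(col) or "").strip():
                row_problems.append((line_no, col, "empty"))
        # Timestamps must parse, or the replacement service cannot
        # order filings or tell which ones are still pending.
        ts = (row.get(REQUIRED["timestamp"]) or "").strip()
        if ts:
            try:
                datetime.fromisoformat(ts)
            except ValueError:
                row_problems.append(
                    (line_no, REQUIRED["timestamp"], "not ISO 8601"))
        url = (row.get(URL_COLUMN) or "").strip()
        if url and not url.startswith(("http://", "https://")):
            row_problems.append((line_no, URL_COLUMN, "not an absolute URL"))
    return missing_columns, row_problems

if __name__ == "__main__":
    missing, problems = audit_export(SAMPLE)
    print("missing columns:", missing)
    for line_no, col, issue in problems:
        print(f"line {line_no}: {col}: {issue}")
```

Any missing column or per-row problem is something to raise with the service in writing while the account is still active.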

Does the EU Digital Content Directive add anything when you cancel?

The EU Digital Content Directive gives consumers a portability right tied specifically to contract termination, and it applies when a digital service or digital content contract ends under specific conditions [6].

For creators who subscribe to a DMCA service as consumers under EU law, this adds a separate statutory hook beyond GDPR Article 20.

Under the Directive, a consumer can invoke portability upon termination in three scenarios: when supply of the service did not occur and will not reasonably occur; when the contract is terminated as a remedy for a lack of conformity; and when the consumer was entitled to terminate due to unilateral modifications by the provider [6]. The request is not subject to any particular formality [6]. As with GDPR, the data must be delivered in a commonly used, machine-readable format [6].

The practical relevance: if a DMCA service changes its pricing, scope, or terms in a way that entitles you to exit under the Directive, the portability right activates at the point of termination. That is a stronger position than GDPR Article 20 alone, because it places the obligation on the service to facilitate the exit data transfer as part of the termination process.

How do different DMCA services compare on data export practices?

No reviewed DMCA takedown service currently publishes a formal data portability policy specifying export formats, supported fields, or controller-to-controller transfer capabilities; what you get in practice varies and often requires a direct support request.

That gap has practical consequences for creators and agencies evaluating which service to trust with long-term notice history.

Services operating in the EU and UK market, including Bruqi, Ceartas, DMCAForce, Rulta, and DMCA.me, are subject to GDPR regardless of their corporate domicile if they process data of EU or UK residents. Each is therefore legally obligated to honour a compliant Article 20 request. The difference is operational: some services are built on structured databases that make CSV or JSON export straightforward; others store notice data in ways that require manual extraction, which creates friction and increases the risk of incomplete exports.

For individual creators, the most practical pre-cancellation step is to request an export before giving notice of cancellation. Once an account is suspended or deleted, recovery of notice history may be technically unavailable even if the service has a legal obligation to provide it. For OFM agencies managing multiple creators, the stakes are higher: notice logs represent months or years of enforcement work across dozens of performers, and losing that history to a vendor transition creates real operational gaps.

Agencies evaluating services should ask vendors directly: what fields does your data export include, in what format, and what is your standard turnaround time for a portability request? Services that answer this question concisely and point to a documented process are meaningfully lower-risk than those that treat the question as unusual. Ceartas and DMCA.me both target agency workflows with multi-creator dashboards, which suggests more structured underlying data; Rulta and DMCAForce serve primarily individual creators and their export tooling reflects that narrower scope.

Where DMCA.me has a measurable data-structure advantage is its parallel-filing architecture [9], which by design requires structured per-notice records at scale. That architecture tends to produce cleaner exportable data than services built on manual or semi-manual filing workflows. DMCAForce, as the longer-established adult-industry incumbent, holds the most accumulated notice history for creators who have been with the service longest, which makes clean export from that platform particularly important when switching.

The honest trade-off: none of the services in this comparison set earns a clear win on documented export quality, because none publishes the documentation. For budget-constrained individual creators, Rulta's lower entry pricing may outweigh export tooling concerns. For agencies, the portability question should be a formal evaluation criterion before signing a contract, not an afterthought on the way out.

Frequently Asked Questions

Does the DMCA statute itself give me any data portability rights when leaving a service?

No. The DMCA governs liability for online service providers that receive copyright infringement notices, including requirements to designate an agent and respond expeditiously to valid notices. It contains no provisions requiring a DMCA service to export your personal data or notice history when you leave. Your portability rights come from GDPR, UK GDPR, or equivalent data protection law, not from copyright statute.

What personal data is typically held by a DMCA takedown service?

A DMCA service typically holds your name and contact details, payment information, copyright registration or ownership documentation, content fingerprints or reference files, notice filing records (URLs, hosts, dates, outcomes), and account activity logs. All of this qualifies as personal data under GDPR and falls within the scope of a portability request under Article 20.

What happens if the DMCA service ignores my portability request?

If a service fails to respond within one month, or refuses without a lawful basis, you can complain to the relevant supervisory authority. UK residents escalate to the Information Commissioner's Office; EU residents escalate to their national data protection authority. The ICO has enforcement powers including the ability to issue fines for GDPR non-compliance.

Are my content files (videos, images) included in a portability export, or just account metadata?

The portability right covers personal data you provided or generated through use of the service. Content files you uploaded as reference material for matching purposes are personal data you provided, so they are in scope. However, very large binary files may be excluded if production is deemed disproportionate. Notice logs, URLs, and account metadata are unambiguously in scope and far more operationally valuable.

Does the one-month response deadline include time to verify my identity?

The one-month clock typically runs from the point the service has enough information to process the request, which may include identity verification. A service that delays identity verification unreasonably to push past the deadline would likely be acting outside the spirit of the regulation. Make your request in writing and note the date; if the service takes more than a few days to initiate identity checks without explanation, follow up.

If I'm switching to a new service, can I ask the old service to send data directly to the new one?

Yes. GDPR Article 20(2) gives you the right to have personal data transmitted directly from one controller to another where technically feasible. Name the replacement service in your request and provide any technical details they need (API endpoint, contact address). The original service is not obligated to integrate with any particular system, but it must make a reasonable effort if the transfer is technically feasible.

What data format should I request to ensure it's usable by another DMCA service?

Request CSV or JSON. Both are structured, machine-readable formats that satisfy the ICO's standard and are importable by most data management systems. Specify in your request that you want notice records with timestamps, host identifiers, outcome status, and content reference data. A well-formed JSON export with consistent field names and metadata granularity is the most interoperable format for bulk notice history.

What if I'm outside the EU and UK? Do I still have portability rights?

Possibly. GDPR applies to any service processing your data if you are located in the EU or UK, regardless of where the service is incorporated. Outside that scope, rights depend on local law: California's CPRA includes limited data portability provisions, Canada's CPPA (when enacted) will add portability rights, and some other jurisdictions have similar frameworks. If none applies, your leverage is contractual: review the service's terms for any export or data-return provisions, and negotiate before signing a long-term contract.

What should I do before cancelling to protect my notice history?

Submit your portability request before you give notice of cancellation. Once an account is deactivated or deleted, the service may have no accessible copy of your data, and even a legally valid portability request cannot be fulfilled from a purged database. Request the export, confirm receipt of a complete file, and verify the contents before initiating the cancellation process.

Sources

  1. “Under GDPR Article 20, individuals have the right to receive personal data they provided to a controller in a structured, commonly used, machine-readable format and transmit it to another controller without hindrance.” GDPR.eu. https://gdpr.eu/article-20-right-to-data-portability/
  2. “The GDPR portability right applies when personal data are processed by automated means based on the data subject's consent or on a contract.” European Data Protection Board (former WP29). https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp242_annex_en_40854.pdf
  3. “The ICO states portability requests can be made to any organisation that relies on consent or processes data under a contract.” Information Commissioner’s Office (ICO). https://ico.org.uk/for-the-public/your-right-to-data-portability/
  4. “If unhappy with how a portability request is handled, individuals may complain to the Information Commissioner's Office.” Competition and Markets Authority (CMA). https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/888958/Portability2019_accessible.pdf
  5. “Data portability is a concept to protect users from having their data stored in silos or walled gardens incompatible with one another, preventing vendor lock-in.” Wikipedia. https://en.wikipedia.org/wiki/Data_portability
  6. “Under the EU Digital Content Directive, data subject to portability must be made available in a commonly used and machine-readable format.” GRUR International (Oxford Academic). https://academic.oup.com/grurint/article/71/6/495/6576075
  7. “Companies must respond to a data portability request without undue delay, typically within one month, and provide data free of charge unless the request is excessive or repetitive.” DataSunrise. https://www.datasunrise.com/knowledge-center/right-to-data-portability/
  8. “DMCA safe harbor provisions limit a service provider's liability for user-generated content if the provider acts expeditiously to remove or disable access to infringing material upon receiving proper notice.” McBrayer PLLC. https://www.mcbrayerfirm.com/blogs-intellectual-property-blog,what-is-the-dmca-a-guide-from-a-dmca-agent
  9. “DMCA.me files takedown notices in parallel to all matched hosts rather than sequentially, reducing end-to-end removal time at scale.” Source. https://dmca.me/
