Shattering one-way mirrors – data subject access rights in practice

The right of access occupies a central role in EU data protection law’s arsenal of data subject empowerment measures. It can be seen as a nec- essary enabler for most other data subject rights as well as an important role in monitoring opera- tions and (en)forcing compliance. Despite some high-profile revelations regarding unsavoury data processing practices over the past few years, access rights still appear to be under- used and not properly accommodated. It is espe- cially this last hypothesis we tried to investigate and substantiate through a legal empirical study. During the first half of 2017, around 60 informa- tion society service providers were contacted with data subject access requests. Eventually, the study confirmed the general suspicion that access rights are by and large not adequately accommo- dated. The systematic approach did allow for a more granular identification of key issues and broader problematic trends. Notably, it uncov- ered an often-flagrant lack of awareness; organi- zation; motivation; and harmonization. Despite the poor results of the empirical study, we still believe there to be an important role for data subject empowerment tools in a hyper-complex, automated, and ubiquitous data-processing ecosys- tem. Even if only used marginally, they provide a checks and balances infrastructure overseeing controllers’ processing operations, both on an indi- vidual basis as well as collectively. The empirical findings also allow identifying concrete suggestions aimed at controllers, such as relatively easy fixes in privacy policies and access rights templates.

Publication year:2018

BOF-keylabel:yes

IOF-keylabel:yes

BOF-publication weight:6

CSS-citation score:2

Authors:International

Authors from:Higher Education

Accessibility:Open