Data Protection Stories  3, Data Protection Stories

Helping individuals take control of their data

Digital rights organizations are helping individuals exercise their rights under the GDPR

Context

The Issue

Companies collect massive amounts of personal information on their users, but this data is often extremely challenging for users to obtain. Even though data protection laws have generally given people the right to access their data, a number of barriers exist for exercising this right in practice.

The Role of the GDPR

Under the GDPR, individuals whose data are processed by organizations or corporations in EU member states have the right to access, correct, delete or move this data. The GDPR has strengthened the rights individuals hold over their data across the EU by removing fees for filing requests and imposing significant financial penalties for non-compliance. However, filing a data request still requires familiarity with inaccessible, technical legal processes. Digital rights groups are addressing this by creating easy-to-use tools that generate data requests users can send to companies.

Key Takeaways

In addition to raising public understanding around exercising their data rights, these tools provide an avenue for applying collective pressure on corporations to improve their internal data practices. However, many people still lack an understanding of how exercising these rights are relevant to their day-to-day lives. An important step for increasing the impact of these tools will be helping people connect the dots between the data collected by companies and consumers’ everyday lives—beyond abstract notions of “data rights”. Moving forward, it will be important for these initiatives to reach communities most adversely affected by state and corporate data collection.

Published August 16, 2019

A couple of years ago, the Guardian published an account of journalist Judith Duportail’s efforts to access her personal data stored by the smartphone dating app Tinder. After some help from privacy advocate Paul-Olivier Dehaye and human rights lawyer Ravi Naik, Duportail was able to access 800 pages of information the dating app had stored on her. This included the number of times she’d opened the app, a log of all the messages she’d ever sent, her educational background, pages she’d liked on Facebook and more. 

The story went viral and became part of a growing public dialogue concerning the lack of agency consumers have over their personal data. Data held by a dating app may feel particularly creepy, but Tinder is just one company of many holding massive amounts of information on its users. For the most part, all of our personal data collected by ride-hailing apps, social media platforms, credit agencies and insurance companies has remained largely inaccessible—until recently

Strengthened data rights under the GDPR, but barriers still exist

The data rights landscape has changed since Duportail’s story was first published. Accessing one’s personal data in the EU has become slightly easier—though not without challenges—since the implementation of the General Data Protection Regulation (GDPR) in May 2018, which strengthened individuals’ data rights across the EU. Under the GDPR, data subjects in the EU have the right to access their personal information from companies and organisations, along with details on whether, how, where and why that data is being processed, how their data is sourced, and where their data is sent. People also have the right to update incomplete or incorrect information held about them. Under certain circumstances, individuals can have their personal data erased, like when it is no longer necessary or consented to or if it has been unlawfully processed. 

While many of these rights already existed under previous data protection laws, the GDPR carries strong financial penalties for non-compliance, and organisations are taking their data practices more seriously in response. The GDPR also required the removal of fees for processing standard subject access requests, thus minimising financial barriers to submitting requests. Of course, filing a request still requires familiarity with often inaccessible, technical, legal language. It also requires social privilege: many people do not have the time, capacity or support to navigate an often confusing and lengthy process. 

Building capacity for individuals to take back control of their data 

Digital rights groups and advocates are responding to this challenge by developing tools that level the playing field and help data subjects in the EU exercise their rights under the GDPR. Last October, Dutch digital rights organisation Bits of Freedom launched My Data Done Right, a platform which helps people generate requests to access, correct, erase or move personal data held by over 1,500 companies and organisations in the EU. The platform is simple to use, asking users a series of questions about the data they want to access, correct, delete or move. It then generates a customised request letter that can be sent to the organisation in question. Their database includes major corporations such as Google, Facebook, Microsoft, UPS and Uber. Since its launch, My Data Done Right has already generated over 17,000 requests. 

Along a similar vein, the Data Rights Finder, developed by the Open Rights Group (ORG) and Projects by IF,  provides explanations of privacy policies of major financial companies in the EU. Similar to My Data Done Right, the tool provides templates for requests to access, delete, change or export data that an organisation holds about individuals. When we spoke to Ed Johnson-Williams from ORG about lessons learned from developing this tool, he pointed to a key gap identified in their user testing: many people had no idea that they had rights over their personal data—even though many of these laws have existed for decades before the GDPR. Even when these rights were explained to them, most people were unable to think of relevant use cases for exercising them. 

This is an important lesson for anyone working on similar data rights tools: increasing the impact of these tools will require helping people connect the dots between the data collected by companies and their everyday lives. How is my insurance rate or credit score calculated? What do political parties know about me? Or in the case of Duportail — what on earth has Tinder been able to collect about me, and what kind of information would people be privy to if it were leaked?  

Individuals data rights, collective power

In addition helping individuals understand the personal relevance of their data rights, there is also an opportunity for civil society to recognise how these rights can be exercised collectively. Paul-Olivier Dehaye, the privacy expert behind the Tinder story and founder of PersonalData.io, pointed to the “power in launching a crowd towards a specific company” when discussing the GDPR’s potential impact with us last month. In other words: a company without a robust system for handling subject access requests will be forced to address this when a mass of people suddenly start filing requests to their organization. 

Dehaye is not alone in this thinking. Access My Info—a personal data access request tool launched in Canada and Hong Kongdescribes access requests as an avenue for collective people power. They explain how a community of people submitting access requests can pressure them to improve internal data practices. According to their website, requests from Access My Info have already pushed Canadian telecom companies to increase transparency around how they disclose personal data to law enforcement and state actors. 

A collective approach to data rights has also been explored in Germany. Last year, OpenSCHUFA launched a public data donation campaign to understand the inner workings of SCHUFA, the country’s biggest private credit bureau. The project aimed to shed light on how credit scores are calculated—a number that impacts many aspects of everyday life, from getting loans approved to being eligible for renting an apartment. Over 4000 members of the public submitted their SCHUFA data to the project, obtained through individual subject access requests. Arne Semsrott, one of the project leads, says helping people leverage their agency and request their personal data was a highlight of this work. However, OpenSCHUFA also acknowledges a key limitation of the campaign: it was primarily young men from urban areas donating their data. The lack of diversity made a nuanced analysis of potential discrimination from SCHUFA scores impossible.

This raises an important point for data rights tools more broadly. While many have reduced barriers to submitting data access requests, more work is needed to ensure that the benefits are equitably distributed. To truly level the playing field, it will be important for data rights tools and capacity-building initiatives to reach, and be useful to, diverse communities—especially vulnerable groups most adversely affected by corporate data collection practices. 

Acknowledgements

We connected with many digital rights groups and privacy experts in researching this piece. Their perspectives informed our understanding of individual data rights, under the GDPR and beyond. Thank you to Paul-Olivier Dehaye (PersonalData.io), David Korteweg (Bits of Freedom), Matthew Rice and Ed Johnson-Williams (Open Rights Group), Arne Semsrott (OpenSCHUFA), and Cynthia Khoo (Citizen Lab) for being generous with their time and knowledge.