Abstract
With the GDPR in force in the EU since May 2018, companies and administrations need to be vigilant about the personal data they process. The new regulation defines rights for data subjects and obligations for data controllers but it is unclear how subjects and controllers interact concretely. This paper tries to answer two critical questions: is it safe for a data subject to exercise the right of access of her own data? When does a data controller have enough information to authenticate a data subject? To answer these questions, we have analyzed recommendations of Data Protection Authorities and authentication practices implemented in popular websites and third-party tracking services. We observed that some data controllers use unsafe or doubtful procedures to authenticate data subjects. The most common flaw is the use of authentication based on a copy of the subject’s national identity card transmitted over an insecure channel. We define how a data controller should react to a subject’s request to determine the appropriate procedures to identify the subject and her data. We provide compliance guidelines on data access response procedures.
Notes
1. Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, Case C-131/12, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62012CJ0131&from=EN.
2. Alexa measures web traffic and provides a ranking of the websites with respect to their traffic: https://www.alexa.com/topsites, extracted in October 2018.
3. Point 2.3 of the Terms of Service, https://help.mail.ru/mail-help/UA (available only in Russian).
4. TOR is an anonymity network that directs Internet traffic through a worldwide overlay network, so the IP address of the user’s device is not visible to the server that receives requests from the user: www.torproject.org.
Acknowledgments
This work is supported by the French National Research Agency in the framework of the Investissements d’Avenir program (ANR-15-IDEX-02) and project PrivaWEB (ANR-18-CE39-0008-01), as well as the ANSWER project PIA FSN2 (P159564-2661789\DOS0060094).
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Boniface, C., Fouad, I., Bielova, N., Lauradoux, C., Santos, C. (2019). Security Analysis of Subject Access Request Procedures. In: Naldi, M., Italiano, G., Rannenberg, K., Medina, M., Bourka, A. (eds) Privacy Technologies and Policy. APF 2019. Lecture Notes in Computer Science, vol 11498. Springer, Cham. https://doi.org/10.1007/978-3-030-21752-5_12
DOI: https://doi.org/10.1007/978-3-030-21752-5_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-21751-8
Online ISBN: 978-3-030-21752-5
eBook Packages: Computer Science, Computer Science (R0)