
03.06.2024

[Students Policy Brief] GDPR: A critical investigation of data subject rights

Data subject rights (credits: Data Privacy Manager)

By Maryliz Abolou, Hamza Belgroun, Joshua Bernstein, Ellie Copeland, Janine Ecker, Nicolas Julian, Maria Chiara Liviano D’Arcangelo and Raja Madani, students in the Master in Public Policy, Digital, New Technology and Public Policy stream

The Digital, Governance and Sovereignty Chair publishes, on a regular basis, the finest essays and papers written by Sciences Po students in the course of their studies.

This Policy Brief has been selected as one of the best works written during the course taught by Prof. Suzanne Vergnolle “Tech Regulation in Europe and Beyond” in Spring 2024.


The General Data Protection Regulation (GDPR) has been in force since 2016, but are data subject rights really that easy to exercise?

In an age where personal data is both ubiquitous and invaluable, data protection is a constant concern. In Europe, regulations such as the GDPR play a vital role in safeguarding individual rights by establishing standards for data privacy, security, and accountability. They empower individuals to exercise their so-called data subject rights, which have become essential for taking control in an environment where personal data holds immense value. But what exactly happens when individuals try to claim their GDPR rights?

This is what our class, specialising in the ‘Digital, New Technology and Public Policy’ stream of Sciences Po’s Master in Public Policy, wanted to find out as part of Prof. Suzanne Vergnolle’s “Tech Regulation in Europe and Beyond” course. As part of a hands-on study, the students in the class tried exercising different data subject rights by formulating requests to over twenty platforms and websites of different sizes (see Appendix 1), in order to assess the extent to which they comply with the GDPR. Coming into force in 2016, the GDPR is a landmark piece of legislation. In its Articles 12 to 22, it outlines fundamental data subject rights, including the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing. We tried exercising most of them, with mixed outcomes.

Upon deeper examination, it becomes clear that the system is filled with complexities and that exercising data rights might not be as straightforward as a data subject would hope or assume. In what follows, we share our experiences and outline the outcomes of navigating this complex legal landscape, providing insights and lessons learned.

Investigation

Interestingly, large companies often present a standardised approach. They may even offer the possibility to directly download one’s data on the platform/website itself without lengthy communication or special requests. This was notably the case with platforms such as LinkedIn, Facebook, and YouTube.

However, what may appear to be a straightforward process can be deceiving. Even large organisations can present challenges: incomplete responses or overly complex procedures can create obstacles for the user. While the right of access might be relatively straightforward, exercising other rights such as data portability or erasure can be time-consuming and require technical know-how, leaving those less familiar with technology at a disadvantage.

Things get even trickier when dealing with smaller entities such as universities or small enterprises. These organisations often lack the infrastructure and resources for efficient data management. This was notably the case for a student who tried to exercise their right directly on the Sciences Po website and was left without an answer for weeks. With this kind of organisation, non-compliance rates rise and response times can stretch significantly.

Another factor worth noting is that the user experience differs between applications and websites, as some functions are restricted to one mode of access. In our investigation, we found that automated processes for data access proved far more efficient than email exchanges, highlighting the limitations of human intervention. Non-compliance issues arise when human interaction is involved, for example when data controllers request justifications for data access requests (a practice not envisioned by the law).

Despite the difficulties, students exercising their rights generally reported satisfaction with the outcome, suggesting a trade-off between effort and control.

Discussion

Several critical issues emerged from our experience. Firstly, how do we guarantee access to the data of deceased individuals? Secondly, the burden of proof falls on the individual to demonstrate the absence of data, a near-impossible task. The extensive legal exceptions add further complexity. Additionally, the definition of “legitimate interest”, a justification for data retention, remains ambiguous. While some companies offer additional options and formats for data retrieval and portability (practices exceeding legal requirements), the fundamental question remains: how do we ensure that the data provided is complete and exhaustive?

All in all, our investigation of the exercise of the GDPR’s data subject rights across various platforms and websites has shown that managing personal information comes with both conveniences and challenges. For the most part, students reported satisfaction in exercising their rights, although difficulties were encountered in a number of cases. Overall, the exercise has given us valuable insights and broadened our understanding of the topic. Open questions about data access and rights highlight the need for further exploration and analysis.

___________________________________________________________________________

Appendix 1: List of platforms in alphabetical order with the relevant GDPR articles that were tested:

1. Airbnb – Transparency and Erasure (Articles 12-14 & 17)

2. BeReal – Access (Article 15)

3. eBay – Transparency and Erasure (Articles 12-14 & 17)

4. Etsy – Access (Article 15)

5. Fitbit – Erasure (Article 17)

6. Google – Access (Article 15)

7. Instagram – Access and Erasure (Articles 15 & 17)

8. LinkedIn – Transparency and Portability (Articles 12-14 & 20)

9. Meta/Facebook – Portability (Article 20)

10. MTCH Technology Services Ltd (Hinge) – Portability (Article 20)

11. Oracle – Portability (Article 20)

12. Perplexity – Access and Erasure (Articles 15 & 17)

13. Sciences Po Moodle – Access (Article 15)

14. Signal – Transparency, Erasure and Portability (Articles 12-14, 17 & 20)

15. Telegram – Erasure (Article 17)

16. Tumblr – Privacy Directive (Article 6)

17. VeraLab newsletter – Portability (Article 20)

18. Vinted – Transparency and Access (Articles 12-14 & 15)

19. X – Access (Article 15)

20. YouTube – Transparency and Portability (Articles 12-14 & 20)
