The right to data portability in practice: exploring the implications of the technologically neutral GDPR

Wong, Janis; Henderson, Tristan

doi:10.1093/idpl/ipz008

Cited by 30 publications

(43 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In line with our findings, previous studies report various anomalies, poor practices, and severe compliance issues on the side of the data controllers, resulting in low rates of satisfying responses to data subject requests [1,10,19,24,34,37]. Besides a widespread unwillingness or inability to provide the requested data in time [2,10,34,37], researchers have observed the use of inappropriate file formats for the transfer of personal data [42], instances of personal information leakage to impostors [7,10], issues concerning the language and clarity of interactions [24], and unsafe procedures to authenticate data subjects [4,25]. In some cases, researchers were not even able to locate the contact details of data controllers, rendering any request submission impossible from the outset [17,24].…”

Section: Related Worksupporting

confidence: 87%

“…Existing research-based suggestions and recommendations for data controllers need to be compiled into actionable guidelines and distributed in a form that makes them digestible for small-and medium-sized organizations, such as app vendors. This includes, in particular, guidance on how to authenticate data subjects safely [4,7,25], how to transfer personal data [42], and how to facilitate the submission of requests [2,10,17]. It should be a key objective to replace the error-prone manual processing of data subject requests with automated and standardized interfaces for obtaining personal data and other privacy-related information.…”

Section: Discussionmentioning

confidence: 99%

“…Numerous studies have examined how data controllers react to data subject requests in practice. In these studies, test requests for data access, erasure, and/or portability were either sent to specific types of organizations, such as CCTV operators [34], smartphone app vendors and website owners [10], online tracking companies [37], or to a broad range of public and private sector organizations [1,2,18,19,24,42,43].…”

Section: Related Workmentioning

confidence: 99%

“…In [24], investigations were carried out in ten different EU member states and, in addition to the quantitative evaluation, a detailed case-by-case assessment is provided for individual data controllers. With the exception of [1], [37] and [42], the above-referenced studies were conducted prior to the GDPR coming into force. Also, in contrast to our study, none of the existing publications offers a multi-year longitudinal evaluation over a constant set of data controllers.…”

Section: Related Workmentioning

confidence: 99%

“…One crucial ethical aspect of undercover field studies is that resources of the studied subjects are consumed without their consent -namely, in our case, the working time of employees of the examined app vendors. However, as in related studies [1,2,10,24,37,42], the covert approach was necessary to test the behavior of the vendors under realistic conditions and to prevent a research participation effect [20]. It can be assumed that employees of the investigated companies would have put more care and diligence into answering our inquiries if they had known about the nature of our study.…”

Section: Ethical Considerations and Limitationsmentioning

confidence: 99%

See 4 more Smart Citations

How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps

Kröger

Lindemann

Herrmann

2020

Proceedings of the 15th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

EU data protection laws grant consumers the right to access the personal data that companies hold about them. In a first-of-itskind longitudinal study, we examine how service providers have complied with subject access requests over four years. In three iterations between 2015 and 2019, we sent subject access requests to vendors of 225 mobile apps popular in Germany. Throughout the iterations, 19 to 26 % of the vendors were unreachable or did not reply at all. Our subject access requests were fulfilled in 15 to 53 % of the cases, with an unexpected decline between the GDPR enforcement date and the end of our study. The remaining responses exhibit a long list of shortcomings, including severe violations of information security and data protection principles. Some responses even contained deceptive and misleading statements (7 to 13 %). Further, 9 % of the apps were discontinued and 27 % of the user accounts vanished during our study, mostly without proper notification about the consequences for our personal data. While we observe improvements for selected aspects over time, the results indicate that subject access request handling will be unsatisfactory as long as vendors accept such requests via email and process them manually. CCS CONCEPTS • Security and privacy → Social aspects of security and privacy; Privacy protections; • Social and professional topics → Privacy policies.

show abstract

Section: Related Worksupporting

confidence: 87%

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Ethical Considerations and Limitationsmentioning

confidence: 99%

See 3 more Smart Citations

How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps

Kröger

Lindemann

Herrmann

2020

Proceedings of the 15th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

show abstract

Can the principle of the ‘right to be forgotten’ be applied to academic publishing? Probe from the perspective of personal rights, archival science, open science and post‐publication peer review

Teixeira da Silva,

Nazarovets

2023

Learned Publishing

View full text Add to dashboard Cite

In this paper, we reflect on how the principle of the ‘right to be forgotten’ (RTBF), specifically the right to erasure as enshrined in Article 17 (and to some extent Art. 19 and Art. 21) of the General Data Protection Regulation (GDPR; Regulation (EU) 2016/679), or the right to delete undesirable, unflattering or reputation‐damaging archived records of oneself from search engines or databases, might apply to academic publishing. In particular, we focus on archival (library and information) science, post‐publication peer review, and reflect on whether RTBF is compatible with open science principles. Even though RTBF became enshrined in EU law in 2018, its trans‐Atlantic export to the United States faces resistance because it is seen as being incompatible with First Amendment rights. We ponder the pertinence of the debate regarding local versus global applicability of RTBF when considering the transnational nature of some collaborative research. Although RTBF applies broadly to search engines such as Google, we question whether authors have this right and also whether publishers are subjected to this law with respect to science databases, or even ‘local’ (i.e., publisher‐controlled) archives, especially in the light of retractions or withdrawals, in which data and files are removed from a preprint or journal's website or, in extreme cases, where all or most bibliometric information is scrubbed clean, as in the case of ‘silent retractions’. We extend our reflections further to appreciate whether authors or editors are entitled to RTBF in extreme instances of misconduct or fraud. The fundamental right to privacy and personal choice, as is suggested by (or enshrined in) RTBF, is not—in our view—compatible with several principles related to the integrity of data and information, or even their preservation, and may be diametrically opposed, depending on the situation. We encourage wider debate on this budding pertinent issue as a fundamental aspect of academic rights and freedoms.

show abstract

Enhancing Citizen Participation Through Data Subject Right Delegation

Habu,

Henderson

2024

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The right to data portability in practice: exploring the implications of the technologically neutral GDPR

Cited by 30 publications

References 9 publications

How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps

How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps

Can the principle of the ‘right to be forgotten’ be applied to academic publishing? Probe from the perspective of personal rights, archival science, open science and post‐publication peer review

Enhancing Citizen Participation Through Data Subject Right Delegation

Contact Info

Product

Resources

About