The debate about how to govern personal data has intensified in recent years. The European Union’s General Data Protection Regulation, which came into effect in May 2018, relies on transparency mechanisms codified through obligations for organisations and citizen rights. While some of these rights have existed for decades, their effectiveness is rarely tested in practice. This paper reports on the exercise of the so-called right of access, which gives citizens the right to get access to their personal data. We study this by working with participants—citizens for whom the law is written—who collectively sent over a hundred data access requests and shared the responses with us. We analyse the replies to the access requests, as well as the participants' evaluation of them. We find that non-compliance with the law's obligations is widespread. Participants were critical of many responses, though they also reported a large variation in quality. They did not find them effective for getting transparency into the processing of their own personal data. We did find a way forward emerging from their responses, namely by looking at the requests as a collective endeavour, rather than an individual one. Comparing the responses to similar access requests creates a context to judge the quality of a reply and the lawfulness of the data practices it reveals. Moreover, collective use of the right of access can help shift the power imbalance between individual citizens and organisations in favour of the citizen, which may incentivise organisations to deal with data in a more transparent way.
- Access rights
- Privacy measurement
- General Data Protection Regulation
- Data governance