Subject access requests are surging under lockdown, making it harder than ever for companies to meet all the requirements of GDPR rules. Ben Heubl discovers what one technology giant has on him and investigates how firms are coping under the extra pressure.
The email I have been waiting for finally drops into my inbox. In March I asked Amazon for access to all the data it holds on me and now, the email informs me, it’s ready for collection.
Under GDPR rules, anyone with an Amazon account can do this. All it needs is a personal Data Subject Access Request or DSAR. However, this right brings unforeseen power for individuals and extra responsibilities and costs for companies.
DSAR covers any recorded interactivity a company had with an individual. It can be expensive for companies but large ones like Amazon have an advantage because they can automate the process more easily. Amazon’s customer service portal allowed me to make the initial request. Other smaller companies will receive emails and have to juggle responses. You can no longer just send Amazon an email to get your data.
There is also a time window. Firms have 30 days to respond. Amazon’s reply to me comes weeks after the deadline passes – a sign that perhaps even the large players crumble under additional Covid-19 pressure. So far, the UK regulator seems unperturbed. The Information Commissioner’s Office (ICO) warns people that delays are possible.
My annoyance with Amazon’s breaching my DSAR deadline is quickly replaced by the excitement of what I will be able to find in my very own data repository. It’s full of Excel spreadsheets. I am not a frequent Amazon shopper and I am surprised how much data there is.
Despite my fairly limited use of Amazon’s offering over the past two years the company still managed to collect a whopping 13.9 megabytes in 86 data items. In comparison, 100,000 Excel rows with 20 columns amounts to around 11MB.
The largest file is called ‘device kindle reading action’. I installed the Kindle app shortly before the lockdown began. After just a few days on the Kindle Android reading a single book, 84,000 rows of interactions were recorded. This is the largest file in the repository.
Amazon thought it necessary to track every page turn to the millisecond. It also tracked every time I scrolled, every time I highlighted something, paused in reading, when I started the apps and a bunch of other events.
The East German Ministry for State Security (STASI) kept files on only 5.6 million people. There are many more millions of Kindle readers, but Amazon has to comply with DSARs that the STASI didn’t have to worry about.
Ever since GDPR came into force in May of 2018, pundits have warned that Internet of Things (IoT) devices and their vast data-collection capabilities will increase companies’ GDPR responsibilities. Sensors capturing every piece of information from the surrounding environment fall under personal information. When individuals ask for them firms have to be ready. That’s not an easy task.
“Concerns about privacy and data breaches have never been so vital”, argued the authors of a BT research and innovation paper in 2018.
What’s it all for? How much value can individuals retrieve from this most granular data? How many shoppers will ever find out anything beyond the obvious fact that the corporate appetite for data is growing? Also, would we ever know if anything was missing, fake or false?
There are signs we should be more sceptical about what we receive. In 2018, New York Times reporters in the UK and the US launched similar DSARs towards a number of tech companies, including Amazon. Responses varied dramatically in size. Tech companies in the US tended to give out fewer data points than their colleagues in the UK.
Guidance on how to execute DSARs remains woolly, argues Matt Lock, director of sales engineers at Varonis, a company that assists other firms in running risk assessments on the personal data that firms hold.
So far, such regulatory woolliness has played in companies’ favour. One way many companies get around complying with the law under pressure is by cherry-picking the data they respond with. This way firms can still meet their 30-day deadline. That may not be fair but that’s reality, experts say. If the filer remains unsatisfied with the response they are welcome to get in touch again. No cases are known where UK firms have been fined for handing over only a share of the data.
Reading and interpreting the data is hard, too. I find Amazon’s data table columns are badly annotated. Some are self-evident. Many aren’t. The power lies with the company rather than the individual. There is no law requiring firms to make their data easy to read.
Companies know what data they have on us and it’s easy for them to analyse it. That’s not so for consumers who aren’t data scientists.
Take my WhatsApp chat history with my mother. I requested data from Facebook’s WhatsApp text messaging service and filtered out text messages with my mum over the past 18 months. Each message has a timestamp. With some data wizardry I can draw a daily WhatsApp texting routine.
My mother tends to get up early and texts me in the morning. I usually respond to a conversation later in the day or in the evening, when she is already asleep. I have no doubt that WhatsApp already knows this about me. But does it do anything about it?
The world is WhatsApp’s oyster. It may react to me breaking the daily routine. It may serve different ads at times when I am most active. It could do the same for my mother. But the truth is: we don’t know. Also, what worries me is that my mother’s information is there at all. Anyone who has access to my personal data could also mine my mum’s data. In other words, it could put her at risk if I am not careful with my data.
Even before Covid-19, complying with DSARs was a battle. A survey from 2019 found 62 per cent of London enterprises experienced a surge in DSARs over the first year since GDPR kicked in in 2018.
Now new research claims substantial costs are involved. Companies with more than 5,000 employees can spend as much as £1.58m or 14 person-years annually on responding to data subject access requests, according to research commissioned by Guardum, a data-security firm.
Straightforward requests like mine are not why companies struggle. More complex requests drive up costs. Those tend to come from staff or ex-employees, says Rob Westmacott, DSAR expert at Guardum.
Previously laid-off or fired staff have an incentive to file more complex and ambitious DSAR requests, he says. Employment lawyers advise clients that the first move when being dismissed is to access the personal data their employers hold. It can help to build a case against the firm and aid in redundancy settlements.
Covid-19 made a bad situation worse. The number of DSARs increased as more people got laid off or furloughed. Those stuck at home with more time on their hands in lockdown filed more requests, just for the heck of it, Westmacott thinks. The privacy issues around contact-tracing apps also stimulated curiosity.
The government’s NHS contact-tracing app still attracts criticism from privacy advocates. Keeping data secure has not been the NHS’s strongest side. One recent poll found that less than half of the population is confident in how the government handles the situation.
Lockdown complicates compliance among firms. With staff out of their office spaces, access to paper files stored in archives is limited. 75 per cent of data protection officers polled say they struggle to meet data compliance obligations whilst working remotely, Guardum says.
Despite these difficulties in responding, the ICO left the compliance window unchanged at 30 days, Westmacott says. “They understand the logistical hurdles people have to go over because of the pandemic” but failed to act.
It’s unlikely the ICO will enforce fines for those firms that don’t comply during the pandemic. Yet, most law firms will strongly advise their corporate clients to keep trying to comply with the 30-day response window despite this leniency.
“Covid-19 pandemic has tipped an already dire situation into a potential melting pot of requests, with fears that the return to work and the ensuing post-mortem by furloughed and sacked workers will overwhelm data compliance teams,” says Westmacott.
The ICO has been reluctant to impose draconian fines on companies for failing to comply with DSAR requests. But the stakes are high. On paper, fines could be as high as €20m or 4 per cent of the total annual worldwide turnover in the preceding financial year, whichever is higher.
In the current climate this is still inconceivable. The regulator prefers punishing other groups of culprits first. At the top of the list are those in the ad and tech business for mismanagement of cookie consents and those that fail to report data breaches within the given period. But Westmacott thinks it’s just a matter of time until the ICO will enforce fines. The French data protection regulator CNIL punished Google with a €50m fine for murky data consent policies.
If more frequent and complex requests aren’t enough, there is also the issue of phoney DSARs.
Matt Lock says fake DSARs are a real problem. More companies became aware of it after an Oxford-based researcher obtained a vast amount of personal information via impersonated DSAR requests for his fiancée last year.
Medium and smaller companies are especially vulnerable, this example highlighted: those that “didn’t have much of a specialised process”, James Pavur, the researcher, told the BBC. A quarter of his 83 requests to firms that held data on his partner yielded personal information without the requester’s identity being verified.
If someone could access the response to my Amazon DSAR request, they’d find out where I live, where my parents live, my daily reading routines and many other more intricate details about my everyday life.
Experts say cyber criminals often make use of fake DSARs to prepare and refine their malicious attacks towards individuals. What provides cyber security specialists with some solace, at least for now, is that cyber criminals still struggle with automating their fake requests, which limits their possibilities.
How do large companies like Amazon protect your data? They put special security measures in place to deter criminals. I had to enter my password, decrypt a set of letters and numbers to prove I am not a robot and confirm a numeric code via a phone message or call to access my data on Amazon. Others ask for photo ID or other personal identifying evidence. This makes it slightly more cumbersome for the individuals. But we all should be thankful. After all it reduces the odds that criminals get access to you and whoever has their data inside your repository – like my mum.
The future of DSARs will become messier. More curious people like me – and those who intend to sue their old employers – will enquire more, not less. This leaves companies in a difficult spot once regulators start to become serious about fines.
Firms that can afford to automate will have a better chance to reduce costs. Those that can’t will need to think hard how they are going to stay within the law.