Abstract
The right of access under Art. 15 of the General Data Protection Regulation (GDPR) grants data subjects the right to obtain comprehensive information about the processing of personal data from a controller, including a copy of the data. Privacy dashboards have been discussed as possible tools for implementing this right, and are increasingly found in practice. However, investigations of real world implementations are sparse. We therefore qualitatively examined the extent to which privacy dashboards of ten online services complied with the essential requirements of Art. 15 GDPR. For this, we compared the information provided in dashboards with the information provided in privacy statements and data exports. We found that most privacy dashboards provided a decent initial overview, but lacked important information about purposes, recipients, sources, and categories of data that online users consider to be sensitive. In addition, both the privacy dashboards and the data exports lacked copies of personal data that were processed according to the online services’ own privacy statements. We discuss the strengths and weaknesses of current implementations in terms of their ability to fulfill the objective of Art. 15 GDPR, namely to create awareness about data processing. We conclude by providing an outlook on what steps would be necessary for privacy dashboards to facilitate the exercise of the right of access and to provide real added value for online users.
Keywords
Supported by the German Federal Ministry of Education and Research (BMBF) under the research project “TrUSD - Transparente und selbstbestimmte Ausgestaltung der Datennutzung im Unternehmen” (transparent and self-determined design of data use in organizations) (16KIS0899).
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
- 4.
- 5.
References
Acquisti, A., Grossklags, J.: Privacy and rationality in individual decision making. IEEE Secur. Priv. 3(1), 26–33 (2005). https://doi.org/10.1109/MSP.2005.22
Alizadeh, F., Jakobi, T., Boden, A., Stevens, G., Boldt, J.: GDPR reality check - claiming and investigating personally identifiable data from companies. In: 2020 IEEE European Symposium on Security and Privacy Workshops (EuroSPW), pp. 120–129. IEEE (2020). https://doi.org/10.1109/EuroSPW51379.2020.00025
Angulo, J., Fischer-Hübner, S., Pulls, T., Wästlund, E.: Usable transparency with the data track: a tool for visualizing data disclosures. In: Proceedings of the 33rd Annual ACM Conference Extended Abstracts on Human Factors in Computing Systems, pp. 1803–1808. Association for Computing Machinery (2015). https://doi.org/10.1145/2702613.2732701
Arfelt, E., Basin, D., Debois, S.: Monitoring the GDPR. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11735, pp. 681–699. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29959-0_33
Bier, C., Kühne, K., Beyerer, J.: PrivacyInsight: the next generation privacy dashboard. In: Schiffner, S., Serna, J., Ikonomou, D., Rannenberg, K. (eds.) APF 2016. LNCS, vol. 9857, pp. 135–152. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44760-5_9
Boniface, C., Fouad, I., Bielova, N., Lauradoux, C., Santos, C.: Security analysis of subject access request procedures. In: Naldi, M., Italiano, G.F., Rannenberg, K., Medina, M., Bourka, A. (eds.) APF 2019. LNCS, vol. 11498, pp. 182–209. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21752-5_12
Buchmann, J., Nebel, M., Roßnagel, A., Shirazi, F., Simo, H., Waidner, M.: Personal information dashboard: putting the individual back in control. In: Digital Enlightenment Yearbook 2013, pp. 139–164. IOS Press (2013)
Bufalieri, L., Morgia, M.L., Mei, A., Stefa, J.: GDPR: when the right to access personal data becomes a threat. In: 2020 IEEE International Conference on Web Services (ICWS), pp. 75–83 (2020). https://doi.org/10.1109/ICWS49710.2020.00017
Cabinakova, J., Zimmermann, C., Mueller, G.: An empirical analysis of privacy dashboard acceptance: the google case. In: Proceeding of the 24th European Conference on Information Systems (ECIS). Research Papers, vol. 114, pp. 1–18. AIS Electronic Library (AISeL) (2016)
Cagnazzo, M., Holz, T., Pohlmann, N.: GDPiRated – stealing personal information on- and offline. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 367–386. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_18
European Parliament and Council of European Union: Regulation (EU) 2016/679 (2016). https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
Few, S.: Information Dashboard Design: The Effective Visual Communication of Data. O’Reilly Media, Inc. (2006)
Fischer-Hübner, S., Angulo, J., Pulls, T.: How can cloud users be supported in deciding on, tracking and controlling how their data are used? In: Hansen, M., Hoepman, J.-H., Leenes, R., Whitehouse, D. (eds.) Privacy and Identity 2013. IAICT, vol. 421, pp. 77–92. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55137-6_6
Gerber, N., Gerber, P., Volkamer, M.: Explaining the privacy paradox: a systematic review of literature investigating privacy attitude and behavior. Comput. Secur. 77, 226–261 (2018). https://doi.org/10.1016/j.cose.2018.04.002
Gluck, J., et al.: How short is too short? Implications of length and framing on the effectiveness of privacy notices. In: 12th Symposium on Usable Privacy and Security (SOUPS), pp. 321–340. USENIX Association (2016)
Goodman, B., Flaxman, S.: European union regulations on algorithmic decision-making and a “Right to Explanation”. AI Mag. 38(3), 50–57 (2017). https://doi.org/10.1609/aimag.v38i3.2741
Harkous, H., Fawaz, K., Lebret, R., Schaub, F., Shin, K.G., Aberer, K.: Polisis: automated analysis and presentation of privacy policies using deep learning. In: 27th USENIX Security Symposium (USENIX Security), pp. 531–548. USENIX Association (2018)
Herder, E., van Maaren, O.: Privacy dashboards: the impact of the type of personal data and user control on trust and perceived risk. In: Adjunct Publication of the 28th ACM Conference on User Modeling, Adaptation and Personalization (UMAP), pp. 169–174. Association for Computing Machinery (2020). https://doi.org/10.1145/3386392.3399557
Kang, R., Dabbish, L., Fruchter, N., Kiesler, S.: “My data just goes everywhere:” user mental models of the internet and implications for privacy and security. In: 11th Symposium On Usable Privacy and Security (SOUPS), pp. 39–52. USENIX Association (2015)
Kani-Zabihi, E., Helmhout, M.: Increasing service users’ privacy awareness by introducing on-line interactive privacy features. In: Laud, P. (ed.) NordSec 2011. LNCS, vol. 7161, pp. 131–148. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29615-4_10
Karegar, F., Pulls, T., Fischer-Hübner, S.: Visualizing exports of personal data by exercising the right of data portability in the data track - are people ready for this? In: Lehmann, A., Whitehouse, D., Fischer-Hübner, S., Fritsch, L., Raab, C. (eds.) Privacy and Identity 2016. IAICT, vol. 498, pp. 164–181. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-55783-0_12
Kolter, J., Netter, M., Pernul, G.: Visualizing past personal data disclosures. In: 2010 International Conference on Availability, Reliability and Security (ARES), pp. 131–139. IEEE (2010). https://doi.org/10.1109/ARES.2010.51
Le Pochat, V., Van Goethem, T., Tajalizadehkhoob, S., Korczyński, M., Joosen, W.: Tranco: a research-oriented top sites ranking hardened against manipulation. In: Proceedings of the 26th Annual Network and Distributed System Security Symposium (NDSS). The Internet Society (2019)
Mannhardt, F., Oliveira, M., Petersen, S.A.: Designing a privacy dashboard for a smart manufacturing environment. In: Pappas, I.O., Mikalef, P., Dwivedi, Y.K., Jaccheri, L., Krogstie, J., Mäntymäki, M. (eds.) I3E 2019. IAICT, vol. 573, pp. 79–85. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-39634-3_8
Markos, E., Milne, G.R., Peltier, J.W.: Information sensitivity and willingness to provide continua: a comparative privacy study of the United States and Brazil. J. Public Policy Market. 36(1), 79–96 (2017). https://doi.org/10.1509/jppm.15.159
Martino, M.D., Robyns, P., Weyts, W., Quax, P., Lamotte, W., Andries, K.: Personal information leakage by abusing the GDPR ‘Right of Access’. In: 15th USENIX Symposium on Usable Privacy and Security (SOUPS). USENIX Association (2019)
Matzutt, R., et al.: myneData: towards a trusted and user-controlled ecosystem for sharing personal data. In: 47. Jahrestagung Der Gesellschaft Für Informatik, pp. 1073–1084 (2017). https://doi.org/10.18420/in2017_109
Milne, G.R., Pettinico, G., Hajjat, F.M., Markos, E.: Information sensitivity typology: mapping the degree and type of risk consumers perceive in personal data sharing. J. Consum. Aff. 51(1), 133–161 (2017). https://doi.org/10.1111/joca.12111
Murmann, P., Fischer-Hübner, S.: Tools for achieving usable ex post transparency: a survey. IEEE Access 5, 22965–22991 (2017). https://doi.org/10.1109/ACCESS.2017.2765539
Nissenbaum, H.: Privacy as contextual integrity. Washington Law Rev. 79(1), 1119–157 (2004)
Pavur, J., Knerr, C.: GDPArrrrr: Using Privacy Laws to Steal Identities. arXiv:1912.00731 [cs] (2019)
Polst, S., Kelbert, P., Feth, D.: Company privacy dashboards: employee needs and requirements. In: Moallem, A. (ed.) HCII 2019. LNCS, vol. 11594, pp. 429–440. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-22351-9_29
Popescu, A., et al.: Increasing transparency and privacy for online social network users – USEMP value model, scoring framework and legal. In: Berendt, B., Engel, T., Ikonomou, D., Le Métayer, D., Schiffner, S. (eds.) APF 2015. LNCS, vol. 9484, pp. 38–59. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31456-3_3
Presthus, W., Sørum, H.: Consumer perspectives on information privacy following the implementation of the GDPR. Int. J. Inf. Syst. Project Manag. (IJISPM) 7(3), 19–34 (2019)
Raschke, P., Küpper, A., Drozd, O., Kirrane, S.: Designing a GDPR-compliant and usable privacy dashboard. In: Hansen, M., Kosta, E., Nai-Fovino, I., Fischer-Hübner, S. (eds.) Privacy and Identity 2017. IAICT, vol. 526, pp. 221–236. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-92925-5_14
Schomakers, E.M., Lidynia, C., Müllmann, D., Ziefle, M.: Internet users’ perceptions of information sensitivity - insights from Germany. Int. J. Inf. Manag. 46, 142–150 (2019). https://doi.org/10.1016/j.ijinfomgt.2018.11.018
Schufrin, M., Reynolds, S.L., Kuijper, A., Kohlhammer, J.: A visualization interface to improve the transparency of collected personal data on the internet. IEEE Trans. Vis. Comput. Graph. 27(2), 1840–1849 (2021). https://doi.org/10.1109/TVCG.2020.3028946
Scudder, J., Jøsang, A.: Personal federation control with the identity dashboard. In: de Leeuw, E., Fischer-Hübner, S., Fritsch, L. (eds.) IDMAN 2010. IAICT, vol. 343, pp. 85–99. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17303-5_7
Siljee, J.: Privacy transparency patterns. In: Proceedings of the 20th ACM European Conference on Pattern Languages of Programs (EuroPLoP), pp. 1–11. ACM (2015). https://doi.org/10.1145/2855321.2855374
The European Comission: ICT usage in households and by individuals. Technical report, The European Union (2019). https://ec.europa.eu/eurostat/cache/metadata/en/isoc_i_esms.htm
The European Comission: Digital Economy and Society Index (DESI) 2020 - Use of internet services. Technical report. DESI 2020, The European Union (2020). https://ec.europa.eu/digital-single-market/en/use-internet-and-online-activities
Tolsdorf, J., Dehling, F.: In our employer we trust: mental models of office workers’ privacy perceptions. In: Bernhard, M., et al. (eds.) FC 2020. LNCS, vol. 12063, pp. 122–136. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-54455-3_9
Tolsdorf, J., Dehling, F., Lo Iacono, L.: Take back control! the use of mental models to develop privacy dashboards. ITG News 8(3), 15–20 (2020)
Urban, T., Tatang, D., Degeling, M., Holz, T., Pohlmann, N.: A study on subject data access in online advertising after the GDPR. In: Pérez-Solà, C., Navarro-Arribas, G., Biryukov, A., Garcia-Alfaro, J. (eds.) DPM/CBT -2019. LNCS, vol. 11737, pp. 61–79. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-31500-9_5
Utz, C., Degeling, M., Fahl, S., Schaub, F., Holz, T.: (un)informed consent: studying GDPR consent notices in the field. In: Proceedings of the 26th ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 973–990. Association for Computing Machinery (2019). https://doi.org/10.1145/3319535.3354212
Wilson, S., et al.: Crowdsourcing annotations for websites’ privacy policies: can it really work? In: Proceedings of the 25th International Conference on World Wide Web (WWW), pp. 133–143. International World Wide Web Conferences Steering Committee (2016). https://doi.org/10.1145/2872427.2883035
Wong, J., Henderson, T.: How portable is portable? Exercising the GDPR’s right to data portability. In: Proceedings of the 2018 ACM International Joint Conference and 2018 International Symposium on Pervasive and Ubiquitous Computing and Wearable Computers (UbiComp), pp. 911–920. Association for Computing Machinery (2018)
Zimmermann, C., Accorsi, R., Müller, G.: Privacy dashboards: reconciling data-driven business models and privacy. In: Proceedings of the 9th International Conference on Availability, Reliability and Security (ARES), pp. 152–157. IEEE Computer Society (2014). https://doi.org/10.1109/ARES.2014.27
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Tolsdorf, J., Fischer, M., Lo Iacono, L. (2021). A Case Study on the Implementation of the Right of Access in Privacy Dashboards. In: Gruschka, N., Antunes, L.F.C., Rannenberg, K., Drogkaris, P. (eds) Privacy Technologies and Policy. APF 2021. Lecture Notes in Computer Science(), vol 12703. Springer, Cham. https://doi.org/10.1007/978-3-030-76663-4_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-76663-4_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-76662-7
Online ISBN: 978-3-030-76663-4
eBook Packages: Computer ScienceComputer Science (R0)