Skip to main content
SpringerLink
Log in

A Case Study on the Implementation of the Right of Access in Privacy Dashboards

  • Conference paper
  • First Online:
Privacy Technologies and Policy (APF 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12703))

Included in the following conference series:

Abstract

The right of access under Art. 15 of the General Data Protection Regulation (GDPR) grants data subjects the right to obtain comprehensive information about the processing of personal data from a controller, including a copy of the data. Privacy dashboards have been discussed as possible tools for implementing this right, and are increasingly found in practice. However, investigations of real world implementations are sparse. We therefore qualitatively examined the extent to which privacy dashboards of ten online services complied with the essential requirements of Art. 15 GDPR. For this, we compared the information provided in dashboards with the information provided in privacy statements and data exports. We found that most privacy dashboards provided a decent initial overview, but lacked important information about purposes, recipients, sources, and categories of data that online users consider to be sensitive. In addition, both the privacy dashboards and the data exports lacked copies of personal data that were processed according to the online services’ own privacy statements. We discuss the strengths and weaknesses of current implementations in terms of their ability to fulfill the objective of Art. 15 GDPR, namely to create awareness about data processing. We conclude by providing an outlook on what steps would be necessary for privacy dashboards to facilitate the exercise of the right of access and to provide real added value for online users.

Supported by the German Federal Ministry of Education and Research (BMBF) under the research project “TrUSD - Transparente und selbstbestimmte Ausgestaltung der Datennutzung im Unternehmen” (transparent and self-determined design of data use in organizations) (16KIS0899).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://privacy.microsoft.com/en-us/privacystatement, https://support.google.com/accounts/answer/162744?hl=en.

  2. 2.

    https://noyb.eu/en/netflix-spotify-youtube-eight-strategic-complaints-filed-right-access.

  3. 3.

    https://tranco-list.eu/list/W3W9.

  4. 4.

    https://pribot.org/polisis.

  5. 5.

    https://transparency-vis.vx.igd.fraunhofer.de/.

References

  1. Acquisti, A., Grossklags, J.: Privacy and rationality in individual decision making. IEEE Secur. Priv. 3(1), 26–33 (2005). https://doi.org/10.1109/MSP.2005.22

    Article  Google Scholar 

  2. Alizadeh, F., Jakobi, T., Boden, A., Stevens, G., Boldt, J.: GDPR reality check - claiming and investigating personally identifiable data from companies. In: 2020 IEEE European Symposium on Security and Privacy Workshops (EuroSPW), pp. 120–129. IEEE (2020). https://doi.org/10.1109/EuroSPW51379.2020.00025

  3. Angulo, J., Fischer-Hübner, S., Pulls, T., Wästlund, E.: Usable transparency with the data track: a tool for visualizing data disclosures. In: Proceedings of the 33rd Annual ACM Conference Extended Abstracts on Human Factors in Computing Systems, pp. 1803–1808. Association for Computing Machinery (2015). https://doi.org/10.1145/2702613.2732701

  4. Arfelt, E., Basin, D., Debois, S.: Monitoring the GDPR. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11735, pp. 681–699. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29959-0_33

    Chapter  Google Scholar 

  5. Bier, C., Kühne, K., Beyerer, J.: PrivacyInsight: the next generation privacy dashboard. In: Schiffner, S., Serna, J., Ikonomou, D., Rannenberg, K. (eds.) APF 2016. LNCS, vol. 9857, pp. 135–152. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44760-5_9

    Chapter  Google Scholar 

  6. Boniface, C., Fouad, I., Bielova, N., Lauradoux, C., Santos, C.: Security analysis of subject access request procedures. In: Naldi, M., Italiano, G.F., Rannenberg, K., Medina, M., Bourka, A. (eds.) APF 2019. LNCS, vol. 11498, pp. 182–209. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21752-5_12

    Chapter  Google Scholar 

  7. Buchmann, J., Nebel, M., Roßnagel, A., Shirazi, F., Simo, H., Waidner, M.: Personal information dashboard: putting the individual back in control. In: Digital Enlightenment Yearbook 2013, pp. 139–164. IOS Press (2013)

    Google Scholar 

  8. Bufalieri, L., Morgia, M.L., Mei, A., Stefa, J.: GDPR: when the right to access personal data becomes a threat. In: 2020 IEEE International Conference on Web Services (ICWS), pp. 75–83 (2020). https://doi.org/10.1109/ICWS49710.2020.00017

  9. Cabinakova, J., Zimmermann, C., Mueller, G.: An empirical analysis of privacy dashboard acceptance: the google case. In: Proceeding of the 24th European Conference on Information Systems (ECIS). Research Papers, vol. 114, pp. 1–18. AIS Electronic Library (AISeL) (2016)

    Google Scholar 

  10. Cagnazzo, M., Holz, T., Pohlmann, N.: GDPiRated – stealing personal information on- and offline. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 367–386. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_18

    Chapter  Google Scholar 

  11. European Parliament and Council of European Union: Regulation (EU) 2016/679 (2016). https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

  12. Few, S.: Information Dashboard Design: The Effective Visual Communication of Data. O’Reilly Media, Inc. (2006)

    Google Scholar 

  13. Fischer-Hübner, S., Angulo, J., Pulls, T.: How can cloud users be supported in deciding on, tracking and controlling how their data are used? In: Hansen, M., Hoepman, J.-H., Leenes, R., Whitehouse, D. (eds.) Privacy and Identity 2013. IAICT, vol. 421, pp. 77–92. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55137-6_6

    Chapter  Google Scholar 

  14. Gerber, N., Gerber, P., Volkamer, M.: Explaining the privacy paradox: a systematic review of literature investigating privacy attitude and behavior. Comput. Secur. 77, 226–261 (2018). https://doi.org/10.1016/j.cose.2018.04.002

    Article  Google Scholar 

  15. Gluck, J., et al.: How short is too short? Implications of length and framing on the effectiveness of privacy notices. In: 12th Symposium on Usable Privacy and Security (SOUPS), pp. 321–340. USENIX Association (2016)

    Google Scholar 

  16. Goodman, B., Flaxman, S.: European union regulations on algorithmic decision-making and a “Right to Explanation”. AI Mag. 38(3), 50–57 (2017). https://doi.org/10.1609/aimag.v38i3.2741

    Article  Google Scholar 

  17. Harkous, H., Fawaz, K., Lebret, R., Schaub, F., Shin, K.G., Aberer, K.: Polisis: automated analysis and presentation of privacy policies using deep learning. In: 27th USENIX Security Symposium (USENIX Security), pp. 531–548. USENIX Association (2018)

    Google Scholar 

  18. Herder, E., van Maaren, O.: Privacy dashboards: the impact of the type of personal data and user control on trust and perceived risk. In: Adjunct Publication of the 28th ACM Conference on User Modeling, Adaptation and Personalization (UMAP), pp. 169–174. Association for Computing Machinery (2020). https://doi.org/10.1145/3386392.3399557

  19. Kang, R., Dabbish, L., Fruchter, N., Kiesler, S.: “My data just goes everywhere:” user mental models of the internet and implications for privacy and security. In: 11th Symposium On Usable Privacy and Security (SOUPS), pp. 39–52. USENIX Association (2015)

    Google Scholar 

  20. Kani-Zabihi, E., Helmhout, M.: Increasing service users’ privacy awareness by introducing on-line interactive privacy features. In: Laud, P. (ed.) NordSec 2011. LNCS, vol. 7161, pp. 131–148. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29615-4_10

    Chapter  Google Scholar 

  21. Karegar, F., Pulls, T., Fischer-Hübner, S.: Visualizing exports of personal data by exercising the right of data portability in the data track - are people ready for this? In: Lehmann, A., Whitehouse, D., Fischer-Hübner, S., Fritsch, L., Raab, C. (eds.) Privacy and Identity 2016. IAICT, vol. 498, pp. 164–181. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-55783-0_12

    Chapter  Google Scholar 

  22. Kolter, J., Netter, M., Pernul, G.: Visualizing past personal data disclosures. In: 2010 International Conference on Availability, Reliability and Security (ARES), pp. 131–139. IEEE (2010). https://doi.org/10.1109/ARES.2010.51

  23. Le Pochat, V., Van Goethem, T., Tajalizadehkhoob, S., Korczyński, M., Joosen, W.: Tranco: a research-oriented top sites ranking hardened against manipulation. In: Proceedings of the 26th Annual Network and Distributed System Security Symposium (NDSS). The Internet Society (2019)

    Google Scholar 

  24. Mannhardt, F., Oliveira, M., Petersen, S.A.: Designing a privacy dashboard for a smart manufacturing environment. In: Pappas, I.O., Mikalef, P., Dwivedi, Y.K., Jaccheri, L., Krogstie, J., Mäntymäki, M. (eds.) I3E 2019. IAICT, vol. 573, pp. 79–85. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-39634-3_8

    Chapter  Google Scholar 

  25. Markos, E., Milne, G.R., Peltier, J.W.: Information sensitivity and willingness to provide continua: a comparative privacy study of the United States and Brazil. J. Public Policy Market. 36(1), 79–96 (2017). https://doi.org/10.1509/jppm.15.159

    Article  Google Scholar 

  26. Martino, M.D., Robyns, P., Weyts, W., Quax, P., Lamotte, W., Andries, K.: Personal information leakage by abusing the GDPR ‘Right of Access’. In: 15th USENIX Symposium on Usable Privacy and Security (SOUPS). USENIX Association (2019)

    Google Scholar 

  27. Matzutt, R., et al.: myneData: towards a trusted and user-controlled ecosystem for sharing personal data. In: 47. Jahrestagung Der Gesellschaft Für Informatik, pp. 1073–1084 (2017). https://doi.org/10.18420/in2017_109

  28. Milne, G.R., Pettinico, G., Hajjat, F.M., Markos, E.: Information sensitivity typology: mapping the degree and type of risk consumers perceive in personal data sharing. J. Consum. Aff. 51(1), 133–161 (2017). https://doi.org/10.1111/joca.12111

    Article  Google Scholar 

  29. Murmann, P., Fischer-Hübner, S.: Tools for achieving usable ex post transparency: a survey. IEEE Access 5, 22965–22991 (2017). https://doi.org/10.1109/ACCESS.2017.2765539

    Article  Google Scholar 

  30. Nissenbaum, H.: Privacy as contextual integrity. Washington Law Rev. 79(1), 1119–157 (2004)

    Google Scholar 

  31. Pavur, J., Knerr, C.: GDPArrrrr: Using Privacy Laws to Steal Identities. arXiv:1912.00731 [cs] (2019)

  32. Polst, S., Kelbert, P., Feth, D.: Company privacy dashboards: employee needs and requirements. In: Moallem, A. (ed.) HCII 2019. LNCS, vol. 11594, pp. 429–440. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-22351-9_29

    Chapter  Google Scholar 

  33. Popescu, A., et al.: Increasing transparency and privacy for online social network users – USEMP value model, scoring framework and legal. In: Berendt, B., Engel, T., Ikonomou, D., Le Métayer, D., Schiffner, S. (eds.) APF 2015. LNCS, vol. 9484, pp. 38–59. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31456-3_3

    Chapter  Google Scholar 

  34. Presthus, W., Sørum, H.: Consumer perspectives on information privacy following the implementation of the GDPR. Int. J. Inf. Syst. Project Manag. (IJISPM) 7(3), 19–34 (2019)

    Google Scholar 

  35. Raschke, P., Küpper, A., Drozd, O., Kirrane, S.: Designing a GDPR-compliant and usable privacy dashboard. In: Hansen, M., Kosta, E., Nai-Fovino, I., Fischer-Hübner, S. (eds.) Privacy and Identity 2017. IAICT, vol. 526, pp. 221–236. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-92925-5_14

    Chapter  Google Scholar 

  36. Schomakers, E.M., Lidynia, C., Müllmann, D., Ziefle, M.: Internet users’ perceptions of information sensitivity - insights from Germany. Int. J. Inf. Manag. 46, 142–150 (2019). https://doi.org/10.1016/j.ijinfomgt.2018.11.018

    Article  Google Scholar 

  37. Schufrin, M., Reynolds, S.L., Kuijper, A., Kohlhammer, J.: A visualization interface to improve the transparency of collected personal data on the internet. IEEE Trans. Vis. Comput. Graph. 27(2), 1840–1849 (2021). https://doi.org/10.1109/TVCG.2020.3028946

    Article  Google Scholar 

  38. Scudder, J., Jøsang, A.: Personal federation control with the identity dashboard. In: de Leeuw, E., Fischer-Hübner, S., Fritsch, L. (eds.) IDMAN 2010. IAICT, vol. 343, pp. 85–99. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17303-5_7

    Chapter  Google Scholar 

  39. Siljee, J.: Privacy transparency patterns. In: Proceedings of the 20th ACM European Conference on Pattern Languages of Programs (EuroPLoP), pp. 1–11. ACM (2015). https://doi.org/10.1145/2855321.2855374

  40. The European Comission: ICT usage in households and by individuals. Technical report, The European Union (2019). https://ec.europa.eu/eurostat/cache/metadata/en/isoc_i_esms.htm

  41. The European Comission: Digital Economy and Society Index (DESI) 2020 - Use of internet services. Technical report. DESI 2020, The European Union (2020). https://ec.europa.eu/digital-single-market/en/use-internet-and-online-activities

  42. Tolsdorf, J., Dehling, F.: In our employer we trust: mental models of office workers’ privacy perceptions. In: Bernhard, M., et al. (eds.) FC 2020. LNCS, vol. 12063, pp. 122–136. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-54455-3_9

    Chapter  Google Scholar 

  43. Tolsdorf, J., Dehling, F., Lo Iacono, L.: Take back control! the use of mental models to develop privacy dashboards. ITG News 8(3), 15–20 (2020)

    Google Scholar 

  44. Urban, T., Tatang, D., Degeling, M., Holz, T., Pohlmann, N.: A study on subject data access in online advertising after the GDPR. In: Pérez-Solà, C., Navarro-Arribas, G., Biryukov, A., Garcia-Alfaro, J. (eds.) DPM/CBT -2019. LNCS, vol. 11737, pp. 61–79. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-31500-9_5

    Chapter  Google Scholar 

  45. Utz, C., Degeling, M., Fahl, S., Schaub, F., Holz, T.: (un)informed consent: studying GDPR consent notices in the field. In: Proceedings of the 26th ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 973–990. Association for Computing Machinery (2019). https://doi.org/10.1145/3319535.3354212

  46. Wilson, S., et al.: Crowdsourcing annotations for websites’ privacy policies: can it really work? In: Proceedings of the 25th International Conference on World Wide Web (WWW), pp. 133–143. International World Wide Web Conferences Steering Committee (2016). https://doi.org/10.1145/2872427.2883035

  47. Wong, J., Henderson, T.: How portable is portable? Exercising the GDPR’s right to data portability. In: Proceedings of the 2018 ACM International Joint Conference and 2018 International Symposium on Pervasive and Ubiquitous Computing and Wearable Computers (UbiComp), pp. 911–920. Association for Computing Machinery (2018)

    Google Scholar 

  48. Zimmermann, C., Accorsi, R., Müller, G.: Privacy dashboards: reconciling data-driven business models and privacy. In: Proceedings of the 9th International Conference on Availability, Reliability and Security (ARES), pp. 152–157. IEEE Computer Society (2014). https://doi.org/10.1109/ARES.2014.27

Download references

Author information

Authors and Affiliations

  1. Data and Application Security Group, H-BRS University of Applied Sciences, Sankt Augustin, Germany

    Jan Tolsdorf, Michael Fischer & Luigi Lo Iacono

Authors
  1. Jan Tolsdorf
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Michael Fischer
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Luigi Lo Iacono
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jan Tolsdorf .

Editor information

Editors and Affiliations

  1. University of Oslo, Oslo, Norway

    Nils Gruschka

  2. Department of Computer Science, University of Porto, Porto, Portugal

    Luís Filipe Coelho Antunes

  3. Goethe University Frankfurt, Frankfurt, Germany

    Kai Rannenberg

  4. ENISA, Athens, Greece

    Prokopios Drogkaris

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Tolsdorf, J., Fischer, M., Lo Iacono, L. (2021). A Case Study on the Implementation of the Right of Access in Privacy Dashboards. In: Gruschka, N., Antunes, L.F.C., Rannenberg, K., Drogkaris, P. (eds) Privacy Technologies and Policy. APF 2021. Lecture Notes in Computer Science(), vol 12703. Springer, Cham. https://doi.org/10.1007/978-3-030-76663-4_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-76663-4_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-76662-7

  • Online ISBN: 978-3-030-76663-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation