
A Case Study on the Implementation of the Right of Access in Privacy Dashboards

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12703)

Abstract

The right of access under Art. 15 of the General Data Protection Regulation (GDPR) grants data subjects the right to obtain comprehensive information about the processing of personal data from a controller, including a copy of the data. Privacy dashboards have been discussed as possible tools for implementing this right, and are increasingly found in practice. However, investigations of real-world implementations are sparse. We therefore qualitatively examined the extent to which privacy dashboards of ten online services complied with the essential requirements of Art. 15 GDPR. For this, we compared the information provided in dashboards with the information provided in privacy statements and data exports. We found that most privacy dashboards provided a decent initial overview, but lacked important information about purposes, recipients, sources, and categories of data that online users consider to be sensitive. In addition, both the privacy dashboards and the data exports lacked copies of personal data that were processed according to the online services’ own privacy statements. We discuss the strengths and weaknesses of current implementations in terms of their ability to fulfill the objective of Art. 15 GDPR, namely to create awareness about data processing. We conclude by providing an outlook on what steps would be necessary for privacy dashboards to facilitate the exercise of the right of access and to provide real added value for online users.

Keywords

GDPR, Right of access, Privacy dashboards


Copyright information

© Springer Nature Switzerland AG 2021

Authors and Affiliations

  1. Data and Application Security Group, H-BRS University of Applied Sciences, Sankt Augustin, Germany
