Sometimes that data gets spliced, scattered and consolidated across a web of collaborators, researchers and advertisers. Acxiom, for instance, claims 1,500 data points for each of the 500 million people in its database, including most US adults. Just in the past few months, Facebook was reported to have asked hospitals, including Stanford University School of Medicine, to share and integrate patients’ medical data with its own (the research project has since been put on hold). In April, gay dating app Grindr was revealed to have shared customers’ HIV status with two app-optimization companies. And who suspected completing an online personality test would pave the way for President Donald Trump’s targeted political advertising?
In short, the close relationships we have with our devices are not monogamous. But what’s a privacy-valuing citizen who still wants or needs to partake in our fabulously networked 21st-century society to do?
There likely could not be a more timely moment for the public to care about the General Data Protection Regulation (GDPR), the European Union’s superlatively complex, contested, sweeping data-privacy law that came into force on May 25th.
Its key rights include access to personal data, explanations of the algorithms that shape citizens’ lives, portability (or moving your data from one company to another) and deletion. Years in the making, it affects any global organization’s business in the European Union, leading companies worldwide to spend millions of dollars bringing their privacy standards into compliance, in some cases standardizing their practices outside the EU too.
So we decided to test the system. A team of nine Engadget reporters in London, Paris, New York and San Francisco filed more than 150 subject access requests — in other words, requests for personal data — to more than 30 popular tech companies, ranging from social networks to dating apps to streaming services. We reached out before May 25th — when previous laws for data access existed in the EU — as well as after, to see how procedures might have changed.
The EU has had a data-protection directive since 1995, yet studies have repeatedly shown that its rights weren’t well-enforced. The GDPR has been law since 2016, yet it only grew teeth this May, with companies now open to fines of up to 4 percent of global annual revenue.
The EU has had a data-protection directive since 1995, yet studies have repeatedly shown that its rights weren’t well-enforced.
Indeed, the history of data privacy is really a tale of violation without meaningful justice. For example, hacked credit agency Equifax is still in business, and its customers can’t even cut ties with it if they wish to. In the UK, Facebook was fined £500,000 ($640,000) for its role in the Cambridge Analytica scandal, the maximum sum under laws at the time of the incident — but also equal to the amount of cash the company makes every 5.5 minutes.
If the same thing happened today, Facebook could be hit with fines potentially in the billions of dollars. Already, about 1,000 US-based news websites including theLos Angeles TimesandChicago Tribuneare inaccessible in the EU, and in a recent Deloitte survey only about a third of organizations could say they were fully compliant.
The hope is that the GDPR will be a gold standard for how to feasibly check the power of big tech companies whose market value dwarfs the GDP of some of the countries trying to hold them accountable.
We contacted companies by email or through their websites when they specified a method in their privacy policies, or we sent a letter when they didn’t. (Instagram, for instance, only added an email address for data requests on May 25th and didn’t reply to our mailed request.) Our letter was a modified version of the template on the UK Information Commissioner’s Office’s website, quoting directly from the relevant laws. We asked for information on what data was held on us, where it came from, who it’s been sent to and how we’ve been profiled, among other questions.
Our requests were made from personal email and home addresses, in an effort to be treated as much like regular consumers as possible. In most cases, we sent follow-up questions identifying ourselves as reporters.
“Data requests are a window into the soul of on organization,” said Hadi Asghari, an assistant professor at Delft University of Technology in the Netherlands, whose research has shown how little EU access laws have been adhered to in recent years. And we made unexpected discoveries: the distorted, fun house mirror profile that Acxiom held on one reporter; a kink app with lax security practices; a dating service that sent us a stranger’s data. But we also saw the wildly divergent extents to which companies are adjusting to the GDPR. Personal information is the commodity that fuels the big data economy, and like all commodities, there’s a fight for its control.
There is an elephant in the room to address here: Understanding data privacy is fundamentally boring, if not unintelligible, to a regular user.
This touches on what academics call the digital-privacy paradox. When polled, people say they care deeply about privacy, but in reality, they will give up their data or even the email addresses of their friends in exchange for something as trivial as a pizza.
It’s with this in mind that we waded through all sorts of corporate responses to our data requests: emails, Excel spreadsheets, data-download tools. Beyond simply what was given to us, would it be understandable, even meaningful?
Netflix, for instance, provided full glossaries for its tables of data in a single PDF.
Beyond simply what was given to us, would the data be understandable, even meaningful?
Spotify, in contrast, provided its data through an online-download function. Inside, one UK-based reporter received 101 JSON files, and another received 90. While admirably comprehensive, these are dumps from databases normally read by computers: There’s no way to reasonably make sense of the file names, let alone their plain-text contents. Spotify Customer Service did not provide full explanations of the file names, and a spokeswoman said while we could ask about specific data fields, the company did not have a glossary for all of its files.
(A third reporter who made an identical request from the US received only seven files with basic information like payment methods, playlists and followers. The spokeswoman said that “there are no differences to the information shared based on countries” and that worldwide users could request additional files by contacting customer service, but this interaction points to an obvious conundrum: How do you ask for files that you don’t know exist?)
Instagram, too, offered its data — aside from copies of photos and videos — in reams of plain-text JSON files, which a spokeswoman justified as a more portable format. The right to portability, however, is separate from the right to access one’s data.
At least it provided some information. Dating app Bumble sent a UK reporter nothing more than basic personal info (name, age, language), the photos he’d uploaded and the last year of IP addresses and login times. A request from a US-based reporter went unanswered for more than a month; the company eventually provided data 12 weeks later.