Obtaining personal data and asking for erasure: Do app vendors and website owners honour your privacy rights?

TL;DR

This study investigates whether app vendors and website owners in Germany honor users' rights to access and delete personal data, revealing that compliance is often inadequate and privacy rights are difficult to enforce in practice.

Contribution

The paper provides empirical evidence on the actual compliance of vendors with EU data access and erasure rights through a field study of popular apps and websites.

Findings

Deletion requests fulfilled in 52-57% of cases

Less than half of data provision requests answered satisfactorily

20% of website owners would disclose data to impostors

Abstract

EU Directive 95/46/EC and the upcoming EU General Data Protection Regulation grant Europeans the right of access to data pertaining to them. Consumers can approach their service providers to obtain all personal data stored and processed there. Furthermore, they can demand erasure (or correction) of their data. We conducted an undercover field study to determine whether these rights can be exerted in practice. We assessed the behaviour of the vendors of 150 smartphone apps and 120 websites that are popular in Germany. Our deletion requests were fulfilled in 52 to 57% of the cases and less than half of the data provision requests were answered satisfactorily. Further, we observed instances of carelessness: About 20% of website owners would have disclosed our personal data to impostors. The results indicate that exerting privacy rights that have been introduced two decades ago is still a frustrating endeavour most of the time.