Streamlining personal data access requests: From obstructive procedures to automated web workflows

TL;DR

This paper introduces an automated web-based system for executing data subject access requests (DSARs), transforming manual procedures into streamlined, one-click workflows to enhance privacy transparency and data access efficiency.

Contribution

It presents a novel generic workflow model, a formal language for representing provider-specific DSAR processes, and an extendable repository with a browser extension for automated execution.

Findings

Formalized DSAR workflows for 15 service providers

Developed a browser extension for one-click DSARs

Enabled automated, efficient data access requests

Abstract

Transparency and data portability are two core principles of modern privacy legislations such as the GDPR. From the regulatory perspective, providing individuals (data subjects) with access to their data is a main building block for implementing these. Different from other privacy principles and respective regulatory provisions, however, this right to data access has so far only seen marginal technical reflection. Processes related to performing data subject access requests (DSARs) are thus still to be executed manually, hindering the concept of data access from unfolding its full potential. To tackle this problem, we present an automated approach to the execution of DSARs, employing modern techniques of web automation. In particular, we propose a generic DSAR workflow model, a corresponding formal language for representing the particular workflows of different service providers (controllers), a publicly accessible and extendable workflow repository, and a browser-based execution engine, altogether providing ``one-click'' DSARs. To validate our approach and technical concepts, we examine, formalize and make publicly available the DSAR workflows of 15 widely used service providers and implement the execution engine in a publicly available browser extension. Altogether, we thereby pave the way for automated data subject access requests and lay the groundwork for a broad variety of subsequent technical means helping web users to better understand their privacy-related exposure to different service providers.