SoK: The Gap Between Data Rights Ideals and Reality

TL;DR

This paper reviews 201 studies to assess whether data rights laws like GDPR truly empower individuals, revealing limitations and proposing policy and technical improvements.

Contribution

It provides a comprehensive analysis of empirical evidence on data rights effectiveness and offers recommendations for enhancing privacy regulation.

Findings

Rights-based laws often show limited effectiveness

Conflicting results in literature about rights enforcement

Recommendations for policymakers and CS communities

Abstract

As information economies burgeon, they unlock innovation and economic wealth while posing novel threats to civil liberties and altering power dynamics between individuals, companies, and governments. Legislatures have reacted with privacy laws designed to empower individuals over their data. These laws typically create rights for "data subjects" (individuals) to make requests of data collectors (companies and governments). The European Union General Data Protection Regulation (GDPR) exemplifies this, granting extensive data rights to data subjects, a model embraced globally. However, the question remains: do these rights-based privacy laws effectively empower individuals over their data? This paper scrutinizes these approaches by reviewing 201 interdisciplinary empirical studies, news articles, and blog posts. We pinpoint 15 key questions concerning the efficacy of rights allocations. The literature often presents conflicting results regarding the effectiveness of rights-based frameworks, but it generally emphasizes their limitations. We offer recommendations to policymakers and Computer Science (CS) groups committed to these frameworks, and suggest alternative privacy regulation approaches.