
What do they have on us?

Accessing and Assessing the Data Subject Access Request process - Ameya Naik, UC Berkeley School of Information

Under guidance of Prof. Michael Buckland


Table of Contents

  • DSARs
  • GDPR and DSARs
  • CCPA and DSARs
  • The “Data” in DSARs
  • Implementation
  • Case studies: Spotify, Quora


Data Subject Access Requests

An individual (data subject) may submit a Data Subject Access Request (DSAR) to a company to find out what information has been collected and stored about them or to ask that certain actions be taken with their data. A DSAR can be used to request that data be deleted, incorrect information be corrected, or that future data collection be opted out of.


Art. 15 GDPR: Right of access by the data subject

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.


California Consumer Privacy Act.

The California Consumer Privacy Act defines the right of a consumer to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.

To respond to a DSAR, organizations must follow these steps:

  1. Verify the requester's identity to determine if they have information on the individual and whether to provide access to the data.
  2. Understand the nature of the request (e.g., to see the data the organization has collected or correct the information) to see if they can fulfill it within the 45-day timeframe.
  3. Review and approve the data to be shared with the requester to ensure that it only contains their information.
  4. Deliver the information via secure channels.


The “Data” in Data Subject Access Request

GDPR’s Personal Information:

Personal data means any information relating to an identifiable or identified natural person, e.g. an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics which express the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons.

CCPA’s Personal Data:

The CCPA takes a broader approach to what constitutes personal information: it includes browsing history and records of a visitor’s interaction with the website or application. It also includes inferences drawn from the profile of the data subject, e.g. consumer personas.


Implementation

We all have multiple applications on our mobile phones with which we interact more than even with other humans. These applications can be categorized under different labels depending on their purpose. Among the most frequently used applications on my iOS device, I have:

  1. Music Streaming: Spotify, Amazon Prime, Apple Music etc.
  2. Video Streaming: Netflix, Prime, Hulu etc.
  3. Messaging: Messenger, WhatsApp, Slack, Discord
  4. Social Media: Facebook, Instagram, LinkedIn


Evaluating the DSARs on different criteria

| Application Tag | Application | Code | | Data Access Request (Requested or not) |
|---|---|---|---|---|
| Streaming Service | Netflix | SS1 | Netflix | Yes |
| Streaming Service | Hulu | SS2 | The Walt Disney Company | Yes |
| Fitness Application | Apple fitness | F2 | Apple | Yes |
| Messaging Application | Slack | MA2 | Salesforce | No - Standard Mechanism |
| Messaging Application | Whatsapp | MA1 | Whatsapp | Yes |
| Social Media | Facebook | ST1 | Facebook - Details | Yes |
| Social Media | Instagram | ST2 | Instagram | Yes |
| Social Media | Twitter | ST3 | Twitter | Yes |
| Streaming Service | Youtube | SS1 | Google | Yes |
| Social Media | Linkedin | ST4 | Linkedin | Yes |
| Streaming Service | Prime Videos | ST5 | Amazon | Yes |
| Music Stream Service | Amazon Music | MST1 | Amazon | Yes |
| Fitness Application | Google Fit | F1 | Google | No - separate mechanism - through Google |
| Music Stream Service | Spotify | MST2 | Spotify | Yes |


Research on the Parent organization

Because many of these applications share data across a parent organisation, I had to research the parent organisation and developer of each application.

E.g., Peacock TV is under NBCUniversal, so the data request had to be made through NBCUniversal (which was still difficult to find).


Businesses to which the CCPA applies:

The CCPA applies to for-profit businesses that do business in California and meet any of the following:

  • Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.


Spotify DSAR process

  • Steps: Profile -> Privacy Setting -> Manage Data -> Data
  • DSAR raised on Sep 30, 2022
  • Received concise data within 1 hour.
  • Received more detailed logged information


Quora DSAR process:

Steps:

Privacy Settings -> Privacy Policy -> (this document comes with lots of content)


Future Scope

  1. Analysis of the data - after the data from all the companies has been received.
  2. Usability study - qualitative analysis of the process on 3 metrics.
  3. Institutional DSARs - what about data stored by the University?


Thank you!

Questions, comments and suggestions are welcome!
