One place the EU General Data Protection Regulation added pressure for some data controllers was in its mandate that data subjects have a right to request a copy of the information organizations hold on them, and that organizations must respond to that request within a month. But an added complication, even where processes are in place to deal with data-subject access requests (let's call them DSARs), is verifying not only that the data subject is who they claim to be, but that the request itself is legitimate.
Privacy professionals charged with monitoring DSAR compliance report seeing some suspicious trends regarding such requests, some seemingly with nefarious motives.
Akiva Miller of Sisense, a New York-based company that does analytics for complex data, recalled a recent incident in which an individual came to the company's website and entered their information into an online form. Less than an hour later, the brand-new data subject sent a DSAR.
"So clearly this is someone who went on the website to specifically do some activity, and then requested data about himself," Miller said. "It's not someone who wanted to clean house and enforce his rights."
At the time, Miller deliberated the best course of action. The email had been sent not to the privacy office but as a direct mail through the company's website. In it, the data subject listed, at length, the information he wanted to receive, citing the GDPR and "every single article" that applied to his rights as a data subject, Miller recalled.
Additionally, the email came from a Gmail account whose name was different from the name of the person in the email. The request also appeared to be coming from a U.S. server. The behavior pattern was suspicious.
The problem then becomes: What to do? The data subject isn't under a heavy obligation to provide a trove of information to verify themselves. The controller is allowed to ask for "reasonable" but not "burdensome" information to verify identity.
"I can’t ask them to go and get something notarized, that would be burdensome. Or make them jump through hoops to verify who they are, that would be unreasonable. And I think that would present obvious GDPR issues," said Pegah Parsi, the privacy officer for UC San Diego. But the problem is, they also "can’t go under the presumption that this is bogus."
Miller echoed, "It's not about 'Do we identify you?' But it's, 'Do we identify you beyond the minimal contact info we have about you? Do we identify where you're coming from? Whether you are acting in good faith?' All of the other information we need about a person to tell the good people from the bad, we don't have ability or mandate to require" the data subject to provide.
Karis McLarty of multinational outdoor-advertising company Clear Channel, based in London, is familiar with the problem. When a DSAR comes through, her privacy office then has to contact multiple stakeholders across the company to determine which databases hold the data on that individual.
“Only to see, ‘Oh, he’s not on any list or database. We appear to have never heard of him.’ Oh look, the ‘data subject’ is actually a GDPR software marketer whose point was not to submit a legitimate DSAR but to say: ‘Isn’t this process difficult? I’ve got software to help you solve it!’ That is infuriating,” she said.
And while companies could use the administrative fee provision to try to deter such behavior, she said, “It would still have to be a reasonable fee, and the old guide of 10 pounds wouldn’t cover the cost of sending the letter requesting the money, so what’s the point?”
Back in New York, Miller, for his part, wants to know: "Who are these people? It may be speculation, but they're maybe opportunists. [Potential] plaintiffs trying to find companies that aren’t responding properly. It could be companies who are trying to sell their services, GDPR-compliant services, and they're doing it to find companies that don’t comply well."
Parsi's team did some digging into the suspicious DSARs they started receiving this summer and found a site called deseat.me, which appeared to be the site funneling Stanford DSARs.
"The way it essentially works is you tell it what accounts you have with that email, and it goes trolling around for your email," Parsi said. "And from the best we figured, it was trying to find any email that looked like some kind of subscription or mailing list or something like that and just sending emails out to those lists. And they were all completely canned messages. It would say, 'I want to be completely deleted from your system here’s my email.' It gave no other information."
Which then meant the team had to determine not only which list the data subjects were on but also whether they had in fact meant to unsubscribe, a request Stanford would need to adhere to under CAN-SPAM.
"So after a few of them and after talking with other people seeing similar stuff, I saw the trend that people were treating these as if they were unsubscribe requests, because that’s what they seemed like," Parsi said. The team asked for more information to help determine, within the massive system that is Stanford, "Who are you? Are you an alum, student, patient, someone that randomly signed up to be notified for events?"
If the team couldn't verify them following such a vague email, it wasn't going to go about deleting them. So after 30 days, if there was no response, it was considered a failed request.
Clear Channel's McLarty said she's seen what may be an even more problematic, and rising, trend: the increasing use of DSARs in grievance procedures after an employee has been terminated. “They are the ones where people say, ‘I want everything about myself since the beginning of time.' It is then a business’s job to work out how to manage those expectations, and fulfill their request in accordance with their rights and our responsibilities.”
What’s necessary then, of course, is for McLarty’s team to consider the proportionality provision and determine the correct course of action. The content of emails can be up for debate. She has consulted external counsel to consider in what context, for example, another employee’s opinions about the former employee could count as personal data.
When in a grievance procedure or deciding a performance review, the nature of the disclosure becomes crucial for both sides. DSARs can sometimes be used as a way around eDiscovery limitations. In a DSAR procedure, once the data controller has collected all the data to give to the data subject, it has to review it all to ensure it can be disclosed to the subject without breaching other rights — those of the company, or those of other individuals. Unless a good lawyer has properly reviewed and redacted the information, it’s possible for the subject to obtain inadvertently useful information to which they wouldn’t normally be entitled. A DSAR can also be administratively burdensome and expensive, and some employment lawyers are advising it routinely as a way to force a company to settle.
“What truly belongs to the data subject? I do think one has a reasonable expectation of privacy around giving an opinion of an employee to another stakeholder — HR, or legal — in a managerial capacity," said McLarty. "Does my opinion suddenly belong to the person about whom I am giving the opinion? DSARs shouldn’t be used like that; the intention of them was not to subvert disclosure or trip up companies because of the burden of the search. But strategically, for a data subject’s employment lawyer, you can see why it is tempting,” McLarty said.
For now, companies are still separating legitimate requests from illegitimate ones. And as long as sites like deseat.me continue to proliferate, the job doesn't look likely to get easier over time.
Editor's note: An earlier edition of this story indicated Pegah Parsi was at Stanford University's privacy office, when in fact she's at UC San Diego. The article has been amended to reflect this.
Photo credit: wuestenigel Anonymous V for Vendetta Guy Fawkes Kostüm Halloween Maske via photopin (license)