TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

""

""

One place the EU General Data Protection added some pressure for some data controllers was in its mandate that data subjects have a right to request a copy of the information organizations have on them, and organizations must respond to that request within a month. But an added complication, even if processes are in place to deal with data-subject access requests (let's call them DSARs), is verifying not only that the data subject is who they claim to be, but that it's even a legitimate request. 

Privacy professionals charged with monitoring DSAR compliance report seeing some suspicious trends regarding such requests, some seemingly with nefarious motives. 

Akiva Miller of Sisence, a New York-based company that does analytics for complex data, recalled an incident recently in which an individual came to the company's website and put their information into an online forum. Less than an hour later, the brand new data subject sent a DSAR.

"So clearly this is someone who went on the website to specifically do some activity, and then requested data about himself," Miller said. "It's not someone who wanted to clean house and enforce his rights." 

At the time, Miller deliberated the best course of action. The email had been sent not to the privacy office but as a direct mail through the company's website. In it, the data subject listed, at length, the information he wanted to receive, citing the GDPR and "every single article" that applied to his rights as a data subject, Miller recalled. 

Additionally, the email came from a gmail account, the name of whom was different from the person in the email. It also appeared the request was coming from a U.S. server. The behavior pattern was suspicious. 

The problem then becomes: What to do? The data subject isn't under a heavy obligation to provide a trove of information to verify themselves. The controller is allowed to ask for "reasonable" but not "burdensome" information to verify identity. 

"I can’t ask them to go and get something notarized, that would be burdensome. Or make them jump through hoops to verify who they are, that would be unreasonable. And I think that would present obvious GDPR issues," said Pegah Parsi, the privacy officer for UC San Diego. But the problem is, they also "can’t go under the presumption that this is bogus."

Miller echoed, "It’s not about 'Do we identify you?' But it’s, 'Do we identify you beyond the minimal contact info we have about you? Do we identify where you’re coming from? Whether you are acting in good faith?' All of the other information we need about a person to tell the good people form the bad, we don’t have ability or mandate to require" the data subject to provide. 

Karis McLarty of multinational outdoor-advertising company Clear Channel, based in London, is familiar with the problem. When a DSAR comes through, her privacy office then has to contact multiple stakeholders across the company to determine which databases hold the data on that individual.

“Only to see, ‘Oh, he’s not on any list or database. We appear to have never heard of him. Oh look,  the 'data subject' is actually a GDPR software marketer whose point was not to submit a legitimate DSAR but to say: ‘Isn’t this process difficult? I’ve got software to help you solve it!’ That is infuriating,” she said.

And while companies could use the administrative fee provision to try and deter such behavior, she said, ‘It would still have to be a reasonable fee, and the old guide of 10 pounds wouldn’t cover the cost of sending the letter requesting the money, so what’s the point?’”

Back in New York, Miller, for his part, wants to know: "Who are these people? It may be speculation, but they're maybe opportunists. [Potential] plaintiffs trying to find companies that aren’t responding properly. It could be companies who are trying to sell their services, GDPR-compliant services, and they're doing it to find companies that don’t comply well."

Parsi's team did some digging into the suspicious DSAR requests they started getting this summer and found a site called deseat.me, which seemed to be the site funneling Stanford DSARs. 

"The way it essentially works is you tell it what accounts you have with that email, and it goes trolling around for your email," Parsi said. "And from the best we figured, it was trying to find any email that looked like some kind of subscription or mailing list or something like that and just sending emails out to those lists. And they were all completely canned messages. It would say, 'I want to be completely deleted from your system here’s my email.' It gave no other information."

Which then meant the team had to determine not only which list the data subjects were on but also whether they had in fact meant to unsubscribe, a request Stanford would need to adhere to under CAN-SPAM. 

"So after a few of them and after talking with other people seeing similar stuff, I saw the trend that people were treating these as if they were unsubscribe requests, because that’s what they seemed like," Pegah said. The team asked for more information to help determine, within the massive system that is Stanford, "Who are you? Are you an alum, student, patient, someone that randomly signed up to be notified for events?"

If the team couldn't verify them following such a vague email, it wasn't going to go about deleting them. So after 30 days, if there was no response, it was considered a failed request. 

Clear Channel's McLarty said she's seen what may be an even more problematic, and rising, trend: the increasing use of DSARs in grievance procedures after an employee has been terminated. “They are the ones where people say, ‘I want everything about myself since the beginning of time.' It is then a business’s job to work out how to manage those expectations, and fulfill their request in accordance with their rights and our responsibilities.

What’s necessary then, of course, is for McLarty’s team to consider the proportionality provision and determine the correct course of action. The content of emails can be up for debate. She has consulted external counsel to consider in what context, for example, another employee’s opinions about the former employee could count as personal data.

When in a grievance procedure or deciding a performance review, the nature of the disclosure becomes crucial for both sides. DSARS can sometimes be used as a sort of way around eDiscovery limitations. In a DSAR procedure, once the data controller has collected all the data to give to the data subject, they have to review it all to ensure they can disclose it to the subject without breaching other rights — those of the company, or those of other individuals. Unless a good lawyer has properly reviewed and redacted the information, it’s possible for the subject to get some inadvertently useful information to which they wouldn’t normally be entitled. A DSAR can also be administratively burdensome and expensive, and some employment lawyers are advising it routinely as a way to force a company to settle.

“What truly belongs to the data subject? I do think one has a reasonable expectation of privacy around giving an opinion of an employee to another stakeholder — HR, or legal — in a managerial capacity," said McLarty. "Does my opinion suddenly belong to the person about whom I am giving the opinion? DSARs shouldn’t be used like that, the intention of them was not to subvert disclosure or trip up companies because of the burden the search. But strategically, for a data subject’s employment lawyer, you can see why it is tempting,” McLarty said.

For now, companies are still parsing out legitimate requests from illegitimate. And as long as sites like deseat.me continue to proliferate, it doesn't look to become an easier job over time.

Editor's note: An earlier edition of this story indicated Pegah Parsi was at Stanford University's privacy office, when in fact she's at UC San Diego. The article has been amended to reflect this.

Photo credit: wuestenigel Anonymous V for Vendetta Guy Fawkes Kostüm Halloween Maske via photopin (license)

8 Comments

If you want to comment on this post, you need to login.

  • comment Chris Hails • Jan 29, 2019
    The deseat.me tool is an interesting source of auto-generated DSARs. A quick look at the website suggests it indexes Gmail and Microsoft email accounts locally on the user's machine and then generates the 'delete' / unsubscribe request out to the identified list manager. Run out of Sweden with a detailed privacy policy.
  • comment Emma Butler • Jan 30, 2019
    I've always taken the view that it would be worse to disclose personal data to the wrong person than to delay or refuse a request because of insufficient identity information. So I think DPOs are justified in asking for more information to make sure the person is who they say they are. I've also heard anecdotally in the UK of an increase in third parties offering a service to make mass requests to all the companies you have a relationship with. However, they're not doing proof or ID nor authority to act on behalf of the individual, so DPOs are quite rightly ignoring them, not releasing data to them and instead dealing directly with the individual.
  • comment Bleneta Carr • Jan 30, 2019
    This is a very interesting article.  I actually heard that somewhere in Europe a company was fined by a regulator for requesting more identification than was deemed necessary to verify a data subject so as data controllers we will need to consider exactly what is appropriate and not excessive.  It also highlights how important it is to delete data that is no longer required because once it is discovered, you can't exactly take a decision to delete it because you shouldn't have it anyway !
  • comment Patrick Harrigan • Jan 31, 2019
    We have also seen vendors use the DSAR portal to introduce themselves and offer services.  We also experienced two requests from fraudsters seeking information on a particular customer.  We did follow up calling to confirm the fraudulent attempt.  I certainly agree with Emma's point below: I would rather have an issue with a slow response because I needed to verify the legitimacy of the request than provide personal data to a fraudster.
  • comment Derek Lackey • Jan 31, 2019
    One of our clients received 2 bogus (competitors trying to be a pain) within the first 2 weeks of GDPR enforcement. Based on several elements we determined these were not legit and did nothing. Management was 100% sure it was a competitor trying to cause trouble.  Verification is required, as you do not wan to provide personal information without knowing who is really asking.
  • comment Ian Garratt • Feb 1, 2019
    It should only become excessive if an organisation is requesting data as proof of ID which it doesnt already hold.
  • comment Karen Cheeseman • Feb 4, 2019
    Good article, highlighting the problems that many organisations are having large and small. Organisations need a clear and simple process to follow for DSARs, in order that everyone involved knows the part they play in the process and when if necessary to raise an alarm.  If an organisation is unsure as to the identity of the individual then it would by my view that you do not divulge the information and if that means you go over the 30days whilst trying to verify the identity then in those cases it is justified.
  • comment Mark Keddie • Feb 4, 2019
    We saw a couple of these last year, but they seem to have since found more entertaining things to do. The need to ensure ID verification should never be in doubt.