Global Compliance with Data Subject Requests
Ty Ehuan, Political Science B.A. & Economics B.S., the University of North Carolina at Chapel Hill
As the United States fails to pass comprehensive federal privacy legislation, various countries across the world have enacted laws to protect individuals’ data privacy. Establishing coordination between these laws has been a challenge—strength and enforceability remain extremely divergent—but nonetheless companies are being forced to adjust to regulation. What shape a U.S. law would take remains to be seen, but a few fundamental rights have remained consistent across the globe.
The rights to access, correct, and delete one’s data are fundamental in the field of data privacy. These rights, collectively referred to as the data subject request (DSR), appear easy to comply with at first glance. If a consumer wishes to do something with their own data, all they have to do is send a request to the company. Yet following through on these requests can be surprisingly difficult for both consumers and businesses, and when billions of dollars in fines are at stake, doing it correctly is absolutely vital.
To address this problem, companies have arisen to ease the DSR process. More commonly these products are focused on the business side. Manually responding to these requests is costly and time consuming: the requester’s identity must be verified and every piece of data about that individual must be found. Products which help automate this process reduce the time and difficulty of these requests, and in doing so incidentally help consumers exercise their rights. However, there also need to be companies focused on helping consumers protect their privacy. This is where Mine enters.
Mine is a consumer-oriented company which helps people see who holds their data. Rather than using automation to reduce business costs, Mine instead helps individuals automate their data subject deletion requests. Not only is this a critical function—many consumers are unaware of which companies hold their data or how to go about deleting it—but Mine also uses a standardized deletion request around the world. As a result, Mine is able to generate data on how companies respond to DSRs in different countries. This data set will be a valuable resource for privacy researchers.
The research team at the Duke University Cyber Policy Program and the Triangle Privacy Research Hub (TPRH) has partnered with Mine to analyze this data, and early results are promising. The data has two components. The first is country-level data of Mine’s overall completion rate results by user and business location. This overall data provides a comparative overview of the effect of differing data privacy regulations. The other data source is a longitudinal study of the 600 companies which receive the most DSRs. It examines their completion rate and time to complete, and we further break it down by industry and by the origin of the DSR to allow for more granular analysis. As trends develop within this data stream we will post updates highlighting our findings, but some early observations have already emerged.
The country data is drawn from Mine’s total results and provides a large sample. We excluded any nation that didn’t have at least 1,000 requests, and this revealed that the U.S. had the lowest compliance rate at approximately 19%, both for requests to U.S. domains and for those originating from U.S. individuals. With no comprehensive privacy legislation like the GDPR or LGPD, this was perhaps an unsurprising result. Nonetheless it provided evidence to support our hypothesis that companies do not respond to DSRs equally. Further evidence supporting this conclusion can be seen in the compliance rates in Spain. Spain’s Data Protection Authority has enforced over 3.5 times more GDPR fines than any other member of the EU. Domains based in Spain also completed DSRs at a rate of over 32%, far surpassing any other country. We cannot say with certainty that this greater level of privacy enforcement has led to greater responsiveness to DSRs, but the overall Spanish and U.S. results provide an important correlation backing up existing public perceptions about privacy.
Some charts visualizing findings from the country-level data can be found below, but going forward our research will focus more narrowly on the longitudinal data we receive from Mine. We are waiting for a longer time period to fully confirm any conclusions, but even from the first 3 months some trends are apparent.
During these months the top 600 companies received a total of 33,232 deletion requests from Mine. To our surprise, over this period the compliance rate was above 59%, a significant increase over the country results. These DSRs were more recent than those found in our other dataset, and it’s possible that responsiveness has simply increased. However, it is more likely that this is a result of our selection. Because we chose the 600 companies that received the most deletion requests from Mine, it stands to reason that they are also the businesses most familiar with them. Thus it is very possible that this disparity exists because numerous smaller domains generally don’t respond to DSRs as often as entities more familiar with them do.
Other areas of note involve the time to complete requests and industry categorizations. Our results showed a slightly positive correlation between the average completion rate and the average hours to complete a request, meaning that companies that completed more deletion requests actually took longer to do so. This offers an important note of caution about using the time it takes a company to respond to a DSR as a measure of its support for consumer privacy. When splitting by industry we found a broad range of success rates, from 68.01% for Health & Wellness to 43.53% for Email & Search. It is reassuring that companies handling potentially sensitive health-based data have the best response rates, but nonetheless having such a large range amongst different industries is a cause for concern.
The conclusions we’ve found so far are fascinating, and with more time to study this we hope to provide other observations on how companies are responding to DSRs. However, more time is still needed to have a better sample of data and greater certainty in our observations. As this data stream grows we will continue to put out updates on the results we see over time and will integrate this with our other research to provide a clearer picture of the state of data privacy today.
*Mine has provided general research funding to the Duke University Sanford School of Public Policy Cyber Policy Program, but does not exercise any control over the content or conclusions of this research.