Obtaining personal data and asking for erasure: Do app vendors and website owners honour your privacy rights?

Dominik Herrmann, Jens Lindemann


EU Directive 95/46/EC and the upcoming EU General Data Protection Regulation grant Europeans the right of access to data pertaining to them. Consumers can approach their service providers to obtain all personal data stored and processed there. Furthermore, they can demand erasure (or correction) of their data. We conducted an undercover field study to determine whether these rights can be exerted in practice. We assessed the behaviour of the vendors of 150 smartphone apps and 120 websites that are popular in Germany. Our deletion requests were fulfilled in 52 to 57% of the cases and less than half of the data provision requests were answered satisfactorily. Further, we observed instances of carelessness: About 20% of website owners would have disclosed our personal data to impostors. The results indicate that exerting privacy rights that have been introduced two decades ago is still a frustrating endeavour most of the time.

GI SICHERHEIT 2016: Sicherheit – Schutz und Zuverlässigkeit. Bonn, Apr 5–7, 2016.
February, 2016