The most commonly exercised right under the GDPR is the right of access to one’s personal data that is being processed by companies. After all, it’s often the prerequisite to know if there is inaccurate or unlawful personal data that needs to be corrected or deleted. However, a new analysis of noyb cases shows: Only 16.5% of all access requests noyb has sent to companies in the past 8 years received a satisfactory reply, while 53.7% of replies were incomplete – and almost 30% were not answered at all. In other words: while companies are lobbying Brussels to limit people’s right of access because of an alleged “abuse”, the real problem is non-compliance by these exact companies.
No “abuse” by data subjects, but by companies. Following intense lobby pressure (especially by the German industry), the European Commission’s Digital Omnibus proposal argues that there’s a need to restrict data subject rights under the GDPR. Most notably, the proposed changes include a limitation of the right of access (in Articles 12(5) and 15 GDPR) to “data protection purposes”, which is justified with an allegedly wide-spread “abuse” of this right. This means, for example, that if an employee uses an access request in a labour dispute over unpaid hours – for example, to obtain a record of the hours they have worked – the employer could reject it as "abusive". In practice, this would massively limit the rights that Europeans have against companies.
Max Schrems: “The European Commission has fallen for a heavily abused lobbying narrative that the right to access is constantly being ‘abused’, when in reality it is largely companies that violate these laws.”
Real-life data: 83.5% of access requests not properly answered. In practice, however, the primary problem concerning the right of access is not “abusive” complaints, but the huge amount of requests that don’t receive a proper answer. This also explains why a significant number of complaints before authorities concern the lack of a full reply to access requests. To gain more insight into how companies deal with the right of access, noyb analysed 121 access requests that have been filed in relation to noyb cases since 2018*. The results are clear: only 16.5% of those requests received a satisfying reply, while 53.7% were incomplete – and almost 30% were not answered at all. Overall, 83.5% of requests were not responses in line with the law.
Big Tech takes your data, but doesn’t want to give you access. Noticeably, a lot of the analysed access requests were filed with big tech companies, which usually have automated tools to deal with requests. Nonetheless, most of them either received an incomplete reply or none at all. We observe this issue across all noyb cases – and the results would likely be worse for data subjects without legal representation or the resources to send multiple follow-up requests. Our cases against TikTok, AliExpress and WeChat provide a perfect example for this: Despite multiple follow-up requests to an incomplete response to an access request, the companies still failed to fulfil the initial request. This made it impossible for the complainants to check whether their data has been processed in line with the GDPR. Another good example is our case against the advertising broker Xandr (a Microsoft subsidiary), which reported an astonishing 0% response rate to access and erasure requests in 2022.
Access Requests not a relevant workload. At the same time, a recently published noyb survey made clear that the majority (over 70%) of Data Protection Officers (DPOs) working in companies think that data subject rights – and the Right of Access in particular – don’t create a significant workload, while being a useful tool for protecting people’s rights.
Nothing is final. Fortunately, the Commission’s proposals to change the GDPR are just that: proposals. The Digital Omnibus is currently still being discussed in the European Parliament and in the Council and has already received significant resistance. noyb continuously works to preserve and strengthen data subject rights. After all, this analysis clearly shows that the authorities’ enforcement of (and compliance with) the Right of Access is already lacking. A further restriction would hurt millions of people in Europe.
*Note on the methodology: we analysed all access requests that have been filed in relation to noyb cases since 2018. Then, we made sure to only include a maximum of two complaints per company to not distort the picture. This left us with 121 access requests.
