By Miles Kenyon @ Citizen Lab

Big data is big business. And companies are increasingly collecting, retaining, controlling, and using more of our data than ever before. But what do they do with this information, who do they share it with, and who retains control over it?

Telecommunication companies, social media platforms, web and mobile applications, and email providers collect and analyze their subscribers’ and users’ data in order to provide more personalized services, present targeted advertisements, make their products or services more engaging, or sell valuable data to third-party data brokers. The majority of the public may not realize the extent to which companies collect their personal data, let alone precisely how it is used, analyzed, processed, stored, secured, and shared.

To help shed light on this opaque environment, the Citizen Lab launched Access My Info (AMI) a project that can help you learn about how companies handle your personal data. AMI includes a web application that helps users send companies data access requests (DARs), and a research methodology designed to understand the responses companies make to these requests. A DAR is a letter you can send to any company with products/services that you use. The request asks that the company disclose all the information it has about you and whether or not it has shared your data with any third-parties. Collecting and analyzing DARs can help consumers and researchers learn about how private companies collect, retain, process, and disclose individuals’ personal data.

Strong privacy rights, data protection law, and data access rights are what make Access My Info projects effective. At the same time, shedding light on the current state of these laws and companies’ compliance or lack thereof—potentially to improve them and to raise public awareness—is one of the primary goals of Access My Info.

Using the AMI approach, partners have launched projects around the world, including in Australia, Canada, Hong Kong, Indonesia, Malaysia, and South Korea. These projects focused on making data access requests to telecommunications companies in each country, led by a local researcher and a team of volunteers. Every country has specific laws, regulations, and corporate mechanisms that present unique challenges and opportunities in accessing data, but the results of each provide insights into the larger ecosystem of data access.

South Korea: Lack of Compliance Leads to Legal Action

Kelly Kim, Open Net Korea

The results of a South Korean AMI project show a significant gap between law and practice. While South Korea has a strong data protection regime in text that guarantees data subjects’ right to access all personal data, the project found very superficial compliance to data access requests by telecommunications companies. While all companies had online data request procedures, the majority of companies only provided copies of their privacy policies in response to the data access requests. Korea Telecom (KT) provided some of the requested account information but did not give a complete response. In reply to this lack of compliance, Open Net Korea filed a lawsuit against KT.

“Although my telecom, KT returned the most information among three telecoms investigated, the response I received was not satisfactory because it missed out a lot of information that KT claimed to collect in its privacy policy,” explains Kelly Kim, (General Counsel for Open Net Korea). “I resorted to suing KT to get the rest of my data.”

During the legal proceedings, KT acquiesced to provide additional information but refused to provide incoming call records. In December 2018, the courts ruled that KT must hand over this info but the victory was only a partial one: the courts made the decision because KT included incoming calls in its privacy policy, not because they constitute personal information under data protection laws, as Kim argued. Kim says she intends to escalate the case all the way to the Supreme Court if necessary.

Since the AMI project, the KCC (Korea Communications Commission) has published revised guidelines on how companies, especially telecommunication service providers, should process and respond to DARs.

Kim says the tactics that have garnered success in Korea might not work elsewhere, suggesting an AMI project might be more challenging in countries with less robust data protection regimes. “In that case,” she says, “referring to the GDPR [the EU General Data Protection Regulation] as a standard would be helpful, as international companies are required to comply with the GDPR.”

Canada: Fees Create Barriers to Access

Christopher Parsons, Citizen Lab, University of Toronto

One consistent finding in the Canadian AMI project was that all telecommunications companies charged participants a fee for access to detailed SMS or call records. DARs issued by participants asked for access to technical data that was associated with the requester, such as IP address logs and geolocation information. Companies were unwilling to provide this data free of charge, and there was significant variation in how much money was required before technical data would be disclosed. In most cases, the proposed fees were in the hundreds of dollars.

“By charging large fees, even for small subsamples of data, Canadian residents cannot generally exercise their privacy rights, nor can they subsequently complain about overbroad or inappropriate data collection practices to either the Office of the Privacy Commissioner of Canada or to their elected representatives,” says Christopher Parsons (Citizen Lab) who led the AMI research in Canada.

The study did reveal some movement toward greater transparency. Previous research done in 2014 showed that telecommunications companies generally did not clearly tell participants if their data had been shared with third parties such as government agencies. In data collected in a 2016 study, however, the majority of companies provided clear responses to the question of third party data sharing. This change follows a 2016 Supreme Court decision that halted a history of telecommunication providers granting government agencies access to subscriber information for criminal investigations without first requiring a warrant or judicial order compelling the provision of such information.

Reflecting on the project, Parsons recommends that supporting a robust set of volunteers and building in extra time for data assessment are key to running successful AMI campaigns. He adds:

“I’d suggest researchers prepare for unexpected allies and outcomes. We have found that these projects can enable privacy advocates internal to organizations to promote and entrench, data access responses systems and more generally encourage an organization to determine what data it is collecting (and why). Further, in the Canadian case, we’ve seen how a project such as this can encourage companies to adopt broader transparency reports, which are helpful for shedding light on companies’ data disclosure practices.”

Hong Kong: Who Defines “Personal Data”?

Lokman Tsui (Chinese University of Hong Kong)

In Hong Kong, the AMI project revealed disagreement over the definition of personal data. Telecommunication companies and Internet providers in Hong Kong argue that IP addresses and geolocation records are not personal data and therefore are not required to give users access to this data. This belief presents problems with enforcing the rights laid out in the Personal Data Privacy Ordinance (PDPO), the first major personal data protection framework in the Asia-Pacific region.

Lead researcher Lokman Tsui explains that the study

“Speaks to larger issues concerning who gets to define what is personal data, especially in an age where more and more devices in our lives collect increasingly more sensitive (and I would argue personal) data of us. The research also highlights a potential conflict of interest: those who collect this data and have the incentive to sell this data (whether personalized or in aggregate) will therefore have the incentive to say this is not personal data because then the usual protections under the personal data protection law do not apply.”

Because of this disconnect, the only data volunteers received were call records and account information. Tsui argues that it would be helpful to have clear guidelines on what is and what is not considered personal data, including potentially sensitive data such as IP addresses associated with accounts and geolocation records.

The study also revealed that companies did not tell users whether their data had been shared with third parties such as law enforcement agencies. In order to create an environment of increased transparency, Tsui researchers suggest it would be helpful for telecommunication companies to provide a transparency report, including an overview of the data types they collect, and for how long they keep this data.

Australia: Uneven Compliance

Adam Molnar (University of Waterloo / Deakin University)

This study indicates that a number of Australian telecommunications entities struggle to adhere to their lawful requirements under privacy laws. Numerous requests by volunteers went unheeded and, for those that did respond, it seemed clear that internal procedures were lacking. Overall, DARs were unevenly responded to by service providers, leading to uneven outcomes that posed significant barriers to access.

“Failure to respond to requests underscores the important connection between legislative protections and the shoddy behaviour of telcos,” says lead researcher Adam Molnar (Deakin University). “If companies fail to adhere to their obligations under existing law, these protections are virtually meaningless.”

He suggests that it is the responsibility of privacy regulators to step into the fray when companies shirk their responsibilities. Unfortunately, regulators are often diminished in their powers to do much.

The study also revealed that companies demanded fees before processing some requests, which were either prohibitive for everyday consumers or were not clearly communicated.

Molnar says he has not observed any significant policy changes since the initial AMI project. And while he notes there will be new legislative reforms proposed to the Privacy Act later this year, he says that a useful path is for Australians to exercise their existing rights under the Privacy Act, even if the responses are not always ideal.

“In the absence of documented failures, enforcement and any subsequent change in behaviour amongst rights-infringing telcos should not be assumed.”

Malaysia: Lack of Legal Readiness

Sonny Zulhuda (International Islamic University Malaysia)

On the surface, Malaysian telecommunication companies are willing to comply with data requests by disclosing basic personal data of customers. However, digging a bit deeper reveals they are not willing to share more personal information, including the purposes of personal data processing and usage, call records, and SMS messages. Taken together, we find inconsistent practices and incomplete data.

Generally, all telcos included in the study are not yet ready to provide clear and concrete mechanisms on data access requests, suggesting that the legal requirements under Malaysia’s 2010 Personal Data Protection Act have not been fully implemented.

Sonny Zulhuda suggests that the responses to AMI requests reflect a great deal about how willing a country is to abide by legal requirements on issues of data protection.

“It is interesting to investigate how much compliance of data access request depends on the level of society’s awareness about the data protection law.

Despite the slow implementation of presiding privacy laws, Zulhada remains optimistic as new processes are crafted.

“I expect things to improve soon as the Malaysian telco industry has now started to draft a self-regulatory code to regulate various matters including data requests.”

Indonesia: Insufficient Regulation

Sinta Dewi Rosadi (Padjadjaran University)

Telecom companies in Indonesia are tight-lipped. None of the providers that were petitioned in the study provided user data in response to the Data Access Requests. However, the companies did respond to the majority of questions asked about their data practices, stating that they never disclose any consumer personal data information to third parties.

Lead researcher Sinta Dewi Rosadi (Padjadjaran University) says this is related to the lack of clear, concise, and cogent data protection laws in Indonesia. Indonesia only has the Ministry of Communications and Informatics Regulation on Personal Data Protection in Electronic System. She argues this regulation is insufficient, as it does not impose strong obligations on telecommunications operators to protect user data and only establishes administrative—as opposed to criminal—penalties.

“These conditions are additionally aggravated by low consumer awareness of their privacy rights,” says Rosadi.

But change may be coming. The Ministry of Communication and Informatics (MOCI) has drafted a New Data Protection Law and in 2019 submitted the draft bill to the Parliament as a prioritized law for Parliament’s deliberation.

“This presents some opportunities because the people of Indonesia are now more aware of their privacy rights, at least in urban areas, and companies are beginning to build public awareness by attending privacy awareness training.”

Running Your Own AMI project

Citizen Lab provides resources for researchers and advocates who are interested in running their own AMI project. The Access My Info Playbook walks through all the requirements for setting up an AMI project including detailed descriptions of research methods and communications strategies. The AMI web application is open source and can be customized for specific jurisdictions and companies.

For the full report, visit: https://citizenlab.ca/2019/10/measuring-data-access-rights-around-the-world/