September 19, 2019


The Problem in the Solution

Attempting to protect people’s information, the EU made it more vulnerable.

The European Union’s General Data Protection Regulation (GDPR) is widely regarded as the strongest set of data protection rules. After all, it was designed to modernize already tight laws protecting the personal information of individuals.

Yet even within that safety, concerning cracks appear. The rights granted to individuals may be exercised by bad actors.

Under the GDPR, responses to data subject requests must be made promptly. (CCPA rights requests lead to similar problems, explored in WBD Partner Peter McLaughlin’s article in the IAPP’s Daily Digest.) This process is meant to allow data subjects to exercise their rights, including the right not to be subjected to automated decision-making and profiling. The rights in question include the rights of access and rectification, data portability, the right to withdraw consent, the right to object, the right to be forgotten, and the right to restriction of processing.

Companies must snap into responsiveness, since they may be penalized either for making the request process too burdensome for data subjects or for collecting excessive amounts of personal data just to authenticate the requestor. The penalties for these offenses could be significant, with administrative fines of up to 20,000,000 euros.

Ph.D. student and cybersecurity researcher James Pavur, in conducting research, used the enumerated rights to extract sensitive information about his fiancée. As a starting point, Pavur gathered his fiancée’s full name, e-mail addresses, home address, and phone number through basic online searches. This is small potatoes. As WBD partner Ted Claypoole wrote in his book Protecting Your Internet Identity, “if you need more information to perform ID theft or stalk a family member, you’ll find that general searches can unearth employment information, family and genealogy data, social media postings made by family members themselves, and much, much more.”

Using these data points, Pavur sent requests to companies, pretending to be his fiancée exercising her enumerated GDPR rights. He was able to obtain his fiancée’s social security number, date of birth, mother’s maiden name, passwords, previous home addresses, travel logs, high school grades, partial credit card numbers, and her engagement with online dating.

Two thirds of the companies Pavur contacted responded with enough information to reveal the existence of an account in his fiancée’s name. A quarter of the responding companies provided sensitive data without verifying the identity of the requestor. Another 15 percent requested verification information from him that could easily have been forged.

However, Article 11 of the GDPR also provides that, if the purposes for which a controller processes personal data do not or no longer require the identification of a data subject by the controller, the controller is not obliged to maintain, acquire, or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR.

Entities that can demonstrate that they cannot sufficiently verify a requestor’s identity should inform the requestor of this issue and thereby maintain compliance with the GDPR. In sum, entities’ fear of enforcement actions can lead them to provide sensitive information to bad actors. But if entities fail to respond promptly, or request verification information deemed too invasive, they would be subject to enforcement actions as well. Damned if you do, damned if you don’t.

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

About this Author

Dominic Dhil Panakal Womble Atlanta
Associate

Dominic is a member of the firm’s IP Transactions, FinTech, and Privacy and Cybersecurity practices.

Dominic advises clients on international and domestic data privacy laws. He also assists in drafting Software as a Service agreements, privacy policies, terms of use, and licensing contracts.

404.879.2481