Attempting to protect people’s information, the EU made it more vulnerable.
The European Union’s General Data Protection Regulation (GDPR) is thought to provide the strongest set of data protection rules. After all, it was designed to modernize already tight laws protecting the personal information of individuals.
In such safety, concerning cracks appear. The rights granted to individuals may be exercised by bad actors.
Responses to data subject requests, under the GDPR, must be made promptly. (CCPA rights requests lead to similar problems: explored in this article in the IAPP’s Daily Digest.) This process is meant to allow data subjects to exercise their rights without being subjected to automated decision-making and profiling. This includes the rights of access and rectification, data portability, right to withdraw consent, right to object, right to be forgotten, and right to restriction of processing.
Companies must snap into responsiveness considering they may be penalized for either making the request process too burdensome for the data subjects or for collecting excessive amounts of personal data just for the authentication itself. The penalties for these offenses could be significant with administrative fines up to 20,000,000 euros.
Ph.D. student and cybersecurity researcher James Pavur, in conducting research, used the enumerated rights to extract sensitive information about his fiancé. As a starting point, Pavur found his fiance’s full name, e-mail addresses, home address, and phone number that he was able to find through basic online searches. This is small potatoes. As Womble Bond Dickinson partner Ted Claypoole wrote in his book Protecting Your Internet Identity, ”If you need more information to perform ID theft or stalk a family member, you’ll find that general searches can unearth employment information, family and genealogy data, social media postings made by family members themselves, and much, much more.”
Using these data points, Pavur sent requests to companies, pretending to be his fiancé in exercising her enumerated GDPR rights. He was able to obtain his fiance’s social security number, date of birth, mother’s maiden name, passwords, previous home addresses, travel logs, high school grades, partial credit card numbers, and her engagement with online dating.
Two thirds of companies Pavur contacted responded with sufficient information to reveal the existence of an account in Pavur’s fiance’s name. A quarter of the responsive companies provided sensitive data without verifying the identity of the requestor. Another 15 percent requested information from him that could have easily been forged.
However, the GDPR in Article 11, also says that, if the purposes for which a controller processes personal data do not or no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR.
Entities that are able to demonstrate that they cannot sufficiently verify the data subject requestor’s identity should inform the requestor of this issue and maintain compliance with the GDPR. In sum, the fear of enforcement actions by entities can lead them to providing sensitive information to bad actors. But if the entities are not promptly responding or requesting verification information deemed to be too invasive, they would be subject to enforcement actions as well. Damned if you do, damned if you don’t.