I'll summarize our study on app vendors' responses to Subject Access Requests ("What data do you have on record about me?"), which was presented at #ares2020 – and received the Best Paper Award 🥳. @ARES_Conference #sar #apps #privacy #gdpr #dataprotection 1/18
Link to paper (open access): dl.acm.org/doi/abs/10.114…. This was a 4-year longitudinal study (2015–2019) and joint work of Jacob Kroeger (@JWI_Berlin), Jens Lindemann (@unihh) and myself (@uni_bamberg_of). 👀 Watch our 15-min talk on vimeo (vimeo.com/444158701). 2/18
Background: EU citizens can ask companies about what personal data they process according to Art. 15 GDPR. We performed an undercover study with 225 vendors of popular iOS and Android apps to figure out how vendors process such SARs. 3/18
At the start of the study, we installed the apps and set up an account with personal data, pretending to be an ordinary German citizen. Then, we interacted with each app for a while. Over the next 4 years, we sent each vendor 3 SARs. 4/18
We contacted vendors via email or a contact form. The 1st SAR was written very informally; the 2nd and 3rd used formal language (at that point there were widely shared template texts for effective SARs available). 5/18
Here is the results summary. Only 70–81% of vendors *did* respond; some did not reply or were not reachable, i.e., our emails bounced. Most responses, however, did not contain the personal data we had requested. 6/18
For the insufficient responses, we observed technical, organizational, and communication problems. One particularly worrying mistake was that a support agent responded to our request with the personal data of *another* customer! 7/18
Some vendors (7–13%) tried to fool us and lied to us, citing various reasons why they – unfortunately – couldn't fulfill our request. 8/18
We assumed that some of those who did not respond were just playing dead. Thus, we sent them another mail (posing as a different citizen), asking them for permission to mention their app on a YouTube video – and got many quick responses! 9/18
Quite worrisome, most vendors who answered our SARs did not bother with authentication (also look at the really cool work @dimartinomar at ). 10/18
There is one more issue we documented, which we call dissolution of personal data. Let me briefly explain what we mean by that. 11/18
A non-negligible number of accounts vanished during our study – without any prior notification. 9% of apps ceased to exist, 18% of accounts vanished. 12/18
Some vendors seem to delete stale accounts – which is arguably a good practice (stale accounts can be seen as a privacy risk). 13/18
Some vendors, however, seem to have deleted our accounts in response to our SARs – without asking us in advance, of course. Apparently, they felt that this was the easiest solution for the problem. 14/18
Interestingly, we observed that the rate of acceptable answers *declined* between 2018 (before GDPR) and 2019 (after GDPR). One reason may be the lack of GDPR enforcement by data protection authorities (DPAs), who are overwhelmed at the moment. 15/18
Implications: Given the frustrating experiences, we mandate standardized APIs and processes for SARs to enable small and medium businesses to handle SARs more professionally. 16/18
Random (automated?) compliance checks by DPAs would also be desirable, but they would need additional resources first. 17/18
A final remark: This line of research has a lot of interesting ethical implications. For instance, we did *not* debrief the vendors to protect the employees from negative repercussions. More ethical considerations are explained in the paper. 18/18
Thread by Dominik Herrmann