by culturestate 2156 days ago
> how does that resolve the issue of them operating illegally?

Which part of the process described is illegal? The GDPR explicitly requires[1] controllers to verify subjects' identities in an access request:

The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.

1. https://gdpr.eu/recital-64-identity-verification/


That is true, but the word "reasonable" is significant. Taking reasonable steps to confirm a data subject's claimed identity is fair and necessary. Giving them the runaround and hiding behind that verification obligation as an excuse is not.
I mean, sure, but OP indicated that he didn't want to provide the info they requested for verification. I don't see how their action here could be considered unreasonable.

"I promise you that I am the only person on earth with this name" doesn't really seem like a sufficiently secure attestation.

OP here. My name is unique globally (there are no other people with this name), easily searchable, linked to my personal domain, and my personal email address on that domain.

But even if we can't go by that, I gave them plenty of options that won't involve me disclosing my entire address history. How on earth am I supposed to give all my address history to a company I never heard of, and who shared my data without my consent...

They didn't come up with any concrete suggestions that won't involve disclosing much more information about myself than I think it's reasonable to require in order to release my own personal info.

I think I was very reasonable, and they weren't. Legally I'm not sure what the situation is. IANAL.

I'll be honest - based entirely on your description of events, with no other context, I wouldn't have approved this request either. Here's my reasoning:

> They then asked me to provide my address to confirm my identity...I wasn't keen on it.

This means one of the primary avenues of verification (possibly the only avenue for some shops) is unavailable. In the scope of GDPR, it's important to remember that they aren't allowed to retain any information you provide for this purpose for any reason other than keeping a record of the request.

> I mentioned that my full name is globally unique, but they refused.

I would have absolutely no way to validate this, because I don't have a comprehensive listing of all 7 billion-odd people in the world. Even if I did, and it was, it's still only a single factor - I doubt you'd want me to release your data to anyone else based only on them knowing your name and that it's unique.

> My name is...easily searchable, linked to my personal domain, and my personal email address on that domain

This can't be relied on, obviously, because there's no identity verification on (most) domain registrations. For all I know, the email address that I have attached to your profile isn't even yours (because we have no preexisting relationship, this has never been proven.)

> I tried to ask them to share some masked data that I can confirm in full...They refused.

I don't think this is actually allowed under GDPR, but assume it is. Let's say you do this twice with two different data controllers - they each provide you with a masked address, but they've masked different parts (because there's no standard).

If you were a malicious actor, you'd now have the subject's complete address and could use that to gain access to the rest of their data. It opens up a significant attack vector.

> How on earth am I supposed to give all my address history to a company I never heard of, and who shared my data without my consent...

Assuming this was someone unknown and not Acxiom, this is a valid point and unfortunately I don't think there's a great answer. In this case, it is Acxiom and you could've quite easily discovered that they're a major corporation and not a random data harvesting shop.

> I think I was very reasonable, and they weren't.

At the end of the day, you're going to have to give them something to prove who you are. If you won't even provide your old addresses, then absent a government-issued ID (which I assume you also would be reticent to provide on the same grounds) I don't know how else I would even attempt to conduct verification.

I think you miss the elephant in the room, which is my email address. That's not something that's easy to fake, and I'm pretty darn sure they have it in their database.

If they have other details about me, like my phone number or address, they can offer to give me a call, or send a letter to confirm my identity (btw, another company I filed a request with did just that). This won't expose any further details. The fact is, they didn't suggest any reasonable alternative.

> Assuming this was someone unknown and not Acxiom, this is a valid point and unfortunately I don't think there's a great answer. In this case, it is Acxiom and you could've quite easily discovered that they're a major corporation and not a random data harvesting shop.

The fact that they're big is irrelevant. They already shared my data without my explicit consent. They're a company I never ever signed up for or interacted with in any way, yet they hold data on me. They share it and make profit out of it. I'm definitely not keen on sharing any additional info with a company that aggregates my data as their core business.

I hope you see the huge imbalance here. To get my data I need to jump through hoops and expose even more data about myself (to a data broker which makes money off of it). To sell, aggregate, share and abuse my data without my consent and very likely in violation of GDPR requires no validation that indeed the data belongs to me, nor even an attempt to contact me and ask for consent.

I'm leaving aside the consent piece, because frankly it's unlikely that they ingested this data without receiving it from a third party to whom you did give explicit consent. This is one of the problems inherent in GDPR as written, and needs to be addressed in the next revision.

> I think you miss the elephant in the room, which is my email address. That's not something that easy to fake, and I'm pretty darn sure they have it in their database.

As I wrote earlier, the issue here is that because they have no direct relationship with people in their data lake, there's no way for them to know with certainty that the email address associated with a person belongs to that person without some form of additional validation.

You can prove that you have access to that email, but you still need to prove that you're you.

> If they have other details about me, like my phone number or address, they can offer to give me a call, or send a letter to confirm my identity

This brings up the same problems as before: what if the number has been recycled? What if the letter is intercepted by someone living at an old address? Then they've given up the store again. Just because someone else is doing it doesn't mean it's a good idea.

> I hope you see the huge imbalance here.

I do, but you also need to look at it from the other side of the screen. As much as you have a legal interest in accessing your own data, they have a legal interest in ensuring that you are actually the one accessing it.

What you've run into here is one of the other...accidental features of GDPR: it incentivizes companies like Acxiom to be as strict as possible when verifying identities for access requests. They'd much rather be forced to defend the stringency of their access policies than to be strung up by the EC for enabling large-scale identity fraud because they weren't vigilant enough.

This. I would go out on a limb and offer that Acxiom has likely invested more in compliance in this regard than most other companies on the planet.

People may not agree with their stance, but it has yet to be successfully challenged in court to my knowledge.