by culturestate 2156 days ago
I'm leaving aside the consent piece, because frankly it's unlikely that they ingested this data without receiving it from a third party to whom you did give explicit consent. This is one of the problems inherent in GDPR as written, and needs to be addressed in the next revision.

> I think you miss the elephant in the room, which is my email address. That's not something that's easy to fake, and I'm pretty darn sure they have it in their database.

As I wrote earlier, the issue here is that because they have no direct relationship with people in their data lake, there's no way for them to know with certainty that the email address associated with a person belongs to that person without some form of additional validation.

You can prove that you have access to that email, but you still need to prove that you're you.

> If they have other details about me, like my phone number or address, they can offer to give me a call, or send a letter to confirm my identity

This brings up the same problems as before: what if the number has been recycled? What if the letter is intercepted by someone living at an old address? Then they've given up the store again. Just because someone else is doing it doesn't mean it's a good idea.

> I hope you see the huge imbalance here.

I do, but you also need to look at it from the other side of the screen. As much as you have a legal interest in accessing your own data, they have a legal interest in ensuring that you are actually the one accessing it.

What you've run into here is one of the other...accidental features of GDPR: it incentivizes companies like Acxiom to be as strict as possible when verifying identities for access requests. They'd much rather be forced to defend the stringency of their access policies than to be strung up by the EC for enabling large-scale identity fraud because they weren't vigilant enough.


> I'm leaving aside the consent piece, because frankly it's unlikely that they ingested this data without receiving it from a third party to whom you did give explicit consent.

Well, I definitely didn't. Even if I did give consent for processing my data, sharing with Facebook isn't something I would ever in a million years agree to. An explicit consent should have been specific about it. Evidently Acxiom shared my details with Facebook. But let's leave it aside for now.

> You can prove that you have access to that email, but you still need to prove that you're you.

That's where the huge imbalance lies, isn't it? They link my email, along with other details, and they also share my email with Facebook. Yet when I contact them from the same email address, suddenly it's not enough.

But let's say one piece of info isn't enough; they have other pieces? Let's match them. Send me a letter, give me a phone call, give me the postal code and ask me to complete the address (or other parts of the address), provide a reasonable way for me to prove my identity. Without effectively asking for my entire address history, or compromising even more data about myself.

> it incentivizes companies like Acxiom to be as strict as possible when verifying identities for access requests. They'd much rather be forced to defend the stringency of their access policies than to be strung up by the EC for enabling large-scale identity fraud because they weren't vigilant enough.

We completely agree on this one. They're as strict as possible when subjects try to exercise their rights, but loose as a cannon when it comes to sharing data, making sure they get real and explicit consent etc.

> I'm leaving aside the consent piece, because frankly it's unlikely that they ingested this data without receiving it from a third party to whom you did give explicit consent.

That seems a rather optimistic assumption, given the historical way data brokers and those who use them have operated. Plenty of businesses, including some household names, have been caught with their hands in the cookie jar on this one before. No doubt plenty are still doing it and hoping not to get caught or that any penalties will be small enough to be worth it.

> As I wrote earlier, the issue here is that because they have no direct relationship with people in their data lake, there's no way for them to know with certainty that the email address associated with a person belongs to that person without some form of additional validation.

There are few ways to know anything with true certainty unless someone in your organisation personally knows someone you're dealing with. It is more about being reasonable.

If an organisation maintaining large amounts of personal data about people without their consent can't find a reasonable way to verify identity and allow the data subjects to exercise their rights, the GDPR-esque solution to the problem is to shut that processing down entirely until the organisation can get its house in order, or permanently if it can't find a way to do that. If that kills the data broker's business model, maybe they shouldn't have been using that business model in the first place, or should have discontinued it when the GDPR came into effect.

Allowing the organisation to deny data subjects their legal rights by hiding behind the verification obligation is at best against the spirit of the law but probably against its letter as well, and certainly justifies a regulatory investigation if it's being done systematically by a big organisation that should know better.

> That seems a rather optimistic assumption

I'm just basing this on my experience working on products in this space and specifically dealing with compliance and "retroactive" consent in the run-up to GDPR implementation. I could definitely be wrong.

> If an organisation maintaining large amounts of personal data about people without their consent can't find a reasonable way to verify identity and allow the data subjects to exercise their rights...

I'm genuinely curious: if you were them, what would you do to resolve this without asking the subject to provide any additional data for verification?

> I'm genuinely curious: if you were them, what would you do to resolve this without asking the subject to provide any additional data for verification?

There obviously needs to be something confirmed to verify the identity, but by definition personal data is data about an identifiable subject, so there must be something that can be checked.

If a big data hoarder has personal contact details, attempting to reach someone using those in response to a subject request isn't unreasonable. The hoarder will also have obligations under the GDPR regarding keeping data correct and up-to-date, so they should be in a position to do this in most cases or they're probably in violation already.

Some contact details might be checkable against an external reference to confirm they really are still up-to-date before relying on them, in which case a single attempt using that method might be sufficient.

Otherwise, if you can reach someone via two different and reasonably secure methods associated with their profile then it's probably reasonable to assume they are who they say they are.

If the hoarder doesn't have contact details they can use, then apparently there is some other identifying characteristic of the data subjects that makes it personal data, and in that case presumably you'd have to look at that and see how it could be used for verification.