Access My Info (AMI) is a project that can help answer these questions by assisting you in making data access requests to companies. AMI includes a web application that helps users send companies data access requests, and a research methodology designed to understand the responses companies make to these requests. Past AMI projects have shed light on how companies treat user data and contribute to digital privacy reforms around the world.
What are data access requests?
A data access request is a letter you can send to any company with products/services that you use. The request asks that the company disclose all the information it has about you and whether or not it has shared your data with any third-parties. If the place where you live has data protection laws that include the right to data access then companies may be legally obligated to respond.
AMI has made personal data requests in jurisdictions around the world and found common patterns.
Together with our partners in each jurisdiction, we have used Access My Info to set off a dialog between users, civil society, regulators, and companies.
Industry: Telecommunications, fitness trackers, online dating services
People who made data access requests encountered a range of barriers including: costs charged for access, identity verification procedures, and data transmission procedures. Based on these results recommendations were made for reducing barriers to access.
Many companies failed to respond to requests. Companies that did reply often provided inconsistent information and guidance to users.
Companies argued that IP addresses and geolocation records were not personal data and therefore that the companies were not required to give users access to this data. With these findings researchers opened a dialog with the Privacy Commissioner of Hong Kong about what constitutes personal data; this led to the Commissioner publicly asserting that IP address and geolocation information constituted personal data.
South Korea has one of the most robust data protection regime in the world. However, researchers discovered very superficial compliance to data requests from companies. As a result a lawsuit was filed against a major Korean telecommunications company for failing to adequately respond to requests. As a result, Open Net Korea filed a lawsuit against Korea Telecom. On December 5, 2018, the trial court ruled in favor of Open Net Korea stating that the company must provide incoming call records to customers. Other data such as IP address logs were given during the course of the lawsuit.
Indonesia currently lacks specific regulations on data protection. Few companies responded to personal data requests and those which did provided very limited information. These results demonstrate the importance of introducing data protection legislation with robust data access rights for individuals.
Data protection legislation has been in place in Malaysia since 2013, but researchers found that telecommunication companies in Malaysia are not yet ready to fully respond to data access requests. The results provide an important educational opportunity for policymakers and industry to better understand the requirements of Malaysia’s Personal Data Protection Act.
Here's how a typical AMI project plays out: