Access My Info (AMI) is a project that can help answer these questions by assisting you in making legally binding data access requests to companies. AMI includes a web application that helps users send companies data access requests, and a research methodology designed to understand the responses companies make to these requests. Past AMI projects have shed light on how companies treat user data and contribute to digital privacy reforms around the world.
What are data access requests?
AMI has made personal data requests in jurisdictions around the world and found common patterns.
Together with our partners in each jurisdiction, we have used Access My Info to set off a dialog between users, civil society, regulators, and companies.
Industry: Telecommunications, fitness trackers, online dating services
The Citizen Lab has identified a range of barriers which people encounter when trying to access complete copies of their data. Barriers have included costs charged for access, identity verification procedures, and data transmission procedures. Based on these results the Citizen Lab has made a range of recommendations for reducing barriers to access.
Many companies failed to respond to requests. Companies that did reply often provided inconsistent information and guidance to users.
Companies argued that IP addresses and geolocation records were not personal data and therefore that the companies were not required to give users access to this data. With these findings we opened a dialog with the Privacy Commissioner of Hong Kong about what constitutes personal data; this led to the Commissioner publicly asserting that IP address and geolocation information constituted personal data.
South Korea has one of the most robust data protection regime in the world. However, we found very superficial compliance to data requests from companies. As a result a lawsuit was filed against a major Korean telecommunications company for failing to adequately respond to requests.
Indonesia currently lacks specific regulations on data protection. Few companies responded to personal data requests and those which did provided very limited information. These results demonstrate the importance of introducing data protection legislation with robust data access rights for individuals.
Data protection legislation has been in place in Malaysia since 2013, but our research shows that telecommunication companies in Malaysia are not yet ready to fully respond to data access requests. The results provide an important educational opportunity for policymakers and industry to better understand the requirements of Malaysia’s Personal Data Protection Act.