Shattering One-Way Mirrors. Data Subject Access Rights in Practice

International Data Privacy Law (2018) 8(1), pp.4-28

43 Pages Posted: 31 Jan 2018 Last revised: 11 Dec 2018

See all articles by Jef Ausloos

Jef Ausloos

University of Amsterdam - Institute for Information Law (IViR)

Pierre Dewitte

KU Leuven - Centre for IT & IP Law (CiTiP)

Date Written: January 20, 2018


The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures. It can be seen as a necessary enabler for most other data subject rights as well as an important role in monitoring operations and (en)forcing compliance. Despite some high-profile revelations regarding unsavoury data processing practices over the past few years, access rights still appear to be underused and not properly accommodated. It is especially this last hypothesis we tried to investigate and substantiate through a legal empirical study. During the first half of 2017, around sixty information society service providers were contacted with data subject access requests. Eventually, the study confirmed the general suspicion that access rights are by and large not adequately accommodated. The systematic approach did allow for a more granular identification of key issues and broader problematic trends. Notably, it uncovered an often-flagrant lack of awareness; organisation; motivation; and harmonisation. Despite the poor results of the empirical study, we still believe there to be an important role for data subject empowerment tools in a hyper-complex, automated and ubiquitous data-processing ecosystem. Even if only used marginally, they provide a checks and balances infrastructure overseeing controllers' processing operations, both on an individual basis as well as collectively. The empirical findings also allow identifying concrete suggestions aimed at controllers, such as relatively easy fixes in privacy policies and access rights templates.

Keywords: compliance, data subject rights, empirical research, information asymmetries, information society services, right of access

Suggested Citation

Ausloos, Jef and Dewitte, Pierre, Shattering One-Way Mirrors. Data Subject Access Rights in Practice (January 20, 2018). International Data Privacy Law (2018) 8(1), pp.4-28. Available at SSRN:

Jef Ausloos (Contact Author)

University of Amsterdam - Institute for Information Law (IViR) ( email )

Roeterseilandcampus, Building A, 5th floor
Nieuwe Achtergracht 166
Amsterdam, Noord-Holland 1018 WV


Pierre Dewitte

KU Leuven - Centre for IT & IP Law (CiTiP) ( email )

Sint-Michielsstraat 6 box 3443
Leuven, 3000

Register to save articles to
your library


Paper statistics

Abstract Views
PlumX Metrics

Under construction: SSRN citations while be offline until July when we will launch a brand new and improved citations service, check here for more details.

For more information