SoK: The Gap Between Data Rights Ideals and Reality

Yujin Potter, Ella Corren, Gonzalo Munilla Garrido, Chris Hoofnagle, Dawn Song

TL;DR

This paper investigates the gap between data rights ideals and reality by meta-analyzing 201 interdisciplinary sources focused on GDPR data rights. It introduces a three-actor data rights assessment framework (users, companies, regulators) and identifies 15 key questions that reveal substantial variation and systemic limitations in awareness, implementation, usability, and enforcement. The authors propose concrete recommendations for regulators and CS communities, highlight the potential of privacy-enhancing technologies, and discuss alternative governance models such as data fiduciaries and collective privacy. The work underscores that, despite the GDPR's empowering intent, real-world effectiveness hinges on standardization, education, enforceable mechanisms, and innovative technical solutions to enable meaningful data rights in practice.

Abstract

As information economies burgeon, they unlock innovation and economic wealth while posing novel threats to civil liberties and altering power dynamics between individuals, companies, and governments. Legislatures have reacted with privacy laws designed to empower individuals over their data. These laws typically create rights for "data subjects" (individuals) to make requests of data collectors (companies and governments). The European Union General Data Protection Regulation (GDPR) exemplifies this, granting extensive data rights to data subjects, a model embraced globally. However, the question remains: do these rights-based privacy laws effectively empower individuals over their data? This paper scrutinizes these approaches by reviewing 201 interdisciplinary empirical studies, news articles, and blog posts. We pinpoint 15 key questions concerning the efficacy of rights allocations. The literature often presents conflicting results regarding the effectiveness of rights-based frameworks, but it generally emphasizes their limitations. We offer recommendations to policymakers and Computer Science (CS) groups committed to these frameworks, and suggest alternative privacy regulation approaches.

Paper Structure (16 sections, 1 figure, 2 tables)

This paper contains 16 sections, 1 figure, 2 tables.

Figures (1)

  • Figure 1: A connection between our data rights analysis and recommendations/tensions presented in Section \ref{sec:future}. Rec1, 2, 3, 4, and 5 indicate education, standardization, assessing implementation costs, strict enforcement, and automated tools for assisting in data rights implementation/enforcement, respectively. T1 and T2 indicate the two tensions: data rights vs. user burdens, and conflicting interests among users, companies, and regulators.