GDPR Transparency as a Research Method

Abstract

Data-driven research is rapidly becoming mainstream across different disciplines in academia and in investigative journalism. One of the key challenges researchers often struggle with is how to obtain good data. Whether one investigates political micro-targeting, discriminatory insurance practices, or physical exercise patterns across demographics, all require high-quality data. Obtaining the necessary data often depends on the goodwill of the entity in control of that data, frequently a private entity carefully guarding its data-assets. Researchers have tried to find ways round this through a range of technical tools (e.g. browser plugins, data scraping), with varying degrees of success. This paper purports to add an important legal tool to the catalogue of data-driven research methods: i.e. GDPR transparency measures, and data subject rights in particular. The reinforced data subject rights in the General Data Protection Regulation (GDPR) have been lauded (and denounced) for their apparent potency. Especially the rights of access, portability and ‘explanation’ are said to ensure important values such as autonomy, accountability and fairness. To make true on this promise, these rights can (should?) be used as a methodological tool for investigative research. Not just to scrutinize the data practices of those holding the data (e.g. uncovering discrimination), but also to enable broader research objectives (e.g. informing health policies). Indeed, these rights offer a legal hook to effectively crowdsource data-driven research. Against this backdrop, the paper will describe the merits, challenges, limitations and best practices of using data subject rights as a research method. It will do so by building on past experiences of some first initiatives in the EU and assessing how the growing number of ‘download my data’ tools are useful/less. After an introductory section setting out some of the issues currently faced in data-driven research, the paper will explain how they might (not) be tackled by some of the key features of using GDPR transparency measures as a research method. The following section (4) is perhaps the core of the paper, describing the legal and practical operationalisation of these novel research methods, as well as the requirements for making them meaningful. The final section then takes a step back, positioning GDPR transparency measures within their broader (research methods and economic-technical) surroundings.