GDPR: When the Right to Access Personal Data Becomes a Threat

One year following the entry into force of the GDPR, all websites and data controllers have updated their procedures to store users' data. The GDPR does not only cover how and what data should be saved by the service providers, but it also guarantees an easy way to know what data are collected and the freedom to export them. In this paper, we carry out a comprehensive study on the right to access data provided by Article 15 of the GDPR. We examined more than 300 data controllers, requesting access to personal data to each of them. We found that almost each data controller has a slightly different procedure to fulfill the request and several ways to provide data back to the user, from a structured file like CSV to a screenshot of the monitor. We measure the time needed to complete the access data request and the completeness of the information provided. After this phase of data gathering, we analyze the authentication process followed by the data controllers to establish the identity of the requester. We find that 50.4% of the data controllers that handled the request have flaws in their procedures of identifying users or in their phase of sending the data, exposing users to new threats, even if these data controllers store data in compliance with the GDPR. Our surprising and undesired results show that, in its present deployment, the GDRP has actually decreased the privacy of users of web services.