The General Data Protection Regulation (GDPR) now being enacted throughout the European Union gives consumers new rights and powers regarding access to and use of their personal data by businesses. While those powers are intended for individuals, they create a unique opportunity for collective action.
A new form of boycott can paralyze noncompliant businesses
Article 15 of the GDPR gives EU citizens the right to demand access to their personal data and a description of how it is being used. Upon request, the data protection officer of the company must provide an overview of the types of data being used, as well as a copy of the actual data, the purposes to which it is being put, who has access to it, and how it was acquired. This must be done within one month of receiving the request. Furthermore, Article 17 provides a right of erasure, meaning citizens can request erasure of all their personal data for a variety of reasons and can ask to never be contacted by that company again, barring a legitimate reason, such as execution of a contract.
On the individual level, these rights and requirements are harmless and work as the GDPR is intended: to provide greater control of privacy and security for EU citizens and their data. However, the legislation does not appear to consider what would happen if a large group of citizens were to coordinate their actions and make their requests at the same time. Data subject access requests cannot be ignored and are not supposed to be unduly delayed once received. The processing of these requests – a nontrivial task – can overwhelm a company's ability to comply, slowing its operations to a crawl in order to process them or subjecting it to significant fines if it fails to comply. In short, if enough people decide to act, they can effectively cripple a company, or at least some of its departments, by performing what is in effect a distributed denial-of-service attack.
Realistically speaking, it is unlikely that such a "consumer strike" will be at all common, as the effort required would probably be reserved for egregiously bad corporate behavior. There are enough cases where normal protests and boycotts have grown beyond a business's ability to tolerate, though, that such a scenario cannot be overlooked. Another consideration is that there does not appear to be any proof required on the part of the citizens that a company is using or accessing their data before they make a disclosure request, so mass actions can quickly grow to immense scope, whether they are based on legitimate complaints or not.
Marshall Lager, Senior Analyst, Customer Engagement