Access rights report on social networks: the CNIL’s Digital Innovation Laboratory (LINC) provides an update

Discover the report on access rights on social networks presented by the CNIL's Digital Innovation Laboratory (LINC): an analysis of the issues, recent developments, and recommendations for the responsible use of personal data.

The CNIL’s Digital Innovation Lab (LINC) recently conducted an in-depth study of access pathways to copies of personal data across ten popular social networks. This report, which aims to assess the practices of platforms regarding users’ access rights, reveals the existence of good practices while identifying areas needing improvement. By examining specific criteria, the study seeks to raise awareness among stakeholders about the importance of increased transparency and ease in handling data access requests.

The framework of the study conducted by the LINC

In 2024, the LINC undertook a systematic analysis of the heuristics underlying access to personal data on networks such as Discord, Facebook, and Instagram, among others. The study was carried out in two phases: the first involved executing two access requests for each network, followed by an evaluation using an analysis grid consisting of 30 specific questions. This grid provided an overview of the practices implemented and highlighted recommendations.

The issues of the right of access under the GDPR

The right of access is a fundamental principle of the General Data Protection Regulation (GDPR). It grants individuals the power to know whether their personal data is being processed and to obtain it in a clear format. This right also includes the ability to verify the accuracy of the data and to request its rectification or deletion if necessary. In this respect, the study by the LINC emphasizes the need for platforms to provide transparent communication regarding data processing.

The social networks studied

As part of this study, the LINC scrutinized the practices of ten widely used social networks in Europe and France, such as YouTube, TikTok, and Snapchat. Each of these platforms was evaluated on its ability to allow users to request copies of their personal data, with a particular focus on the user experience during each step of the process.

Results and key observations from the analysis

Overall, the results show that between 44% and 76.5% of the good practices identified by the analysis grid are already implemented across the examined social networks. It was noted that on average, a user must perform about four clicks to access the request form from a network’s homepage, indicating a relative ease of access, although there are still areas for improvement.

Access pathways to data: a dimension to improve

The three fundamental steps evaluated include: preliminary information, the exercise of the access request, and the receipt and consultation of data. These steps demonstrated that most networks have indeed implemented automated access pathways, but there are still points for improvement, particularly concerning the adaptation of information for underage users.

A rigorous methodology for the analysis

The methodology adopted for this study incorporates specific questions that allow for an objective evaluation of the processes in place. In total, 27 criteria were observed to analyze the user journey up to the receipt of the data, without the LINC providing judgment on the quality or completeness of the data itself. This approach underscores the LINC’s commitment to improving user experience through practical guides and recommendations.

Perspectives and recommendations for social networks

The findings of this study invite reflection on the practices of social networks, which should not only comply with the GDPR but also strive to enhance user experience in terms of data access. Other actions by the CNIL, such as practical sheets, are also highlighted to assist organizations in better understanding their obligations regarding access rights.

In conclusion, the LINC emphasizes that ongoing attention is required to adapt practices to users’ realities, in order to preserve the rights related to their personal data in an ever-changing digital environment. The conclusions of this study may also serve as a basis for further reflections on improving data access beyond social networks.
