A person exercises their GDPR right to access and receives a 300-page PDF containing raw data exports they cannot understand, database field names without context, and no explanation of how information has been used. Another person requests deletion and receives confirmation their data has been removed, then discovers the company retained information under exemptions for legal compliance, fraud prevention, and legitimate business interests that were never explained. Someone attempts to download their data from a platform they have used for a decade and receives a file missing years of activity, with no way to verify completeness. A fourth person successfully obtains their data, understands exactly what was collected, requests corrections to inaccuracies, and watches the company comply promptly and fully. Data access and control rights promise to shift power from organizations to individuals, enabling people to understand what information exists about them and exercise meaningful control. Whether these rights actually empower people or create procedural exercises that change nothing about how organizations treat personal data remains profoundly contested.
The Case for Robust Access and Control Rights
Advocates argue that individual data rights are essential for shifting the power imbalance between people and organizations that collect information about them. From this view, rights to access, portability, correction, and deletion transform people from passive data subjects into active participants who can understand what is known about them, verify accuracy, move their data between services, and demand removal when relationships end. Access rights enable discovery. People cannot protect information they do not know exists. Seeing what organizations have collected reveals surveillance that would otherwise remain invisible. Access also enables correction. Inaccurate data affecting credit decisions, employment screening, or insurance pricing can be challenged only if people can see it. Portability prevents lock-in. When people can export their data and import it elsewhere, they can leave platforms without losing years of content, connections, and history. This enables competition because switching costs decrease when data travels with users. Deletion rights establish that organizations are custodians, not owners, of personal information. When relationships end, when consent is withdrawn, or when data is no longer needed, people should be able to demand removal rather than having information retained indefinitely for purposes they never authorized. From this perspective, current rights need strengthening: access responses should be understandable to ordinary people, not raw database exports; portability should include standardized formats enabling actual transfer between competitors; deletion should mean actual removal, not archiving under vague exemptions; verification mechanisms should confirm organizations actually comply; and penalties for non-compliance should be severe enough to change behavior rather than representing a cost of doing business.
The Case for Practical Limitations and Organizational Needs
Others argue that individual data rights, while valuable in principle, create unworkable burdens when implemented broadly and ignore legitimate organizational interests in retaining information. From this perspective, responding to access requests at scale requires enormous resources. Organizations must locate data across multiple systems, compile it into usable formats, verify requester identity to prevent disclosure to imposters, and provide responses within tight timelines. Large companies receive millions of requests annually. Compliance costs are passed to all users through higher prices or reduced services. Moreover, complete deletion is often technically impossible or legally prohibited. Backup systems, audit logs, and redundant storage mean data exists in multiple places. Legal requirements for record retention in financial services, healthcare, and other sectors prevent deletion regardless of individual requests. Fraud prevention requires keeping records of bad actors. Legitimate business interests in defending against lawsuits require evidence preservation. From this view, rights must be balanced against practical realities: reasonable timeframes rather than immediate response; machine-readable formats rather than customized presentations; fees for excessive or repetitive requests; clear exemptions for legal compliance, security, and legitimate interests; and recognition that some data cannot be deleted without compromising essential functions. Additionally, portability creates competitive concerns. Requiring companies to enable data export to competitors may reduce investment in building valuable services if others can free-ride on those investments. Whether portability promotes competition or discourages innovation depends on context and implementation.
The Verification and Identity Challenge
Responding to data access or deletion requests requires confirming that requesters are actually the data subjects. From one view, verification must be robust because disclosing data to imposters or deleting data at an attacker's request causes serious harm. Organizations need flexibility to require sufficient identity verification before acting. From another view, burdensome verification requirements become barriers that discourage people from exercising rights. Requiring government ID, notarized documents, or complex authentication processes makes exercising rights so difficult that few bother. Whether verification should be minimal to encourage rights exercise or rigorous to prevent unauthorized access involves trade-offs between accessibility and security that different organizations resolve differently, creating inconsistent experiences.
The Understandability Gap
Access rights mean little if responses are incomprehensible. Raw database exports with field names like "usr_bhvr_trk_id" and numerical codes provide technical compliance while preserving practical obscurity. From one perspective, organizations should be required to provide data in understandable formats with plain language explanations of what information means, where it came from, how it has been used, and who has received it. The purpose of access is enabling informed decisions, which requires comprehension. From another perspective, requiring organizations to interpret and contextualize every data point is unreasonably burdensome. Data exists in formats optimized for processing, not human reading. Expecting customized explanations for every access request would be enormously expensive. Whether access rights require understandability or merely availability determines what organizations must provide.
The Deletion Illusion
Deletion requests often result in confirmations that data has been removed while information persists in backup systems, archives, third parties who received it, and derived products like models trained on now-deleted data. From one view, meaningful deletion requires comprehensive removal: from primary systems, backups, archives, and third parties, with verification that deletion actually occurred. From another view, this is technically impossible without compromising system integrity. Backup deletion would require restoring and modifying every backup. Model retraining would be prohibitively expensive. Third-party deletion cannot be enforced. Whether deletion means complete erasure or removal from active use determines what the right actually provides.
The Third-Party Data Problem
Access and control rights typically apply to organizations that collected data directly, but information flows through ecosystems where data brokers, advertising networks, and partners hold copies people never knew about. From one perspective, rights should follow data wherever it goes. If an organization shared information with third parties, those third parties should be obligated to respond to access and deletion requests, and original collectors should be required to facilitate this. From another perspective, holding every entity that ever touched data responsible for rights compliance creates unworkable chains of obligation. Organizations cannot track or control what third parties do with shared information. Whether rights apply only to direct collectors or extend throughout data ecosystems determines how much control people actually have.
The Portability Promise and Reality
Data portability rights promise that people can take their data when leaving services, preventing lock-in and enabling competition. In practice, portability often provides exports that competitors cannot import because formats are incompatible, that are incomplete because not all data is included, or that are useless because value came from the platform, not the data itself. From one view, meaningful portability requires standardized, interoperable formats that actually enable switching, with regulatory requirements for compatibility. From another view, forcing interoperability reduces incentives to innovate because investments in better services can be immediately replicated by competitors accessing the same data. Whether portability should be practical or merely theoretical determines its competitive impact.
The Collective Versus Individual Rights Tension
Individual data rights assume people exercise them personally, yet most people never make access or deletion requests. From one perspective, this means rights are working—people who want control can exercise it. From another perspective, it reveals that individual rights cannot address collective harms. When most people do not exercise rights, business models built on data extraction continue largely unaffected. Collective mechanisms—class actions, representative organizations exercising rights on behalf of groups, regulatory enforcement—may be necessary because individual action cannot change systemic practices. Whether individual rights are sufficient or whether collective enforcement is necessary determines what rights can accomplish.
The Question
If rights to access, correct, port, and delete personal data exist in major privacy frameworks yet most people never exercise them and those who do often receive incomprehensible responses or hollow compliance, do these rights represent meaningful empowerment or procedural theater that changes nothing about data practices? When organizations can comply technically while defeating purposes through raw data dumps, vague exemptions, and deletion that does not actually delete, whose interests do current rights frameworks serve: individuals seeking control or organizations seeking compliant appearance? And if exercising data rights requires technical sophistication, time, and persistence that most people lack, should rights be redesigned around collective enforcement rather than individual exercise, or does that sacrifice autonomy for protection in ways that raise their own concerns?