The details of the case
First, let’s consider what Pavur claims to have done. His focus was on the Right of Access provision in the GDPR (Article 15), which entitles European data subjects to obtain a copy of all of the personal data a particular organization holds on them. Many journalists and amateur investigators have already tried similar exercises, requesting, for example, all of the data held on them by the dating app Tinder.
Pavur sent data subject access requests (DSARs) in his fiancée’s name to more than 150 separate organizations and recorded how each responded. The results were varied. 13% of organizations ignored the request outright, presumably finding Pavur’s claim to be his fiancée unconvincing. A further 39% ultimately refused the request, with the organizations in question demanding stronger proof of the requester’s identity than the email address and phone number he had supplied.
However, 24% of the organizations Pavur contacted handed over the information they held on his fiancée with nothing more than that email address and phone number accepted as proof of ‘her’ identity. Another 16% asked, as a next step, only for identity information that is easy to forge.
Pavur’s claim, then, is that this same mechanism could easily be deployed by bad actors seeking to steal individuals’ identities for a wide range of fraudulent and criminal activities. In other words, the GDPR provides an effective ‘cover story’ for individuals seeking to harvest personal data from companies – data which they may then use for nefarious ends.
Digging into the details of Pavur’s experiment suggests that the scenario in which a criminal uses the GDPR to steal someone’s identity is entirely feasible, especially given his rate of success despite the self-imposed limitations of forging no documents and submitting to no telephone interviews. It is worth noting where the weakness actually lies: the requests that were refused were refused precisely because the organization insisted on proof of identity beyond an email address and a phone number, so the exposure comes from weak identity verification on the receiving end rather than from the right of access itself.