The debate about how to govern personal data has intensified in recent years. The European
Union’s General Data Protection Regulation, which comes into effect in 2018, relies on
transparency mechanisms codified through obligations for organizations and citizen rights. While
some of these rights have existed for decades, their effectiveness is rarely tested in practice. This
paper reports on the exercise of the so-called right of access, which gives citizens the right to get
access to their personal data. We study this by working with participants—citizens for whom the
law is written—who collectively sent over a hundred data access requests and shared the responses
with us. We analyze the replies to the access requests, as well as the participant’s evaluation of
them. We find that non-compliance with the law’s obligations is widespread. Participants were
critical of many responses, though they also reported a large variation in quality. They did not find
them effective for getting transparency into the processing of their own personal data. We did find a
way forward emerging from their responses, namely by looking at the requests as a collective
endeavor, rather than an individual one. Comparing the responses to similar access requests creates
a context to judge the quality of a reply and the lawfulness of the data practices it reveals.
Moreover, collective use of the right of access can help shift the power imbalance between
individual citizens and organizations in favor of the citizen, which may incentivize organizations to
deal with data in a more transparent way.