Researcher details how GDPR, privacy laws can be manipulated for identity theft

LAS VEGAS. A PhD researcher at Oxford University has discovered a seam in how companies are complying with the European Union’s General Data Protection Regulation, allowing him to assume the identity of his girlfriend and access her data often with little pushback from data controllers for hotels, educational services, retailers and others.

James Pavur used the GDPR’s “right of access” provision, requiring companies to reveal information they hold on citizens upon their request, to collect data including his girlfriend’s social...