Requests for CCTV footage were "particularly problematic", with seven out of 10 requests for CCTV footage being met by "restrictive practices" from data controllers or their representative.
While loyalty card scheme operators were "generally facilitative" in disclosing personal data (86 percent of cases), they did not perform as strongly in providing information about automated decision making processes (only 50 percent of cases).
Requests made to banks did not yield much information about third party data sharing, with only 30 percent of responses disclosing this.
Norris said: "In our view there is an urgent requirement for policy-makers to address the failure of law at the European level and its implementation into national law.
"Organisations must ensure that they conform to the law. In particular, organisations need to make it clear who is responsible for dealing with requests from citizens, and they need to train their staff so they are aware of their responsibilities under law. They also need to implement clear and unambiguous procedures to facilitate citizens making access requests."
The Increasing Resilience in Surveillance Societies (IRISS) project is led by the Institute for the Sociology of Law and Criminology in Austria.
Sign up for MIS Asia eNewsletters.