The GDPR – Data Subject Rights
The General Data Protection Regulation (the “GDPR”) will come into effect on 25 May 2018. As previously mentioned, the GDPR will be directly effective in each EU member state, with the aim that the same rules will be applied uniformly within the EU. This marks a shift in the approach to data protection at a European level, which until 25 May 2018 had relied on the individual Member States to implement the applicable Directives. In my previous blog I took a quick look at the overall effect of the GDPR. In response to a question about the effect it will have on an individual who thinks that an organisation has a file on him or her, I will try and explain what a private individual should be able to do in regard to controlling that data.
Overview of individual rights
Chapter 3 (Articles 12-23) is entitled “Rights of the Data Subject” with the Data Subject being the individual seeking to find out what personal data an organisation or government department (“the Data Controller”) has on him or her.
The GDPR extends a number of existing individual rights which individuals can exercise against controllers, as well as introducing a number of new rights. The focus on individual rights, and on the transparency and accountability principles which underpin all of the GDPR, puts individuals and their rights at the heart of the GDPR.
As with most laws, they are only as good as their enforcement provisions, and it remains to be seen what practical and accessible means are available to a private individual to enforce his or her rights under the GDPR. Without an effective enforcement mechanism, all the lofty ideals in the world cannot help you.
Article 12(4) provides a first clue:
“4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.”
In other words, it is very similar to the current FOI system. If the data controller does not cooperate, you complain to the regulatory authority, and if you get no satisfaction there, you can go to court. This is highly unsatisfactory as it is both time-consuming and expensive and therefore out of the reach of most citizens. It can be argued that this system is not a real enforcement at all, and in direct violation of the Aarhus Access to Justice provisions.
Another major problem that immediately occurred to me was how does one go about proving a negative? If you ask an organisation whether they have data on you, and they say that they do not, what can you do, legally, to prove otherwise? In other words, the GDPR should really create a presumption that if an organisation has had previous dealings with you, it shall be presumed until otherwise proven by the organisation (the data controller), that the organisation has your personal data.
Whether this can be reasonably enforced is another question. Given the cosy relationship between the government and big business / the banks, I cannot imagine any legislation being passed that will force a commercial organisation to lay bare all its databases so that we can have a scrummage around looking for any bits and pieces they might have on us.
It is against this background that we need to look at the individual rights created by the GDPR.
Right of access
In terms of Article 15 an individual has the right to establish whether a data controller processes information relating to him / her, and to access and obtain a copy of that data and certain additional information in relation to the processing, such as its purposes, the categories of data, the recipients of the data, and the existence of additional rights such as the rights to erasure and objection.
The Article makes it clear that this right of access is “not an absolute right”, and the exercise of that right cannot prejudice the rights of others.
I find the vagueness of these exceptions very troubling because they could be used to essentially negate any right an individual might think he or she has.
Again, the practicalities of enforcement are a cause for concern. The Article says that “The controller shall provide a copy of the personal data undergoing processing”. The word “shall” when used in legislation is known as mandatory – you have to do it, there is no choice, and if you do not do it, you break the law. All well and good, but how do you force the data controller to give up those details without having to go to the “higher authority” all the time? And will the higher authority have the muscle and wherewithal to scour the controller’s databases for information on you?
Right to be forgotten
The right to have personal data rectified, blocked or erased already exists under current data protection law. These rights existed, but were hardly ever acted upon, because of the need for the individual to show that the data controller had contravened data protection principles. Once again this was often a matter of proving a negative.
Partly as a result of the Google Spain decision of the Court of Justice of the European Union, however, there has been much more emphasis on the right of erasure or “the right to be forgotten”, and the GDPR has put a fresh focus on this area.
Under the GDPR, every individual has the right to have his / her data erased, or the “right to be forgotten”, in circumstances where:
■ the data is no longer necessary for the purpose for which it was collected;
■ processing is based on consent, but the individual has withdrawn consent and there is no other legal ground for continued processing available to the controller;
■ an individual has exercised his / her right to object, and there is no overriding legitimate interest on which the controller can continue to legitimise its processing;
■ the data is unlawfully processed;
■ the erasure is required by a law applicable to the controller; or
■ the data was collected in connection with the offer of information society services to a child.
Once again Article 17 makes it very clear that this is not an absolute right. For example, the data controller will be allowed to retain your data “on the basis of freedom of expression and information”, whatever that might mean; for reasons of “public interest in the area of public health” or if the processing is required to “establish, exercise or defend legal claims” (would that include the original application to erase?).
Article 17 does not include any specific enforcement mechanisms.
Right to restrict processing
Article 18 says that individuals have the right to require that a data controller restricts its processing of his / her data in some circumstances, including where the data is inaccurate, the data is no longer required in light of the purposes of the processing but the individual requires the data in connection with legal claims, or the data subject has exercised his / her right to object (pending verification of any legitimate grounds of the controller which override those of the data subject).
What is meant by restrict? Article 4(3) defines it as follows:
“(3) ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future”.
That definition begs the question.
‘Restriction’ = ‘Limiting’.
But what does “limiting” mean?
How long is a piece of string?
Right to object
As with the right to be forgotten, the right to object to processing already exists in the current Directive where an individual could object to direct marketing or processing for example, on the grounds that this direct marketing was “likely to cause unwarranted substantial damage or distress”.
In practice it was not used very much. Easier to delete and block the sender.
Under the GDPR, the existing right to object to processing continues, along with some clarifications and expansion. An individual can still object to direct marketing at any time, and in that event, the controller must stop using the information for marketing purposes. However, an individual can also object where:
■ retaining the data is no longer necessary for the purposes for which it was collected;
■ consent has been withdrawn and there is no other legitimate ground for processing;
■ unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims, the controller must cease the processing;
■ the data has been unlawfully processed;
■ erasure is required under a legal obligation to which the controller is subject under EU or Member State law; or
■ the data was collected in the context of the provision of information society services to a child.
Automated decision making and profiling
Under the GDPR, individuals will continue to have the right (created by the current Directive) not to be subject to decisions based solely on automated processing, in much the same form as before. Article 22 introduces additional restrictions on automated processing of special categories of data.
Profiling seems to be the main target, and the GDPR defines profiling as “any form of automated process to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
There are exceptions to this blanket-like prohibition, and on paper they seem more restrictive than the current Directive. For example, under the Directive such processing was permitted in the course of considering ‘whether to enter into a contract’, or ‘with a view to entering into a contract’ or ‘for the performance of a contract’. Under the GDPR, automated processing will only be permitted, in the context of contract, where it is a “contractual necessity”, which is a more restrictive test with a seemingly higher threshold.
However, I would suggest that ‘necessity’ is a highly subjective concept. Some people’s luxuries are regarded as other people’s necessities, depending on, for example, your socio-economic standing or your business targets. Surely it is a contractual necessity for a business to chase your custom?
The other aspect that seems to have been beefed up is the question of consent. Where a controller seeks to rely on consent, it must be explicit consent to automated decision making. This really means a written consent (including e-mail and/or electronic signature) to the use of a specified piece of data for a specified purpose.
Right to data portability
The right to data portability is a new right introduced by the GDPR, and allows individuals to obtain and, importantly, reuse their personal data. A data subject can either obtain the data him / herself, and, in turn, provide it to a third party (if he / she so wishes), or require the data controller to transfer the personal data directly to a third party.
Compliance with individual requests
Individuals must be in a position to exercise their rights free of charge, and a controller must respond to (and comply with) a request without undue delay, which means within one month, with a maximum two month extension depending on the complexity and the number of requests.
The GDPR does not insist that all these transactions are done electronically, but it does say that data controllers must provide the means for electronic requests, in particular where the data is processed by electronic means. In other words, a data controller can still shower you with paper, but this is frowned upon.
The increased transparency required under the GDPR means that individuals must be clearly and fully informed of their rights. The burden of proof is on the data controller to demonstrate compliance. This will have a substantial impact on the content of the ‘small print’ (notifications and privacy statements), but it will still be small print, so read it carefully before committing to anything.
An Irish organisation called the GDPR Awareness Coalition have produced this very handy infographic outlining the basic rights of the data subject:
The EU Commission has also produced some handy visual material explaining your rights.
Enforcement and sanctions under the GDPR
Onto the big question: can these rights be effectively enforced, or will they be evaded with ease, or be too expensive and difficult to pursue?
The approach to penalties under the General Data Protection Regulation (GDPR) seems to follow a tried and tested formula: the Big Stick. The financial penalties are stiff: offenders can be hit with fines of up to 4% of total global annual turnover to a maximum of €20 million.
These tough penalties have certainly grabbed the attention of the media, which is a good thing, as Big Business cannot feign ignorance.
The big question is how will the Irish Supervisory Authority wield this big stick? The other question is to what extent will the Irish Supervisory Authority co-operate with the Supervisory Authorities of other EU Member States to protect the rights of its citizens dealing with foreign enterprises?
Under the GDPR, Supervisory Authorities are given a number of powers which can be placed into two broad categories: investigative and corrective (punitive).
Supervisory Authority investigative powers include:
- order the controller/processor to provide any information;
- carry out data protection audits;
- review certifications;
- notify controller/processor of any alleged infringement of the GDPR;
- obtain from controller/processor access to all personal data and all information necessary to perform its tasks; and
- obtain access to any premises of controller and processor including data processing equipment.
These powers are extensive and if used properly could do a lot of good in protecting the rights of the citizen against invasive or unlawful data collection practices.
Supervisory Authority corrective powers include:
- issue warnings or reprimands to a controller or processor where processing operations have infringed provisions of the GDPR;
- order the controller or processor to comply with the law;
- order the controller to communicate a personal data breach to the data subject;
- impose a temporary or definitive limitation including a ban on processing;
- order the rectification, restriction or erasure of data or order a certification body not to issue a certificate;
- impose fines (which should be “effective, proportionate and dissuasive”);
- order the suspension of data flows to a recipient in a third country or to an international organisation.
Importantly, it can be seen that a lot of these powers can be applied to both data controllers and data processors. This might become very important as one of the major loopholes of current data protection legislation is that processors were calling themselves controllers and so evading large sections of the law. It would have been nice if the GDPR had completely collapsed the distinction between controllers and processors, but at least it is a start.
While it is much too early to tell how different Supervisory Authorities will use these powers, it seems virtually inevitable that there will be a range of approaches across Member States. Although this is a Regulation, it is silent on a number of aspects which will have to be dealt with by the laws of the particular Member State.
The most obvious of these is what (if any) criminal sanctions will be imposed on offenders who infringe the GDPR. Whilst the fines might seem huge, the maximum values do not have to be imposed, and it might be that there would be better compliance if individual directors could face jail time.
Again, Irish governments have an extremely poor record when it comes to prosecuting big business for financial crimes, so it is unlikely that this will change to any large degree.
What is clear is that from an EU perspective, the Supervisory Authorities in the different Member States will need to co-operate closely to have any hope of the GDPR being an effective mechanism, given the truly international nature of electronic commerce. We can only hope that Ireland lives up to this expectation.
Our Data Protection Commissioner (who will be the Supervisory Authority in Ireland) has been somewhat hampered by the very clumsy provisions of the Data Protection Act when it comes to prosecuting offenders. Hopefully the GDPR will to some extent fill this large gap in our law, or at least provide the impetus for a complete overhaul of our existing law which needs to be replaced by a system with teeth.