Protection of the fundamental right to privacy has been the central focus and raison d'être of European data privacy regulation since the mid-20th century and is the central purpose of the General Data Protection Regulation (GDPR). Navigating the GDPR should thus begin with a clear understanding of the specific privacy rights the regulation aims to protect. Chapter 3 of GDPR enumerates those rights, which range from the well-known “right to be forgotten” in Article 17 to the less well-known right to have incorrect information corrected. This installment of The eData Guide to GDPR provides a definition of these rights and explores their impact in more detail.
At its core, the right of access means the data subject has a right to know whether his or her personal data is being processed. The data controller must provide that information, as well as
In addition, the right of access includes remedial options provided to the data subject such as
The data subject must be informed of the safeguards in place for data transferred outside the European Union, and the controller must provide a copy of the data being processed upon request.
The Swedish Data Protection Authority, Datainspektionen, launched an investigation in June 2019 based on consumer complaints against the way in which a digital music service processed (or not) requests for access to their personal data. Datainspektionen issued a statement on the investigation, saying, “The authority has become aware that there may be some shortcomings in how the company handles registry extracts, including that the extracts are not complete, and that the information is not sufficiently clear.” The investigation was triggered by individual complaints from data subjects combined with the large amount of personal data held by the service. It is important that data controllers have mechanisms in place to provide timely and complete responses to requests for access by data subjects, or they may find themselves the subject of similar investigations that may result in significant fines.
In a previous eData Guide to GDPR, we provided guidance to controllers on responding to data subject access requests by understanding the right of access process to ensure controllers are prepared to lawfully respond to data access requests, including a Data Access Request Checklist.
Article 16 states that data subjects have a right to have any inaccurate personal data held by a data controller, including incomplete information, corrected “without undue delay.” Data subjects may request that their information be corrected, but the definition of what is appropriate for correction and the timing of “undue delay” are still crystallizing.
The Irish Data Protection Commission (DPC) recently ruled that people do not have an absolute right to have their names spelled correctly on public records. In late 2018, Ciarán Ó Cofaigh filed a complaint against the Irish Health Service (HSE) for spelling his name on official records without fadas, the accent marks used in the Irish language to indicate long vowels. Other similar complaints were filed with the DPC against banks that also omitted fadas in their customers’ names.
Regarding Mr. Ó Cofaigh’s complaint, the HSE made a statement that fadas were both “necessary to spell words properly” and “an integral part of a person’s given name and surname in Irish,” but that there may be computer system limitations that make the use of diacritics currently impossible. In February, a spokesperson for the DPC said that Article 16 clearly sets out the rights of a person to have their records corrected, but that the DPC was still investigating whether this included fadas.
Ultimately, the DPC, in consultation with other EU countries’ DPAs, concluded that Article 16 did not confer an “absolute right” for individuals to have their records corrected:
The Commission liaised with our counterpart supervisory authorities in the European Union in relation to the inability of certain data controllers’ systems to record diacritical marks when documenting an individual’s name and the effect this may have on the accuracy of that recording. In this process, supervisory authorities expressed the view that the right to rectification was not absolute and that consideration must be given to the particular scenario in which the issue of the non-recording of diacritical marks arises. In particular, weighty consideration must be given to the purposes of the processing that is taking place and whether the alleged inaccurate data is used in an isolated environment or if it is used in conjunction with other personal identifiers.
Although the DPC’s press release does not indicate which countries’ DPAs were consulted, it appears that at least some other EU member states do not view the correction of personal information to be an absolute right. Where there is other information available to distinguish the identity of an individual, it appears less likely from this ruling that minute corrections to data would be required.
One of the most well-known provisions of the GDPR is the “right to be forgotten.” Article 17 affords data subjects the “right to obtain from the controller the erasure of personal data . . . without undue delay,” and also confers an obligation on the controller to erase personal data in the following situations:
If the personal data has been shared, the controller who has been requested to erase the data must take “reasonable steps” to inform other controllers processing such data of the data subject’s request. Neither the obligation to erase nor the obligation to inform other controllers applies where
In 2015, the French DPA, CNIL (Commission nationale de l’informatique et des libertés), fined an internet search company 100,000 euros (approximately $110,000) for its failure to apply the right to be forgotten globally on its search engine (although it did comply with respect to French IP addresses). The company appealed that decision through the French courts, and ultimately to the Court of Justice of the European Union (CJEU), on the grounds that CNIL did not take into account the rights to freedom of expression and information provided in Article 17. While the CJEU has not yet ruled on the appeal, the advocate general of the European Union issued a nonbinding opinion in January 2019 that the application of the right to be forgotten should not apply outside the European Union. The judgment from the CJEU is expected later this year.
In June 2019, the advocate general released a seemingly contradictory opinion in another case involving the removal of defamatory materials on a social media site. In that case, an Austrian court found the post in question to be defamatory and ordered its removal. The site complied on a local level, but said that complying on a global level would be in violation of Directive 2000/31, which prohibits general monitoring obligations. The directive, however, does not prohibit specific monitoring obligations, and the plaintiff did not base her arguments on privacy, but rather on a defamation claim under Austrian law. The advocate general’s opinion in this case would allow for a national court to extend its reach in ordering removal of data in certain cases beyond the borders of the European Union.
The two opinions from the CJEU should be out later in 2019, which should provide a framework for removal of data under the right to be forgotten and settle the contradictory opinions currently available on this issue.
Individuals have the right to restrict the processing of their personal data for the following reasons and in the following ways:
The data may be stored during the verification period, but otherwise no processing can occur without the individual’s consent, or, similar to Article 17, where the data is necessary for prosecution or defense of legal claims or for an important public interest. When the restriction is lifted, the controller must inform the data subject. Data can be restricted by “temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website.”[1] What this right provides the data subject is a measure of control over how and by whom data may be used once it is given over to the controller. Generally controllers will need to respond to requests, either by confirming compliance or rejecting the request, without “undue delay,” which has been defined by various data protection organizations as being within a month’s time.
Article 19 provides that controllers must notify each recipient of personal data when the information is corrected or erased under Article 16 or 17, or when a processing restriction is put in place under Article 18. Note that this notification requirement is effectively a restatement of the obligation already provided in Article 17, with the addition of exceptions for impossibility or “disproportionate effort.” The controller must also inform the data subject requesting the correction that subsequent parties have been notified of the change.
Data subjects have the right to receive their personal data from a controller where the processing is based on the consent of the data subject or in the context of a contract. This right is already provided for in Article 15, but Article 20 provides additional details concerning whether the data must be provided to the data subject in a “structured, commonly used and machine-readable format.”
Data portability includes the right of data subjects to have their personal information transferred from one controller to another, as long as the processing is automated and is based on the individual’s consent. The exceptions to the right of portability are where the processing is done in the public interest or by exercise of an official authority, or where it impacts the rights of others.
The Dutch DPA, Autoriteit Persoonsgegevens, provides guidance on the portability of medical records; namely, that information “actively and knowingly provided” or provided “indirectly through the use of a service or device” can be transferred from one service provider to another. An example of information provided indirectly through a device would be data from a blood pressure monitor. Information not directly or indirectly provided is not portable per the Dutch DPA, such as “conclusions, diagnoses, suspicions or treatment plans that your healthcare provider establishes on the basis of the information you provide.” CNIL defines the data that is subject to portability more broadly, as data that is “pertinent and not excessive with respect to the purpose of the new processing that the person wishes to perform.”
For data controllers subject to the right of portability, it is important to have systems and processes in place that both comply with the data subject’s request and can separate the data that has to be transferred from the data that does not.
Finally, the GDPR establishes a right to challenge the processing of data where the reason for processing is a “legitimate interest,” a public interest,[2] or the exercise of official authority. In those cases, the controller must show “compelling legitimate grounds” for the processing, which either must be for the prosecution or defense of a legal claim or must override the rights of the data subject.
When the reason for processing is “direct marketing purposes,” the data subject can object at any time without exception. Upon request, the controller must stop processing the data. In any case, the controller must notify data subjects of their right to object to processing the first time they communicate with them, and provide the means for objection in a manner similar to that in which they provided consent, such as through “automated . . . technical specifications.”[3]
CNIL defines limitations of the right to object, saying that the right is not absolute: “[F]or example, only a breach of contract allows the deletion of an account at your mobile operator or an e-commerce site.” If the data subject’s request to stop processing does not relate to direct marketing, the controller can justify its refusal to stop processing where
The right of the data subject to object to processing is not available in many situations outside of direct marketing purposes. When faced with a request to stop processing data under Article 21, it is important to understand the relationship between the controller and the subject when assessing whether compliance with the request is necessary.
The GDPR affords many rights and remedies to data subjects with respect to their personal data. The extent and nuances of these rights are still largely undefined as courts and local data protection authorities continue to interpret the regulations. In the meantime, data controllers are advised to understand these enumerated rights, and to put systems and processes in place to comply with the various request requirements found in Chapter 3.
[1] GDPR Recital 67.
[2] As defined in GDPR Art. 6(1)(e) and (f).
[3] GDPR Art. 21(5).