As the Data Protection Directive (DPD) is gradually closing on its last year of legal existence, the key provisions of the new General Data Protection Regulation (GDPR) are ever more likely to appear in the spotlight of legal analysis here at the Cybergarden. One of the key aims of the GDPR is to truly empower data subjects and put them in full control of their personal data. This empowerment is to be achieved on the basis of a broad set of data subject rights established by the GDPR.
The GDPR reinforces the existing rights of the data subjects as set up by the DPD and further introduces new extensive rights. The rights to access and rectify personal data and to object to certain types of processing are all retained and strengthened. At the same time, ground-breaking new rights are introduced – the right to erasure, the right to data portability and the right to restrict processing of personal data. As a result, the broad palette of data subject rights in the GDPR gives serious substance to the privacy-related interests of natural persons when they deal with data controllers such as social networks, online search engines and other IT businesses that process vast amounts of personal data on a daily basis.
A significant novelty in the legal framework is the fact that the GDPR now imposes a mandatory deadline for controllers when they respond to requests from data subjects. The scope of such requests can be broad – not just for access to personal data but also for rectification, erasure, restriction of processing, objection to processing or data portability. The time frame that the Regulation imposes on data controllers to respond to a request and to provide information to the data subject is a period of one month from receipt of the request. That period could however be extended by two further months due to the complexity and the number of the requests. In case the data subject makes the request by electronic means, for example through e-mail, the information will have to be provided in a commonly used electronic form. Additionally, when the controller decides not to take action on the request of a data subject, it will have to inform the data subject of the reasons for not taking action and about the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. It is important to note that the information supplied by the controller under Articles 13-14 and any communication under Articles 15-22 and 34 of the GDPR will have to be provided to the data subject free of charge. However, the controller will have the option to either charge a reasonable fee or refuse to act on requests in case they are manifestly unfounded or excessive, for example due to their repetitiveness. Naturally, the burden to demonstrate such excessive or unfounded character of the requests will be upon the controller.
Article 13 of the GDPR greatly expands the set of information that the controller has to provide to the data subject when collecting personal data from him or her. In particular, in addition to the information requirements established under the Data Protection Directive, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information: (i) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; (ii) the legal basis for the processing; (iii) the existence of the right to erasure of personal data, restriction of processing and the right to object to processing and the right to data portability; (iv) the existence of the right to withdraw consent at any time; (v) the right to lodge a complaint with a supervisory authority; (vi) the existence of automated decision-making, including profiling, and meaningful information about the logic involved in it; (vii) the fact that the controller intends to transfer personal data to a third country and the existence or absence of an adequacy decision by the European Commission in view of that third country. In addition to all these obligations, in case the controller has not obtained the personal data from the data subject, it will have to inform him/her about the source from which the personal data originates and whether it came from publicly available sources. However, a significant drawback of the regime is that in this second scenario, which is quite prevalent in contemporary processing operations (personal data not obtained from the data subject), data controllers will enjoy certain exemptions. For example, the right of the data subject to receive information will not apply when the provision of such information proves impossible or would involve a disproportionate effort.
The GDPR retains the access right of the data subject and further strengthens it. Natural persons will still be able to lodge subject access requests in order to obtain a copy of their personal data. What is new is that the data controllers will be obliged to respond to the requests free of charge. That will probably lead to a great increase in the number of such access requests, and most large data controllers will need to put in place designated processes and internal procedures in order to deal properly with the administrative burden and the extensive document flow. For any further copies requested after the first one, however, the controllers will be able to charge a fee based on their administrative costs.
Article 17 of the GDPR introduces a fully-fledged right to erasure of personal data. A right to erasure existed in the DPD but in a more basic form as it allowed erasure of personal data when its processing was non-compliant with the Directive. Two examples were given for such non-compliance pointing to the incomplete or inaccurate nature of the personal data. Now, Article 17 of the GDPR goes in far greater detail when establishing the grounds for applying the right to erasure. In particular, the data subject can obtain erasure of his/her personal data when: (i) the personal data are no longer necessary for the purpose for which they were collected or processed; (ii) the data subject withdraws his consent for processing and there is no other legal ground for processing; (iii) the data subject objects to the processing and there are no overriding legitimate grounds for the controller to continue with the processing; (iv) the personal data have been unlawfully processed; (v) the personal data have to be erased as part of a legal obligation of the controller; (vi) the personal data have been collected in relation to the offer of information society services directly to a child. At the same time, the right to obtain erasure is not absolute. It can be overridden and subsequently not apply to the extent that personal data processing is necessary: (i) for exercising the right of freedom of expression and information; (ii) for compliance with a legal obligation which requires processing by Union or Member State law; (iii) for reasons of public interest in the area of public health; (iv) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or (v) for the establishment, exercise or defense of legal claims. A significant stimulus for the establishment of the right to erasure in the GDPR was provided by the landmark Google Spain decision of the Court of Justice of the European Union. 
As a result of the decision, over the last 3 years search engines have introduced policies and internal processes for removing search results at the request of natural persons when they have a right for certain information to no longer be linked to their name in search returns.
Article 18 of the GDPR establishes the right to restrict processing of personal data which builds upon the right to block processing that exists in the DPD. The GDPR defines ‘restriction of processing’ as the marking of stored personal data for the direct purpose of limiting their processing in the future. As per the new right, the data subject can obtain restriction of processing from the controller in one of the following situations: (i) when he contests the accuracy of the personal data, restriction is granted for a period enabling the controller to verify the accuracy; (ii) when the processing is unlawful and the data subject opposes the erasure of the personal data and requests restriction of their use instead; (iii) when the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; (iv) when the data subject has objected to processing pending verification whether the legitimate grounds of the controller override those of the data subject. It must be noted that when processing of personal data has been restricted in line with Article 18 of the GDPR, such personal data can continue to be stored by the controller but it cannot be further processed.
Another novelty in the GDPR is the introduction of the right to data portability. As developed in Article 20 of the GDPR, the data subject will have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. Further, the data subject shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been initially provided, in case the processing is based on consent or contract and the processing is carried out by automated means. It has to be clarified that the right to data portability only applies to personal data that the data subject has provided to the controller. This notion of “data provided by the data subject” has been elucidated in great detail by the Article 29 Working Party in its Guidelines on the right to data portability. Pursuant to the guidelines, two types of data fall into this definition: (i) data that is actively and knowingly provided by the data subject (such as e-mail address, user name, age, etc.) and (ii) observed data that is indirectly provided by the data subject by way of using a service or a device (search history, transaction history, traffic data, location data or even raw data such as calories burned or heartbeat recorded by fitness or health trackers). Inferred data or derived data, which is created by the data controller on the basis of the provided data, remains outside the scope of the definition and is not subject to data portability. Typical examples are a credit score or an assessment of the health of the data subject. It must also be noted that the right to data portability will have a serious impact on the development of interoperability functions of internet social networks.
So far such social platforms enjoyed a competitive benefit in the form of a lock-in effect where their users created and developed personal profiles but could not easily extract their personal data out of the respective platform and port it out to another controller. However, with the new right put in place, users will have the full freedom to move their set of personal data from one social network to another.
The right to object to processing of personal data, which was also initially introduced in the Data Protection Directive, is now further improved in the GDPR. The exercise of the right to object inevitably involves a balancing exercise – the natural person is interested in having his/her data no longer processed and at the same time the controller may invoke its interest to continue processing such data despite the objection of the natural person on the basis of its legitimate interests. Until now data subjects were empowered to object to processing of personal data when it is based on the pursuit of the legitimate interests of the controller, when it is necessary for the performance of a task carried out in the public interest and when the data is processed for direct marketing purposes. The novelty in the GDPR is that now data subjects can also object to data processing on the above grounds when it includes profiling. The GDPR defines profiling as any form of automated processing of personal data when the data is used to evaluate certain personal aspects relating to a natural person, such as analyzing or predicting performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. The result of the objection by the data subject is that the data controller is obliged to stop the processing and further present proof that there are compelling and legitimate grounds for the personal data processing in case it wants to continue with the processing. Another strengthening of the protective regime of the GDPR is demonstrated by the new rule that objection to direct marketing purposes has an absolute effect and the controller can no longer process the personal data in question for such purposes even if it demonstrates a compelling legitimate interest to do so.
Additionally, in the context of the widespread take-up of information society services data subjects will be able to exercise their right to object by automated means using technical specifications – an example in point is the use of privacy settings in internet browsers.
Last but not least, the GDPR retains the right of natural persons not to be subjected to decisions that are based on automated processing of personal data and profiling. This is part of the larger societal concern about the dehumanization of organizational processes. Examples of such automated decision-making practices are the use of automated CV assessment and grading tools in the process of hiring, computer-generated decisions to grant or deny credit or automated assessments of performance at work. This established layer of protection will not apply in three instances: (i) if the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller; (ii) if it is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and legitimate interests; or (iii) if the data subject has explicitly consented to the automated decision-making. Even in such instances, however, the data controller will be obliged to implement suitable measures to safeguard the data subject’s rights and interests, and in particular the right for the data subject to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.