Amidst all the hoo-ha about the General Data Protection
Regulation (GDPR) in terms of increased sanctions, accountability requirements
and nonsense about email marketing, it’s easy to overlook some changes that it
has also (or actually) wrought.
One small, but potentially profound, difference lies in the
provisions around accuracy and data subjects’ rights to rectification.
The GDPR – as did its predecessor, the 1995 Data Protection
Directive – requires data controllers to take ‘every reasonable step’ to ensure
that, having regard to the purposes of the processing, personal data which are
inaccurate are erased or rectified without delay. Under the Directive, the
concomitant data subject right was to obtain from the controller, as
appropriate the rectification, erasure or blocking of data. Under the GDPR,
Article 16, however, there is no qualification or restriction of the right:
The data subject shall have the right to obtain from the
controller without undue delay the rectification of inaccurate personal data
concerning him or her.
I take this to mean that, yes, a controller must in general
only take every reasonable step to ensure that inaccurate data is rectified
(let’s call it the ‘proactive obligation’) but, when put on notice by a
data subject exercising his or her right to rectification, the controller
MUST rectify – and there is no express proportionality get-out (let’s call
this the ‘reactive obligation’).
This distinction, this significant strengthening of the data
subject’s right, is potentially significant, it seems to me, in the recently-reported
case of Alistair Hinton and the Financial Conduct Agency (FCA).
It appears that Mr Hinton has, for a number of years, been
pursuing complaints against the FCA over alleged inaccuracies in its register
of regulated firms, and in particular over an allegation that:
a register entry which gave the impression both him [sic]
and his wife were directors of a firm which the regulator had publicly censured.
This puts into rather simple terms what appears to be a
lengthy and complex complaint, stretching over several years, and which has
resulted in three separate determinations by the Financial Regulators Complaints
Commissioner (FRCC) (two
of which
appear to be publicly available). I no doubt continue to over-simplify when I
say that the issue largely turns on whether the information on the register is
accurate or not. In his February 2017 determination, the FRCC reached the
following conclusions (among others):
You and your wife have been the unfortunate victims of an
unintended consequence of the design of the FSA’s (and now FCA’s) register,
coupled with a particular set of personal circumstances;
…Since 2009 the FSA/FCA have accepted that your register entries
are misleading, and have committed to reviewing the register design at an
appropriate moment;
Although these findings don’t appear to have been directly
challenged by the FCA, it is fair to note that the FCA are reported, in the
determinations, as having maintained that the register entries are ‘technically
and legally correct’, whilst conceding that they are indeed potentially
misleading.
The most recent FRCC determination reports, as does media
coverage, that the Information Commissioner’s Office (ICO) is also currently
involved. Whilst the FRCC‘s role
is not to decide whether the FCA has acted lawfully or not, the ICO can assess
whether or not the FCA’s processing of personal data is in accordance with the
law.
And it occurs to me that the difference here between the
Directive’s ‘reactive obligation’ and the GDPR’s ‘reactive obligation’ to
rectify inaccurate data (with the latter not having any express proportionality
test) might be significant, because, until now, the FCA has apparently relied
on the fact that correcting the misleading information on its register would
require system changes costing an estimated £50,000 to £100,000, and the FRCC
has not had the power to challenge the FCA’s argument that the cost of ‘a
proper fix’ was disproportionate. But if the Article 16 right is in general
terms unqualified (subject to the Article 12(5) ability for a controller to
charge for, or refuse to comply with, a request that is manifestly unfounded or
excessive), can the FCA resist a GDPR application for rectification? And could
the ICO decide any differently?
Of course, one must acknowledge that there is a general
principle of proportionality at European law (enshrined in Article 5 of the
Treaty of the European Union) so a regulator, or a court, cannot simply
dispense with the concept. But there was clearly an intention by the European
legislature which chose not to put an express qualification on the right to
rectification (and by extension the reactive obligation it places on controllers),
and that will need to be the starting point for any assessment by said
regulator, or court.
Jon Baines is Data Protection Adviser at Mishcon de Reya LLP
[https://www.mishcon.com/people/jon-baines] .
This article originally appeared as a blog post on his personal blog at [https://informationrightsandwrongs.com/2018/09/04/gdpr-an-unqualified-right-to-rectification/].
