In the latest in our series of articles focusing on aspects of the GDPR, Tim Hickman and Dr. Detlev Gabel review the various rights granted under the GDPR, consider how they differ from the current set of rights set out in the Directive and go on to consider the impact that each such right is likely to have on organisations that act as data controllers.
With the forthcoming General Data Protection Regulation (GDPR) almost in final form, the details of the rights and obligations set out in the GDPR are now largely clear. One issue that is likely to affect all organisations in all sectors is the new set of rights granted to data subjects. Some of these rights are similar to the existing rights provided under Directive 95/46/EC (the Directive) with which many organisations operating in the EU will already be familiar. However, a number of other rights are new, or include important changes from their predecessors in the Directive. The key issue for organisations is to understand what these new or amended rights look like, and to determine how best to react.
Analysis – the rights of data subjects
The right to information
One of the most important rights of data subjects is the right to information. In order to ensure that personal data are processed fairly, data controllers must provide certain minimum information to data subjects regarding the collection and further processing of their personal data. The GDPR adds that such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. In practical terms, the new form requirements are likely to make little difference to this right, as national Data Protection Authorities (DPAs) have generally read these requirements into the national laws that implement the Directive. The content requirements are another matter: Articles 13 and 14 of the GDPR lengthen the list of items that must be provided (for example, the legal basis for the processing, the retention period or the criteria used to determine it, and the data subject's right to lodge a complaint with a DPA), so most existing privacy notices will need to be revised.
The right of subject access
The right of subject access is very similar in the GDPR to its previous incarnation in the Directive. In summary, data subjects still have the right to file a subject access request (SAR) and obtain from the data controller a copy of their personal data, together with an explanation of the categories of data being processed, the purposes of such processing, and the categories of third parties to whom the data may be disclosed. The GDPR expands upon this right, requiring data controllers to respond to SARs with additional information, including details of the period for which the data will be stored (or the criteria used to determine that period) and information about the other rights of data subjects. One major change to SARs relates to the charging of fees. The national laws that implement the Directive generally permit the charging of a reasonable fee in respect of each SAR. For example, in the UK, the maximum fee is £10 per SAR. However, Article 15 of the GDPR simply states that the data controller must comply with the SAR, and can charge a reasonable fee only for 'any further copies requested by the data subject'. Other portions of the GDPR take a similar approach, permitting a reasonable fee to be charged (or the request to be refused) only if a request is 'manifestly unfounded or excessive'. On a literal interpretation, organisations will be obliged to respond to a first SAR for free, and may charge a fee only in respect of 'further' copies of the same information. This is a potentially significant change. The obligation to pay a small fee for a first-time SAR provided organisations with a buffer against large numbers of frivolous SARs being filed by data subjects who were only vaguely interested in the information to be provided. The removal of this obligation may lead to a substantial increase in the number of SARs received by organisations.
The right to rectification
The right to rectification is almost entirely unchanged in the GDPR. The idea that data subjects should have the right to require the data controller to correct errors in personal data processed by (or on behalf of) that controller is relatively uncontroversial, and the GDPR continues to require organisations to give effect to that right.
The right to erasure (the 'right to be forgotten')
The right to erasure has generally been poorly understood, which is not helped by the fact that the GDPR entitles Article 17 'Right to erasure ('right to be forgotten')'. The first point that must be made is that the right recognised by the CJEU in Costeja (Case C-131/12) (confusingly described, at several points in that judgment, as a 'right to be forgotten') is not the same thing as the rights created in Article 17 of the GDPR. The right arising from the Costeja judgment relates only to internet search engines, and provides only a limited right to have information suppressed from the results of searches made on the basis of a data subject's name. The rights arising under Article 17 of the GDPR are much broader. They are enforceable by data subjects against all data controllers (not just internet search engines) and cover a much wider range of circumstances. For example, Article 17 allows data subjects to require data controllers to delete their personal data where those data are no longer needed for their original purpose, or where the processing is based on consent and the data subject withdraws that consent (and no other lawful basis for the processing exists). The right is not absolute, however: Article 17(3) preserves processing that is necessary for, among other things, exercising the right of freedom of expression and information, complying with a legal obligation, or establishing, exercising or defending legal claims. Organisations should therefore carefully review their processing activities, both to identify which exemptions they can legitimately rely on and to ensure that they are able to permanently delete the relevant data (including backups and copies held by processors) where no exemption applies.
EU data protection laws have long recognised the principle that data controllers should give effect to the rights of data subjects promptly, or within specified time periods, in order to avoid the frustration of those rights through excessive delays. Many EU Member States have implemented time limits for responding to SARs, but few have implemented specific time limits in relation to other rights. The GDPR, on the other hand, imposes a general one-month time limit for informing data subjects of the action taken on any request to exercise any of the rights discussed in this article. That period may be extended by a further two months where necessary, taking into account the complexity and number of requests, but only if the data subject is told of the extension, and the reasons for it, within the first month. Organisations should pay careful attention to this point, as the information that they are obliged to provide under the GDPR is substantially broader than under the Directive, and the timeframe for doing so is tight (certainly tighter than the 40-day period that currently applies to SARs in the UK). Organisations should therefore implement systems and policies that log the date of receipt of each request and ensure that the necessary information is provided no more than a month after that date.
The right to restrict processing
The right to restrict processing is a new right created under the GDPR. It has not been widely discussed, but is nevertheless important. In certain circumstances in which the relevant personal data either cannot be deleted (eg because the data are required for the purposes of exercising or defending legal claims) or where the data subject does not wish to have the data deleted, the data controller may continue to store the data, but the purposes for which the data can otherwise be processed are strictly limited (eg the establishment, exercise or defence of legal claims; protecting the rights of another natural or legal person; reasons of important public interest of the EU or a Member State; or such other purposes as the data subject consents to). Organisations should bear in mind that, in order to give effect to this right, they may need to flag or segregate the affected data so that their standard processing systems (analytics, marketing, automated decision-making and the like) no longer act on it while it remains stored. Not all organisations will have such functionality built into their systems, and so organisations may need to consider whether any changes are needed in order to address this right.
The obligation to notify relevant third parties
In giving effect to the rights discussed above, the GDPR also imposes a new obligation on data controllers. Where a data controller has disclosed personal data to third parties, and the data subject subsequently exercises any of the rights of rectification, erasure or restriction, the GDPR requires the data controller to inform such third parties of the fact that the data subject has exercised those rights (unless this is 'impossible or involves disproportionate effort'). The data subject is also entitled to request information about the identities of the third parties to whom his or her personal data have been disclosed. For organisations that routinely disclose personal data to a large number of third parties, this may become particularly burdensome.
The right to data portability
Another new feature of the GDPR is the right to data portability. This permits the data subject to receive from the data controller a copy of his or her personal data in a structured, commonly used and machine-readable format, and to transmit those data to another data controller, or to have the data transmitted directly between data controllers where this is technically feasible. The right is narrower than it first appears: it applies only to data that the data subject has provided to the controller, and only where the processing is based on consent or on a contract and is carried out by automated means. For example, it would allow users of online services to transfer their profile data from one service provider to another. For some organisations, this new right creates a significant additional burden, requiring investment in new systems and processes (notably a documented export format) to enable such transfers. However, for other organisations, it creates an important opportunity to attract customers from competitors. For example, an online business might struggle, under existing law, to attract new users from competitors because of the difficulties associated with setting up a new account. Under the GDPR, the competitor must provide the account data in a portable format on request, making it easier for rivals to build competing platforms and services.
The right to object
The right to object to processing has, at a conceptual level, remained the same in the GDPR as it was in the Directive. Data subjects continue to have a right to object to processing of their personal data on grounds relating to their particular situation, in addition to the right to object to processing carried out for the purposes of direct marketing (including profiling related to such marketing). However, in terms of its practical implementation, the burden of this right has effectively been reversed. Whereas the Directive permits an organisation to continue processing until the data subject raises an objection and that objection is justified, the GDPR allows the data subject to raise an objection and then requires the data controller to demonstrate that it either has compelling legitimate grounds for continuing the processing which override the interests, rights and freedoms of the data subject, or that the processing is necessary for the establishment, exercise or defence of legal claims. If the data controller cannot demonstrate that the relevant processing activity falls within one of these two grounds, it must cease that processing activity. An objection to direct marketing is absolute: no balancing test applies, and the data must no longer be processed for that purpose. This is likely to prove especially problematic for organisations that currently rely on their own legitimate interests as a lawful basis for processing personal data.
The right to not be evaluated on the basis of automated processing
This right is essentially unchanged from the Directive to the GDPR. It remains the case that, subject to certain narrow exemptions, data subjects have the right not to be subject to decisions based solely on automated processing which significantly affect them. Some of the wording in the GDPR is slightly different, but most organisations are unlikely to see any practical change in their obligations.
The right to bring class actions
The GDPR grants data subjects the right to be collectively represented by not-for-profit bodies. Data subjects may mandate such bodies to act on their behalf and exercise their rights, including the right to bring complaints to DPAs, and to seek judicial remedies against data controllers and data processors. This appears to pave the way for class actions brought by data subjects against organisations that have infringed their data protection rights. As a result, organisations are likely to face substantially greater litigation risks under the GDPR than they face under the Directive.
As its recitals make clear, a key objective of the GDPR is to protect and strengthen the rights of data subjects. The GDPR provides data subjects with a broader set of rights than those provided under the Directive, and enhances the ability of data subjects to enforce those rights. This legislative change is also likely to be accompanied by stricter enforcement from DPAs, together with the possibility of fines of up to the greater of €20 million or 4% of annual worldwide turnover and the possibility of claims by data subjects for damages. Consequently, organisations should plan and implement measures to ensure that they are prepared for the advent of the GDPR. At the very least, these measures should include:
· Review of data processing systems – Each organisation should consider whether practical changes to its data processing systems are needed. For example, do those systems enable the organisation to quickly identify and isolate all copies of all personal data relating to a particular data subject? If not, those systems should be updated to provide this functionality, so that the organisation is capable of giving effect to the rights of data subjects.
· Update privacy policies – Organisations should consider whether their existing privacy policies need to be updated to reflect the additional rights granted to data subjects under the GDPR.
· Employee training – Organisations should ensure that any of their employees who process personal data are appropriately trained, so that they can quickly recognise, and appropriately respond to, requests from data subjects to exercise their rights.
Lastly, it is likely that once the GDPR is published in the Official Journal of the EU, DPAs (together with the newly created European Data Protection Board) will begin to issue public guidance on a range of data protection topics, including the rights of data subjects. In order to determine whether any further changes are needed, organisations should keep an eye out for any such guidance, and should review each of the steps set out immediately above in light of such guidance.
Tim Hickman is an associate in the London office of White & Case LLP.
Dr. Detlev Gabel is a partner in the Frankfurt office of White & Case LLP, and the chair of the Firm's Global Data, Privacy & Cyber Security Practice.