The European Data Protection Board released a report on its Coordinated Enforcement Framework's 2024 initiative exploring the protection and implementation of the right of access under the EU General Data Protection Regulation.
The report detailed the coordinated efforts of 30 EU data protection authorities to explore 1,185 data controllers' activities around the right of access. DPAs approached the initiative in their own ways, including "opening formal investigations, assessing whether a formal investigation was warranted and/or carrying out fact-finding exercises."
The CEF aimed to ensure data controllers implemented the agency's right of access guidelines. EDPB Deputy Chair Zdravko Vukić also indicated improved cross-border enforcement among DPAs as another goal stemming from the initiative.
"The CEF is a valuable initiative that helps strengthen the cooperation among Data Protection Authorities," Vukić said in a statement. "By tackling selected topics in a coordinated fashion, they achieve greater efficiency and more consistency. How controllers implement the right of access lies at the heart of data protection and it is one of the most frequently exercised data subject rights."
Following a review of DPAs' work, the EDPB identified seven challenges facing proper right of access implementation. Those challenges included "the lack of documented internal procedures to handle access requests" and barriers for data subjects, including "formal requirements or being requested to provide excessive identification documents."
DPA contributions
While the EDPB provided results of the CEF through a broader lens, some DPAs released details of their probes and explorations to show more specific peaks and valleys around right of access implementation.
France's DPA, the Commission nationale de l'informatique et des libertés, found that, while organizations worked to process data subjects’ requests for access, the EDPB’s guidelines were "little taken into account by the controlled organisations, or even unknown."
The CNIL's review of 11 public and private entities also showed that data subject access requests (DSARs) received "only a partial or incomplete response." The regulator highlighted issues with DSAR responses not including sufficient transparency around processing activities while alleging "organisations systematically exclude certain processing or certain categories of personal data from their responses."
Though the initiative highlighted issues involving personal data requests, two-thirds of DPAs found organizations had average to high levels of compliance. The board's report noted that larger organizations often had the resources to include helpful tools for consumers to submit access requests.
Finland's Office of the Data Protection Ombudsman Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa said the "awareness of the organisations that responded to the survey about their obligations regarding the right to inspect is generally good. Most organisations also have effective processes for handling requests."
For EU institutions, the European Data Protection Supervisor shared five takeaways from its examinations. Notable challenges observed by the EDPS were issues with categorizing requests and identity verification, but EU institutions were also found to receive very few access requests in a given year.
Future actions
The topic of the next CEF is yet to be determined. The EDPB included discussion of prospective CEF topics in past plenary sessions, but the board has not finalized the 2025 initiative.
The EDPB characterized its CEF program as a "key action" under its 2024-27 strategy. The first two coordinated actions focused on public-sector cloud-based services and data protection officer designation.
The board explained, "The results of these national actions are aggregated and analysed together to generate deeper insight into the topic and allowing for targeted follow-up on both national and EU level."
Lexie White is a staff writer for the IAPP.