The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.
Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.
With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.
This is the sixth in a series of articles addressing the top 10 operational impacts of the GDPR.
Enhancing existing individual rights and creating new rights to be forgotten and to data portability
As part of its effort to expand individual control over the use of personal data, the GDPR introduces two new rights. First, the regulation codifies a right to be forgotten, following on the recognition of a similar right by a 2014 case from the European Court of Justice. This right allows individuals to request the deletion of personal data, and, where the controller has publicized the data, to require other controllers to also comply with the request. Second, the right to data portability requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject so requests.
The GDPR also augments the existing rights of data subjects to receive notice about processing activities, gain access to the information that is being processed, and to have the controller rectify inaccuracies. The data subject’s right to object to processing is broader than under the Directive, moreover, allowing her to object to processing at any time, unless the controller has compelling legitimate grounds.
To keep up with the augmented rights under the regulation, data controllers will have to implement processes for handling and documenting requests from data subjects.
A right to erasure and the right to be forgotten
In a significant departure from Directive 95/46/ec, the GDPR recognizes a “right to erasure.” This right builds on and expands the so-called “right to be forgotten” recognized by the European Court of Justice in its Google Spain v. AEPD and Mario Costeja González ruling in 2014. There, the Court required search engines, upon a person’s request, to remove links to webpages that appear when searching that person’s name unless “the preponderant interest of the general public” in having access to the information justifies the search engine’s refusal to comply with the request.
The GDPR for the first time codifies the right and applies it to all controllers. Under Article 17, controllers must erase personal data “without undue delay” if the data is no longer needed, the data subject objects to the processing, or the processing was unlawful. Recital 65 explains that this right is especially relevant when a child consents to processing and later wants to remove the information, even if he is no longer a child. However, the right is not unlimited. It must be balanced against freedom of expression, the public interest in health, scientific and historical research, and the exercise or defense of legal claims.
The right to erasure extends additional obligations to any controller that makes personal data public, especially online. Where a data subject requests the erasure of data that has been made public, the controller must take “reasonable steps” to inform other controllers that are processing the data about the person’s objection, unless it would require “disproportionate effort.” Any controller processing the data must then erase copies of it or links to it. Whether the steps taken are “reasonable” will depend on the available technology and the cost of implementation.
Article 18 establishes a procedure for when there is disagreement over whether the right to erasure applies. The data subject is entitled to seek the “restriction of processing” for the time needed to verify whether information is accurate if she contests its accuracy. The data subject also may request a restriction where the controller no longer needs the data, but the data subject needs it for a legal claim. Finally, he may request a restriction where he has objected to processing but the controller seeks to prove it has compelling legitimate grounds for overriding the objection.
When a data subject requests the restriction of processing, the controller should temporarily remove the data from a general filing system or from a public website so as to avoid further processing. Recital 67 specifies that controllers should flag the restricted data in a way that makes clear that processing is restricted.
A new right to data portability
One of the responses of the GDPR to the so-called “Big Data” trend is the creation of a new right to data portability that aims to increase user choice of online services.
Where controllers process personal data through “automated means,” Article 20 grants data subjects the right to receive the personal data concerning them. Controllers must provide the data in a commonly used and “machine-readable” format, and data subjects have the right to transmit that data to any other controller. Where feasible, the controller may even be required to transmit the data directly to a competitor. However, Recital 68 specifies that it does not impose an obligation for controllers to adopt processing systems that are technically compatible.
The right to data portability applies only when processing was originally based on the user’s consent or on a contract. It does not apply to processing based on a public interest or the controller’s legitimate interests.
Enhanced rights to notice, access, rectification and to object to processing
Under the Directive, controllers had to provide data subjects with certain minimum information before collecting personal data. These disclosures included the identity of the controller, the purposes of processing, and any recipients of personal data. The Directive also provided data subjects with a right of access to data, which required controllers to confirm what data they were processing and the logic involved in any automatic processing operations. If a controller processed information in violation of the Directive, data subjects could block the processing and request the erasure or rectification of the data. Data subjects could also object in narrow circumstances where they could demonstrate compelling legitimate grounds or where the data was used for direct marketing.
The GDPR increases the number of disclosures a controller must make before collecting personal data. In addition to the identity of the controller, the purposes for processing, and any recipients of personal data, Article 13 requires controllers to disclose how long the data will be stored. Controllers also must inform data subjects of the right to withdraw consent at any time, the right to request access, rectification or restriction of processing, and the right to lodge a complaint with a supervisory authority. Furthermore, these disclosures must be intelligible and easily accessible, using clear and plain language that is tailored to the appropriate audience. Thus, policies aimed at children will have to be drafted in a way that children can understand. For controllers that receive the data from a source other than the data subject – from another controller or a public record, for instance – disclosure is not necessary if it would require a “disproportionate effort.”
Article 15 establishes a right of access that is more robust than what was required by the Directive. Users will have a right to request a copy of their personal data undergoing processing. They may also request to know the purposes of processing, the period of time for which data will be stored, the identity of any recipients of the data, the logic of automatic data processing, and the consequences of any profiling. Controllers will have to set up processes for responding for access requests and, in particular, for verifying the identity of a data subject who requests access. Recital 63 recognizes, however, that the right of access needs to be balanced against other rights, such as intellectual property, trade secrecy and copyright protections for software. In cases where the controller processes “a large quantity of information” about the data subject, it may require the data subject to specify the information or processing activities at issue in the request.
The right to object to processing is significantly expanded under Article 21. Whereas under the Directive, a data subject could only object to processing where she could demonstrate compelling legitimate grounds, the GDPR flips the burden, allowing a data subject to object any time processing is based on public interest (Article 6(1)(e)) or the legitimate interests of the controller (Article 6(1)(f)), unless the controller demonstrates compelling legitimate grounds. This is in addition to the data subject’s right to withdraw consent whenever processing is based on consent. Like the Directive, the GDPR also allows a data subject to object to processing for direct marketing at any time and Article 16 grants the right to correct inaccurate information.
Businesses will need to implement effective user interfaces
In the process of heightening user control over data, these expanded rights will create new challenges for controllers to implement systems that are responsive to user requests concerning their data. To this end, Article 12 requires controllers to provide “modalities” to facilitate the exercise of data subject rights. These modalities likely will include user interfaces and customer support services.
Controllers should communicate with data subjects “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” Where a data subject seeks to exercise one of the above rights, the controller must take the appropriate action “without undue delay” or at the latest within a month of the request. The controller may, however, seek an extension “where necessary” because of a high number of requests. If the controller opts not to grant the request, it must explain its decision to the data subject within one month. All these services must be free of charge, unless the requests are “manifestly unfounded or excessive.”
Controllers will face a difficult challenge in trying to authenticate users to process their requests. Article 12 provides that a controller may refuse to act on a request if it “demonstrates that it is not in a position to identify the data subject.” On the other hand, if it has “reasonable doubts” about the identity of the person making a request, it can ask the person for additional information to confirm his or her identity. Recital 57 lends little in the way of clarity: Controllers are not required to take additional information in order to identify the data subject, but they also should not refuse to take such information if the data subject offers it in the exercise of his rights.
Controllers will have to be thoughtful in implementing systems that on the one hand minimize the collection of data while on the other hand ensure accurate authentication to avoid abuse. The GDPR requires companies that engage in “regular and systematic monitoring of data subjects on a large scale” to appoint data protection officers with responsibility for overseeing these systems.
For these companies, managing access requests and the right to be forgotten likely will be a major focus for their new DPOs.
If you want to comment on this post, you need to login.