Getting Data Subject Rights Right: A submission to the European Data Protection Board from international data rights academics, to inform regulatory guidance

Author: Jef Ausloos, René Mahieu, Michael Veale
Position: Postdoctoral Researcher, Institute for Information Law, University of Amsterdam / Law, Science, Technology & Society (LSTS), Vrije Universiteit Brussel / Lecturer in Digital Rights & Regulation, Faculty of Laws, University College London and the Alan Turing Institute
Pages: 283-309
by Jef Ausloos, Michael Veale and René Mahieu
© 2019 Jef Ausloos, Michael Veale and René Mahieu
Everybody may disseminate this article by electronic means and make it available for download under the terms and
conditions of the Digital Peer Publishing Licence (DPPL). A copy of the license text may be obtained at
http://nbn-resolving.de/urn:nbn:de:0009-dppl-v3-en8.
Recommended citation: Jef Ausloos, Michael Veale and René Mahieu, Getting Data Subject Rights Right, 10 (2019) JIPITEC
283 para 1.
Summary
We are a group of academics active in research and
practice around data rights. We believe that the
European Data Protection Board (EDPB) guidance
on data rights currently under development is an
important point to resolve a variety of tensions
and grey areas which, if left unaddressed, may
signicantly undermine the fundamental right to
data protection. All of us were present at the recent
stakeholder event on data rights in Brussels on 4
November 2019, and it is in the context and spirit of
stakeholder engagement that we have created this
document to explore and provide recommendations
and examples in this area. This document is based on
comprehensive empirical evidence as well as CJEU
case law, EDPB (and, previously, Article 29 Working
Party) guidance and extensive scientific research
into the scope, rationale, effects and general
modalities of data rights.
A. Main Takeaways
1 The first half of this document lists recommendations
for the four data subject rights mentioned in the
EDPB’s plan to draft guidelines: right of access (Article
15); right to rectification (Article 16); right to erasure
(Article 17); and the right to restriction of processing
(Article 18). The second half of this document takes
a step back and makes recommendations on the
broader issues surrounding the accommodation of
data subject rights in general. We strongly advise
the EDPB to consider the following points in its
Guidance:
2 The interpretation and accommodation of data
subject rights should follow established CJEU case
law requiring an ‘effective and complete protection
of the fundamental rights and freedoms’ of data
subjects and the ‘efficient and timely protection
of their rights’.
3 The right of access plays a pivotal role in enabling
other data rights, monitoring compliance and
guaranteeing due process. Analysis of guidance,
cases, and legal provisions indicates data controllers
cannot constrain the right of access through unfair
file format, scope limitations, boiler-plate response,
and that where data sets are complex, they should
facilitate tools to enable understanding.
4 The right to erasure is not accommodated by
anonymising personal data sets. In case the same
personal data is processed for different processing
purposes some of which may not be subject to the
right to erasure, data controllers should interpret
erasure requests as a clear signal to stop all other
processing purposes that are not exempted.
5 The right to object offers a context-dependent
and individualised re-assessment of the relevant
processing purposes, specifically in relation to the
data subject’s concrete situation. Data controllers’
potential compelling legitimate interests should be
detailed, publicly declared and foreseeable, in order
to be able to override data subjects’ clear desire to
stop the respective processing operation.
6 The right to restriction of processing — currently
ignored by most data controllers — should be
prioritised in time and effectively ‘freeze’ any
further processing operations. Information society
services should offer this through an interface.
7 The right to rectication applies to opinions and
inferences of the data controller, including proling,
and must consider that the vast majority of data is
highly subjective.
8 (Joint) controllers have an explicit duty to facilitate
the exercise of data subject rights and cannot
require specific forms or legislative wording as a
precondition for accommodating them.
9 Restrictions or limitations on how data rights are
accommodated (eg rights and freedoms of others,
excessiveness, repetitiveness) need to be foreseeable
and interpreted narrowly and specifically in light
of the concrete and specific right, data subject and
context at hand.
B. Background
10 Data subject rights are of critical importance in
the European data protection regime. Throughout
all discussions of their scope and limits, it must be
recalled that rights are not simply a way to police
that sufficient data protection is occurring, but they
are an intrinsic part of the fundamental right to data
protection enshrined in the Charter of Fundamental
rights, which states that:
Everyone has the right of access to data which has been
collected concerning him or her, and the right to have it
rectied.1
11 Data rights must, in general, be implemented with
several observations of the Court of Justice of the
European Union in mind.2 The Court has held that
one of the key objectives of data protection law
is the effective and complete protection of the
fundamental rights and freedoms of natural persons
with respect to the processing of personal data.3
12 We can see this principle in operation in relation to
data rights which are prerequisites to others. The
Court held that the right of access is a pre-requisite
to the ‘rectification, erasure or blocking’ of data, and
thus the existence (and extent) of the right of access
must allow effective use of other data rights.4
13 The Court has also held that provisions of data
protection law must be interpreted as to give
effect to the efficient and timely protection of
the data subject’s rights.5 Furthermore, it is critical
to consider data rights in light of the overarching
principles of transparency and fairness in the
GDPR. Data controllers are not permitted to frustrate
data subjects in their attempts to benefit from the
high level of protection that follows from their
fundamental rights. Indeed, they have to both
implement data rights6 as well as facilitate the
exercise of such rights.7
14 Relatedly, the Court has also highlighted that
data protection should be understood within the
framework of the responsibilities, powers and
capabilities of a data controller.8 As the European
Data Protection Board has already pointed out,
‘information society or similar online services that
specialise in automated processing of personal data’
are highly capable at classifying, transmitting and
managing personal data in automated ways, and as
a result9 meet data rights in an effective, complete,
efficient, and timely manner.
15 Finally, the Court has also linked the ability to
effectively exercise data subject rights with the
fundamental right to effective judicial protection
in Article 47 Charter. Specifically, it stressed that
‘legislation not providing for any possibility for an

1 Charter, art 8(2).
2 We refer to the Court of Justice as the Court in the remainder
of this article.
3 Case C-131/12 Google Spain SL and Google Inc v Agencia Española
de Protección de Datos (AEPD) and Mario Costeja González
EU:C:2014:317 [53]; Case C-73/16 Peter Puškár v Finančné
riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej
správy EU:C:2017:725 [38].
4 Case C-434/16 Peter Nowak v Data Protection Commissioner
EU:C:2017:994 [57]; Case C-553/07 College van burgemeester en
wethouders van Rotterdam v MEE Rijkeboer EU:C:2009:293 [51].
5 Case C-49/17 Fashion ID GmbH & Co KG v Verbraucherzentrale
NRW eV EU:C:2019:629 [102].
6 GDPR, art 25 (‘Data protection by design and by default’).
7 GDPR, art 12(2).
8 Google Spain (n 3) [38]; Case C-136/17 GC and Others v
Commission nationale de l’informatique et des libertés (CNIL)
EU:C:2019:773 [37].
9 Article 29 Working Party, ‘Guidelines on the Right to Data
Portability (WP 242)’ (13 December 2016) 12.
