Getting Data Subject Rights Right A submission to the European Data Protection Board from international data rights academics, to inform regulatory guidance

Author:Jef Ausloos, Réne Mahieu, Michael Veale
Position:Postdoctoral Researcher Institute for Information Law, University of Amsterdam/Law, Science, Technology & Society (LSTS), Vrije Universiteit Brussel/Lecturer in Digital Rights & Regulation Faculty of Laws, University College London and the Alan Turing Institute
Pages:283-309
SUMMARY

We are a group of academics active in research and practice around data rights. We believe that the European Data Protection Board (EDPB) guidance on data rights currently under development is an important point to resolve a variety of tensions and grey areas which, if left unaddressed, may significantly undermine the fundamental right to data protection. All of us were present at the recent... (see full summary)

 
FREE EXCERPT
Getting Data Subject Rights Right
2020
283
3
Getting Data Subject Rights Right
A submission to the European Data Protection Board from
international data rights academics, to inform regulatory
guidance
by Jef Ausloos, Michael Veale and René Mahieu
© 2019 Jef Ausloos, Michael Veale and René Mahieu
Everybody may disseminate this ar ticle by electronic m eans and make it available for downloa d under the terms and
conditions of the Digital P eer Publishing Licence (DPPL). A copy of the license text may be obta ined at http://nbn-resolving.
de/urn:nbn:de:0009-dppl-v3-en8.
Recommended citation: Je f Ausloos, Michael Veale and René Mahieu, Get ting Data Subject Rights Rig ht, 10 (2019) JIPITEC
283 para 1.
Summary
We are a group of academics active in research and
practice around data rights. We believe that the
European Data Protection Board (EDPB) guidance
on data rights currently under development is an
important point to resolve a variety of tensions
and grey areas which, if left unaddressed, may
signicantly undermine the fundamental right to
data protection. All of us were present at the recent
stakeholder event on data rights in Brussels on 4
November 2019, and it is in the context and spirit of
stakeholder engagement that we have created this
document to explore and provide recommendations
and examples in this area. This document is based on
comprehensive empirical evidence as well as CJEU
case law, EDPB (and, previously, Article 29 Working
Party) guidance and extensive scientic research
into the scope, rationale, effects and general
modalities of data rights.
A. Main Takeaways
1
The rst half of this document lists recommendations
for the four data subject rights mentioned in the
EDPB’s plan to draft guidelines: right of access (Article
15); right to rectication (Article 16); right to erasure
(Article 17); and the right to restriction of processing
(Article 18). The second half of this document takes
a step back and makes recommendations on the
broader issues surrounding the accommodation of
data subject rights in general.We strongly advise
the EDPB to consider the following points in its
Guidance:
2
The interpretation and accommodation of data
subject rights should follow established CJEU case
law requiring an ‘effective and complete protection
of the fundamental rights and freedoms’ of data
subjects and the ‘efcient and timely protection
of their rights.
3 The right of access plays a pivotal role in enabling
other data rights, monitoring compliance and
guaranteeing due process. Analysis of guidance,
cases, and legal provisions indicates data controllers
cannot constrain the right of access through unfair
le format, scope limitations, boiler-plate response,
and that where data sets are complex, they should
facilitate tools to enable understanding.
4
The right to erasure is not accommodated by
anonymising personal data sets. In case the same
personal data is processed for different processing
purposes some of which may not be subject to the
right to erasure, data controllers should interpret
erasure requests as a clear signal to stop all other
processing purposes that are not exempted.
2020
Jef Ausloos, Michael Veale and René Mahieu
284
3
5
The right to object offers a context-dependent
and individualised re-assessment of the relevant
processing purposes, specically in relation to the
data subject’s concrete situation. Data controllers’
potential compelling legitimate interests should be
detailed, publicly declared and foreseeable, in order
to be able to override data subjects’ clear desire to
stop the respective processing operation.
6 The right to restriction of processing — currently
ignored by most data controllers — should be
prioritised in time and effectively ‘freeze’ any
further processing operations. Information society
services should offer this through an interface.
7 The right to rectication applies to opinions and
inferences of the data controller, including proling,
and must consider that the vast majority of data is
highly subjective.
8
(Joint) controllers have an explicit duty to facilitate
the exercise of data subject rights and cannot
require specic forms or legislative wording as a
precondition for accommodating them.
9 Restrictions or limitations on how data rights are
accommodated (eg rights and freedoms of others,
excessiveness, repetitiveness) need to be foreseeable
and interpreted narrowly and specically in light
of the concrete and specic right, data subject and
context at hand.
B. Background
10
Data subject rights are of critical importance in
the European data protection regime. Throughout
all discussions of their scope and limits, it must be
recalled that rights are not simply a way to police
that sufcient data protection is occurring, but they
are an intrinsic part of the fundamental right to data
protection enshrined in the Charter of Fundamental
rights, which states that:
Everyone has the right of access to data which has been
collected concerning him or her, and the right to have it
rectied.1
11 Data rights must, in general, be implemented with
several observations of the Court of Justice of the
European Union in mind.2 The Court has held that
one of the key objectives of data protection law
is the effective and complete protection of the
fundamental rights and freedoms of natural persons
with respect to the processing of personal data.3
1 Charter, art 8(2).
2 We refer to the Court of Justice as the Court in the remainder
of this article.
3 Case C-131/12 Google Spain SL and Google Inc v Agencia Española
12 We can see this principle in operation in relation to
data rights which are prerequisites to others. The
Court held that the right of access is a pre-requisite
to the ‘rectication, erasure or blocking’ of data, and
thus the existence (and extent) of the right of access
must allow effective use of other data rights.4
13
The Court has also held that provisions of data
protection law must be interpreted as to give
effect to the efcient and timely protection of
the data subject’s rights.5 Furthermore, it is critical
to consider data rights in light of the overarching
principles of transparency and fairness in the
GDPR. Data controllers are not permitted to frustrate
data subjects in their attempts to benet from the
high level of protection that follows from their
fundamental rights. Indeed, they have to both
implement data rights6 as well as facilitate the
exercise of such rights.7
14
Relatedly, the Court has also highlighted that
data protection should be understood within the
framework of the responsibilities, powers and
capabilities of a data controller.8 As the European
Data Protection Board has already pointed out,
‘information society or similar online services that
specialise in automated processing of personal data’
are highly capable at classifying, transmitting and
managing personal data in automated ways, and as
a result9 meet data rights in an effective, complete,
efcient, and timely manner.
15
Finally, the Court has also linked the ability to
effectively exercise data subject rights with the
fundamental right to effective judicial protection
in Article 47 Charter. Specically, it stressed that
‘legislation not providing for any possibility for an
de Protección de Datos (AEPD) and Mario Costeja González
EU:C:2014:317 [53]; Case C-73/16 Peter Puškár v Finančné
riaditeľstvo Slovenskej republiky and Kriminálny úrad nančnej
správy EU:C:2017:725 [38].
4 Case C434/16 Peter Nowak v Data Protection Commissioner
EU:C:2017:994 [57]; Case C-553/07 College van burgemeester en
wethouders van Rotterdam v MEE Rijkeboer EU:C:2009:293 [51].
5 Case C-49/17 Fashion ID GmbH & CoKG v Verbraucherzentrale
NRW eV EU:C:2019:629 [102].
6 GDPR, art 25 (‘Data protection by design and by default’).
7 GDPR, art 12(2).
8 Google Spain (n 3) [38]; Case C136/17 GC and Others v
Commission nationale de l’informatique et des libertés (CNIL)
EU:C:2019:773 [37].
9 Article 29 Working Party, ‘Guidelines on the Right to Data
Portability (WP 242)’ (13 December 2016) 12.

To continue reading

REQUEST YOUR TRIAL