This article first appeared in the January/February 2024 issue of PLC Magazine.
The right of access to personal data is expected to be a key focus area for data protection regulators in both the EU and the UK into 2024. The European Data Protection Board (EDPB) has announced that its 2024 harmonized enforcement action will consider how controllers implement the right of access to personal data. In the UK, data subject access requests (DSARs) remain a priority for the Information Commissioner’s Office.
Historically, there have been differences in the way air traffic controllers in European countries handled DSAR. However, in addition to the increased regulatory emphasis in this area, recent European Court of Justice (ECJ) case law has shown that the right of access should not always be interpreted as narrowly as previously. is showing.
Differences in historical interpretation
Article 15 of the General Data Protection Regulation (679/2016/EU) (GDPR) (Article 15) gives data subjects the right to obtain confirmation from the data controller as to whether or not their personal data are being processed. If so, the data subject has the right to know information about the processing, including the purposes of the processing and the categories of personal data being processed. The controller must also provide us with a copy of the personal data being processed.
In a limited sense, the right to obtain copies of personal data does not necessarily entitle the data subject to obtain copies of documents containing personal data. In some EU jurisdictions this more restrictive view was reflected in practice until recently. Depending on the DSAR, data subjects may only be provided with a summary of their personal data rather than a copy of the document.
However, the EDPB’s guidelines on access rights emphasize the need to provide access to personal data, and not just general or categorical descriptions.
Some jurisdictions, including the United Kingdom, have followed this broader view for some time. Indeed, in the UK, data subjects are often provided with copies of documents (including by email), but the nature and amount of this is far greater than what has traditionally been provided by controllers in other European jurisdictions. exceeds.
Challenging limited perspectives
Two cases decided in 2023 considered data subjects’ rights to obtain copies of documents.
In one, the ECJ found that the controller’s obligation to provide a copy of the personal data being processed means that the data subject must be given a “faithful and intelligible copy of all the data” (FF v Osterreichsch Dechtschutzbehelde and CRIF GmbH C-487/21). provide a copy of extracts, entire documents and extracts from databases where this is essential to enable the data subject to effectively exercise his rights under Article 15(3); is needed. CRIF It has the potential to widen the scope of access rights, but much will depend on interpretation by regulators and courts as to when it is essential to provide a copy.
In the second, FT v DWthe ECJ clarified that in the doctor-patient relationship, the patient has the right to obtain a complete copy of the documents in his file (C-307/22). National law may not require the data subject to pay the costs of obtaining a copy, in order to protect the interests of the controller. The ECJ also considered the extent to which the right of access applies even if the request is made for reasons other than those listed in Regulation 63 of the GDPR (Regulation 63). That is, recognizing and verifying the legality of certain data. Controller data processing.in F.T., the data subject sought access to his data in order to take legal action against the controller. The ECJ found that the controller’s obligation to provide data subjects with a copy of their data free of charge applies even if a request is not made for the reasons set out in Recital 63.
Two further ECJ judgments in 2023 considered the right to access.in RW v Osterreichsche Post AGthe ECJ found that if personal data has been or will be disclosed to a third party, the identity of the recipient must be disclosed to the data subject upon request (C-154/21). Indicating the recipient category is sufficient only if the actual recipient cannot be identified or if the administrator can demonstrate that the DSAR is clearly unfounded or excessive.in JM v Panki Sthe ECJ held that data subjects have the right to obtain information about the date and purpose of consultation of their personal data by third parties (C-579/21). They will not be responsible for any employee consulted under the authority of the manager, unless the information is essential for the effective exercise of that right, taking into account the balance between the employee’s rights and freedoms. You have no right to know information about your identity.
Potential impact of the ECJ judgment
In Germany, the impact of these ECJ decisions on regulatory practice is likely to be significant. Some data protection authorities in Germany often adopt a more restrictive position when responding to DSARs, believing that structuring and redacting personal data is sufficient. However, the nature and scope of the right to copying continues to be contested in the courts. There is also support among German courts, particularly the Higher Regional Courts and the German Federal Court, for a more expansive interpretation of how to respond to DSARs. CRIF and F.T. This broader view is likely to apply more frequently.
Interestingly, in conjunction with the possible expansion of the response approach to DSAR, Germany is expected to expand the list of exceptions under which air traffic controllers can refuse to provide information in response to DSAR. New proposed language in the Federal Data Protection Act provides that if performance of a DSAR would disclose business secrets or trade secrets of the controller or a third party, and the interests of confidentiality override the interests of the data subject. Exceptions are provided in certain cases. Although the criteria for overriding the benefit of confidentiality are not yet clear, such an exemption would nevertheless be welcomed by administrators.
In the Netherlands, the position of the Dutch Data Protection Authority (DPA) allows for situations in which it is not necessary to provide a copy.That guidance has been updated as follows CRIF, the controller is required to provide copies of all documents containing the data subject’s personal data, if these documents are essential for a proper understanding of the context in which the data are processed. However, the guidance adds that in most cases the entire document is not required for this purpose, and a complete overview of the data is sufficient. DPA has published an example overview document for organizations to follow. This indicates that you need to provide information such as the document, date, purpose of processing, personal data, source, recipient and storage period. A similar approach was confirmed in a recent Amsterdam court case (ECLI:NL:RBAMS:2023:5815, Rechtbank Amsterdam, 22/4916).
Regarding the purpose of the request, the DPA recently confirmed in its guidance that organizations are not obliged to provide copies of documents if the data subject is seeking to collect information to substantiate a complaint or objection . Start the procedure. Recent Dutch case law allows controllers to consider access rights to be abused if they are used solely for purposes other than checking whether personal data is processed correctly and lawfully. It is stipulated that An organization seeking to invoke this defense has a high burden of proof.Impact of F.T. We don’t know yet in this area.
In France, a June 2023 decision by the National Freedom of Information Commission (CNIL) against online advertising specialist CRITEO requires controllers not only to provide the requested personal data, but also to explain how they will do so. The need to do so was emphasized. Read the data or documentation to help you understand the information provided. It also emphasized the need for administrators to provide complete information. France generally has a strict attitude towards providing copies, but requests have become more frequent in recent years, increasing the burden on administrators.
Directions for travel in the UK
ECJ decisions are not binding in the UK. However, it is generally practice in the UK to provide data subjects with a copy of the document.
The Data Protection and Digital Information Bill currently going through Parliament will make several changes in this area (See the news brief ‘New Data Protection and Digital Information Bill: What will change?’). With the aim of easing organizational capacity constraints when responding to DSARs, the Government is proposing to amend the criteria by which administrators can refuse to respond to requests or charge a reasonable fee. Masu. The current “manifestly unfounded or excessive” standard will be amended to “objectionable or excessive” in line with the Freedom of Information Act 2000. The impact of this change is unknown at this stage.
Important points about controllers
At present, due to the influence of CRIF and FT v DW Cases remain. EDP B’s focus on his DSAR in 2024 and guidelines in 2022 suggest that EU regulators will focus on ensuring that data subjects can exercise their access rights in a meaningful way. Masu. In the UK, this is also likely to remain a regulatory concern, despite proposed changes to the law.
Broader views on responding to DSARs have received mixed support from courts and regulators in Germany and the Netherlands, although France’s CNIL appears to have taken a stricter position. Many EU jurisdictions currently do not have access exemptions such as the one that exists under the UK’s Data Protection Act 2018. and the extent to which the general and limited exemptions of the GDPR are interpreted and the compilation of information in response to withholding and DSARs. There is no doubt that this will be of some concern if her approach to DSAR in the EU approaches the UK position.
While there may be uncertainty about how far-reaching rights will be needed in the future, administrators should continue to prepare for successful response to claims by focusing on process. Can be done. Maintaining processes and systems to identify and escalate requests, locate appropriate systems, collate information, and provide responses within time limits can be challenging. However, as data subjects become increasingly aware of their right to access, the effort spent in this area will be valuable.
Thanks to George Hairs for contributing to this article.