EDPB updated guidelines on right of access to personal data

The European Data Protection Board (EDPB) a few days ago published updated (second version) guidelines on the rights of data subjects, specifically the right of access to personal data. Any person whose personal data is processed is entitled to the right of access under Art. 15 of the GDPR. The right of access to data is considered one of the key rights under the GDPR, as it allows you to maintain control over what personal data is being processed, by whom, on what legal basis, to whom it has been made available, etc. Although the guidelines are primarily addressed to data controllers, they contain valuable tips for data subjects, providing insight into the actual scope of our rights. It's good to familiarize yourself with them, because as consumers, we leave digital footprints almost everywhere, and as a result, it's good to know what rights we have.

Just not to sound groundless, here are some noteworthy points from the guidelines: 

1. If you ask for access to your data the controller should give you access to all your personal data that are processed, unless you expressly limit your request (e.g. to identification data or data concerning a contract concluded on a particular day). The controller is not entitled to narrow the scope of your request arbitrarily, but may ask you to specify the request if he processes a large quantity of data.

2. Before granting access to personal data, the controller should confirm your identity in order to ensure the security of processing and minimise the risk of unauthorised disclosure of personal data. In this regard the EDPB emphasized that "as a rule, the controller cannot request more personal data than is necessary to enable this authentication, and that the use of such information should be strictly limited to fulfilling the data subjects’ request" (p. 25). The GDPR does not precise how to identify the data subject, so it is up to the controller to decide which authentication method is the most appropriate. However, the method must be proportionate to the circumstances of the processing, including the type of personal data being processed (e.g. special categories of data), the context within which the request is being made, potential damage that could result from improper disclosure of data). It happens that controllers fail to meet this requirement and choose methods that are convenient for them, but disproportionate. The EDPB states: "In practice, authentication procedures often exist and controllers do not need to introduce additional safeguards to prevent unauthorised access to services. In order to enable individuals to access the data contained in their accounts (such as an e-mail account, an account on social networks or online shops), controllers are most likely to request the logging through the login and password of the user, which in such cases should be sufficient to authenticate a data subject. [...] Consequently, it is disproportionate to require a copy of an identity document in the event where the data subject making a request is already authenticated by the controller. [...] Taking into account the fact, that many organisations (e.g. hotels, banks, car rentals) request copies of their clients’ ID card, it should generally not be considered an appropriate way of authentication" (p. 27).

3. Information requested as part of data access right should be provided to the data subject without undue delay and in any event within one month of receipt of the request. This deadline can be extended by a maximum of two months taking into account the complexity and the number of the requests that the controller receives. In such a situation the data subject must be informed about the reasons for delay. But the rule is that the controller should act "without undue delay", which means that the information should be given as soon as possible - "if it is possible to provide the requested information in a shorter amount of time than one month, the controller should do so" (p. 50).

4. Sometimes the controller may limit or refuse to give access to personal data. According to Art. 15(4) GDPR, the right to obtain a copy of data shall not adversely affect the rights and freedoms of others. Another restriction results from Art. 12(5) GDPR which enables controllers to override requests that are manifestly unfounded or excessive, in particular because of their repetitive character. These concepts must be interpreted narrowly. Data access right may be exercised more the once, but as it was indicated in recital 63 of the GDPR - "at reasonable intervals". It is not possible to determine in advance how often it is permissible to make requests for access to data, because it depends on processing circumstances. The EDPB remarks that "the more often changes occur in the database of the controller, the more often data subjects may be permitted to request access to their personal data without it being excessive". For example, "in the case of social networks, a change in the data set will be expected at shorter intervals than in the case of land registers or central company registers" (p. 56).

These are just a few examples worth keeping in mind. For more, I recommend checking out the guidelines. 

It is your right to know the actual identity of recipients to whom your personal data have been or will be disclosed (C-154/21 Österreichische Post)

The General Data Protection Regulation (GDPR) provides individuals (data subjects) with a number of rights. These are listed in Chapter III of the GDPR and include, inter alia, the right to be informed of the processing of personal data (Articles 13 and 14 of the GDPR), right of access (Article 15 of the GDPR), right to rectification (Article 16 of the GDPR), right to erasure (Article 17 of the GDPR) etc. In mid-January 2023, the Court of Justice in Case C-154/21 Österreichische Post answered a question concerning one of those rights, namely the right of access.

As stated in Article 15(1) of the GDPR „the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: […]

(c)  the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; […].

The dispute concerned the fact that the data subject requested from the controller the actual identity of the recipients to whom he was disclosing his personal data. However, the controller did not reveal the identity of the recipients, but informed the data subject of the "categories of recipients", indicating that they were „customers, including advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, non-governmental organisations (NGOs) or political parties” (para. 20). 

Indeed, doubts arise when applying Article 15(1) of the GDPR in practice. The main question is whether it is necessary to inform about the particular recipients of the data, or would it be enough to notice about general categories of these recipients? Similar doubts arise in the context of Articles 13(1e) and 14(1e) of the GDPR, which oblige the controller, as part of its information obligations performed at the time of data collection, to inform about "the recipients or categories of recipients of the personal data, if any".

In the Court's view, Article 15(1) of the GDPR gives the right to be informed about the specific recipients of personal data and thus to know their actual identity. The Court cites several arguments in this regard:

(1) The data subjects should be guaranteed the right to know and be informed about the processing of their personal data, in particular about the recipients to whom the data are made available. This is emphasised in Recital 63 of the GDPR, which, nota bene, does not refer to the right to information about "categories of recipients of data", but generally to the right to information about "recipients of personal data" (para. 33).

(2) The controller must process personal data in accordance with the principle of transparency, which from the data subject's perspective means that information on how his or her personal data is processed should be easily accessible and comprehensible (para. 35).

(3) „Article 15 of the GDPR lays down a genuine right of access for the data subject, with the result that the data subject must have the option of obtaining either information about the specific recipients to whom the data have been or will be disclosed, where possible, or information about the categories of recipient” (para. 36).

(4) The right of access is often exercised to verify the accuracy of the data or the lawfulness of the processing. In this sense, the right of access frequently determines further actions of the data subject, i.e. the exercise of other rights under the GDPR, e.g. the right to erasure or the right to object to processing. Therefore, the complete and diligent exercise of the right of access is essential to guarantee the effectiveness of the data subject's rights (para. 38).

However, the Court reminded that the right to the protection of personal data is not an absolute right and is subject to limitations. The controller, despite an express request by the data subject, does not have to provide information on the identity of the recipients of the data if "in specific circumstances it is not possible to provide information on specific recipients" (e.g. when it is not possible to identify those recipients - para. 51), and furthermore when the data subject's request is unjustified or excessive in nature [as stated in Article 12(5b) GDPR].

In practice, this means that each request will have to be carefully analysed. It is certainly easier for controllers to provide general information on the categories of recipients rather than precise information on the identity of the recipients. For controllers with large datasets, who share data with many entities and receive many requests of data access, a detailed examination of data flows may be cumbersome. What the judgment lacks, in my view, is a clarification of what the 'special circumstances' that would justify a refusal to disclose the identity of data recipients could consist of. 

It appears from the CJ's reasoning that such a special circumstance may be the lack of knowledge of the future recipients (para. 48). The question is whether such a circumstance could be the difficulty of stating all data recipients due to their large number. In practice, this is a common problem for controllers. Yet, such an interpretation does not seem to be acceptable. It can be said that the Court has spread a protective umbrella over data subjects, obliging controllers to be more accurate, transparent in their processing and to provide reliable and complete information to data subjects. This is a good signal for data subjects, especially consumers of various online services, as the judgment provides clear grounds for demanding detailed information about the processing of personal data. 

December wrap-up of data protection cases (Google, Österreichische Datenschutzbehörde and Pankki S)

The end of the month (and the end of the year as well) is a good moment for summaries. This time we are taking a closer look at events in the area of data protection law. December was a month with a couple of interesting events, so here is a brief recap. 

Dereferencing allegedly inaccurate content (C-460/20 Google)

The case concerned two executives of a group of investment companies (a board member and a proxy) who asked Google to remove search results linking their names to certain articles criticising the group's investment model. They exercised the so-called right to be forgotten, guaranteed under Article 17(1) of the GDPR, claiming that the information presented contained false claims and defamatory opinions. They also wanted Google to remove their thumbnail images from the search results. Google rejected these requests, arguing that it does not know whether the information contained in the articles is true or not.

In cases involving the erasure of data from a search engine operator's search results, two rights usually collide: the public's right of access to information (especially about persons holding public positions) and the individual's right to protection of his or her personal data, including the right to erasure, protection of his or her good name, image, etc. The same problems were considered in this case, as we wrote about when reporting on the AG's opinion issued in the proceedings. In the ruling of 8th December 2022 the Court held that the person requesting the deletion of data is obliged to show that the information is manifestly inaccurate. "However, in order to avoid imposing on that person an excessive burden which is liable to undermine the practical effect of the right to de-referencing, that person has to provide only evidence that, in the light of the circumstances of the particular case, can reasonably be required of him or her to try to find in order to establish that manifest inaccuracy" (para. 68). It means that such a person cannot be required to present a judicial decision made against the publisher of the website in question, even in the form of a decision given in interim proceedings, since it would be an unreasonable burden imposed on such a person. At the same time "the operator of the search engine concerned cannot be required to investigate the facts and, to that end, to organise an adversarial debate with the content provider seeking to obtain missing information concerning the accuracy of the referenced content" (para. 71). Therefore, if the person who made a request for de-referencing submits relevant and sufficient evidence showing the manifest inaccuracy of the information found in the referenced content, the operator of the search engine is required to accede to that request for de-referencing. But an operator should not grant a request if the inaccurate character of the information is not obvious in the light of the evidence presented (para. 72&73). 

As regards the thumbnails the Court concluded that "a separate weighing-up of competing rights and interests is required depending on whether the case concerns, on the one hand, articles containing photographs which are published on an internet page and which, when placed into their original context, illustrate the information provided in those articles and the opinions expressed in them, or, on the other hand, photographs displayed in the list of results in the form of thumbnails by the operator of a search engine outside the context in which they were published on the original internet page" (para. 101). The Court also stated that the informative value of those images should be taken into account independently of the context of their publication on the website from which they originate, nevertheless taking into account all the content that directly accompanies the display of those images in the search results and that can explain the informative value of those images (para. 108).

The concept of a "copy of personal data" under the Article 15(3) of the GDPR. AG Pitruzzella opinion on Österreichische Datenschutzbehörde case (C‑487/21)

The dispute arose over the interpretation of Article 15(3) of the GDPR, which provides that a data subject, as part of the right of access to one's personal data, may obtain a copy of that data. The complainant requested an exact copy of the data processed by the controller, including full copies of documents containing his personal data. However, the controller provided only some of the requested information as an aggregate that reproduced the stored personal data of the data subject in a table broken down by name, date of birth, street, postal code, and place, and in a statement summarising corporate functions and powers of representation. As part of the proceedings, the national court decided to refer several questions concerning the interpretation of Article 15(3) of the GDPR to the Court. 

On 15 December 2022, the AG delivered an opinion stating that the concept of “copy” referred to in Article 15(3) of the GDPR must be understood as "a faithful reproduction in intelligible form of the personal data requested by the data subject, in material and permanent form, that enables the data subject effectively to exercise his or her right of access to his or her personal data in full knowledge of all his or her personal data that undergo processing – including any further data that might be generated as a result of the processing, if those also undergo processing – in order to be able to verify their accuracy and to enable him or her to satisfy himself or herself as to the fairness and lawfulness of the processing so as to be able, where appropriate, to exercise further rights conferred on him or her by the GDPR". The AG underlined that this provision does not, in principle, entitle the data subject to obtain a full copy of documents containing the personal data, but, at the same time, does not exclude the need to provide that person with extracts from documents, whole documents or extracts from databases if that is necessary to ensure that the personal data undergoing processing are fully intelligible.

Right to know the identity of the persons who had access to one's personal data. AG Campos Sánchez-Bordona on Pankki S case (C-579/21)

The third case also concerned the right of access to personal data, but from a different perspective. Data subject wanted to know who exactly (among the employees of the financial institution) had access to his personal data at the time when he was a customer of that institution and an employee thereof. The controller refused to provide names of the employees arguing that Article 15 of the GDPR does not apply to log data of the institution's data processing system and that the information requested does not relate to personal data of the data subject, but to the personal data of the employees. 

The AG approved the controller's view and stated that Article 15(1) of the GDPR "does not give the data subject the right to know, from among the information available to the controller (where applicable, through records or log data), the identity of the employee or employees who, under the authority and on the instructions of the controller, have consulted his or her personal data". In justifying his opinion, he pointed out that "the identity of individual employees who have handled the processing of customer data is particularly sensitive information from a security point of view, at least in certain economic sectors" (para. 76). Disclosure of employees' data could expose them to attempts by customers of the banking institution to exert pressure and influence. Nevertheless, the AG noted that if a data subject has reasonable doubts about the integrity or impartiality of an individual who has participated on behalf of the controller in the processing of his or her data, this could justify the interest of that customer in knowing the identity of the employee in order to exercise the customer's right to take an action against that employee (para. 78; nb. in the relevant case the data subject made his request, in particular, in order to clarify the reasons for his dismissal).

Cookies, Google Analytics, transfers of PRN data and new guidelines on the right of access… Wrapping-up January events in data protection

The New Year brought us some interesting developments in the data protection landscape. There are a few January facts worth noting:

Fines imposed on Google and Facebook for non-compliance with the cookie rules 

At the beginning of January*, the French supervisory authority, Commission Nationale de l'Informatique et des Libertés (CNIL), imposed a 150 million euro fine on Google and a 60 million euro fine on FACEBOOK IRELAND LIMITED - both for violations related to the use of cookies. According to the authority, users of sites owned by the companies (namely google.fr, youtube.com and facebook.com) cannot reject cookies as easily as they can accept them. Accepting cookies is possible with a single click of a button on the page, while the equivalent option is not available for refusing cookies. Denying consent to cookies requires more involvement on the part of the user and at least several clicks. As a result, such a complicated refusal mechanism may act as a disincentive for users, so that they are more likely to accept cookies against their will. This in turn violates Article 82 of the French law transposing the provisions of the e-Privacy Directive. It also fails to meet the requirements of legally binding consent under the GDPR.

Freepik.com

As a reminder, this is not the first sanction imposed by the CNIL on Google. In December 2020, the CNIL also fined Google LLC and Google Ireland Limited 100 million euro, because a large number of cookies used for advertising purposes was automatically deposited on a user's computer, without obtaining prior consent and without providing adequate information. The Google companies filed an appeal against the decision, but the French Council of State in late January 2022 upheld the CNIL's decision. 

Use of Google Analytics not compliant with the GDPR

January was not a successful month for Google in terms of data protection. In addition to the above penalties, the Austrian Data Protection Authority found that a tool used on many websites, Google Analytics, violates the protection of EU citizens' personal data.** Why? Because the tool transfers personal data to the United States, and in the US, Europeans' personal data is not adequately protected. Previously, personal data from the EU to the US could be transferred under the EU Commission's decision on the adequacy of the protection provided by the EU-US Privacy Shield, but since the CJEU declared that decision invalid in mid-July 2020, data controllers should base data transfers on a different legal ground (for example, on standard contractual clauses). The problem is that the US law does not provide sufficient protection against access to personal data by various public authorities, regardless of the legal basis on which personal data is transferred. And regardless of the fact that EU-US data transfers became illegal literally overnight, many companies continue to transfer personal data to the United States, mainly using IT tools provided by US companies, just like Google Analytics or other similar technologies. The decision of the Austrian authority is therefore not surprising, but it certainly provides another confirmation that transfers of personal data to the US are legally questionable. Companies should examine their practices and consider choosing alternative European IT tool providers. But not only companies! Looks like the European Parliament should too - the European Data Protection Supervisor also issued a decision in January this year in which he questioned the legality of data transfers collected via cookies on one of the EP's websites. 

Freepik.com

EU rules on the collection of air passenger information are in line with the EU Charter of Fundamental Rights and the GDPR, but with some reservations

On the 27th of January, AG Pitruzzella delivered his opinion in case C-817/19 Ligue des droits humains concerning, inter alia, the interpretation of the provisions of Directive 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. AG Pitruzzella assumes that the transfer of PNR data and the pre-travel screening of air passengers by means of automated processing of such data is generally compatible with Articles 7 and 8 of the EU Charter of Fundamental Rights. However, he also pointed out that such data should only be stored when necessary in view of a serious and genuine threat to security and for a period limited to the minimum necessary. 

This case deserves a wider comment and a separate blog post, so we will come back to this topic shortly, as soon as the English version of the opinion is published on the Court's website. 

Guidelines on data subject rights - right of access

Finally, at the end of January, the European Data Protection Board published new guidelines on data subjects' rights, specifically on the right of access to data. For the time being, this is the version for public consultation. The feedback period is now open, so make your voice heard until March 11th!

* To be precise - CNIL's decisions were issued on December 31, 2021, but the information about the fines was published on the authority's official website in the first days of January. 

** Again, the decision was issued just before Christmas, but published on January 12, 2022.