
Wednesday, 19 April 2023

EDPB updated guidelines on right of access to personal data

The European Data Protection Board (EDPB) a few days ago published updated (second version) guidelines on the rights of data subjects, specifically the right of access to personal data. Any person whose personal data is processed is entitled to the right of access under Art. 15 of the GDPR. The right of access is considered one of the key rights under the GDPR, as it allows you to maintain control over what personal data is being processed, by whom, on what legal basis, to whom it has been made available, etc. Although the guidelines are primarily addressed to data controllers, they contain valuable tips for data subjects and give insight into the actual scope of our rights. It is worth familiarizing yourself with them: as consumers, we leave digital footprints almost everywhere, so it is good to know what rights we have.

To give this some substance, here are some noteworthy points from the guidelines:

1. If you ask for access to your data, the controller should give you access to all your personal data that are processed, unless you expressly limit your request (e.g. to identification data or to data concerning a contract concluded on a particular day). The controller is not entitled to narrow the scope of your request arbitrarily, but may ask you to specify the request if it processes a large quantity of data.

2. Before granting access to personal data, the controller should confirm your identity in order to ensure the security of processing and minimise the risk of unauthorised disclosure of personal data. In this regard the EDPB emphasized that "as a rule, the controller cannot request more personal data than is necessary to enable this authentication, and that the use of such information should be strictly limited to fulfilling the data subjects’ request" (p. 25). The GDPR does not specify how to identify the data subject, so it is up to the controller to decide which authentication method is the most appropriate. However, the method must be proportionate to the circumstances of the processing, including the type of personal data being processed (e.g. special categories of data), the context within which the request is being made, and the potential damage that could result from improper disclosure of data. In practice, controllers sometimes fail to meet this requirement and choose methods that are convenient for them but disproportionate. The EDPB states: "In practice, authentication procedures often exist and controllers do not need to introduce additional safeguards to prevent unauthorised access to services. In order to enable individuals to access the data contained in their accounts (such as an e-mail account, an account on social networks or online shops), controllers are most likely to request the logging through the login and password of the user, which in such cases should be sufficient to authenticate a data subject. [...] Consequently, it is disproportionate to require a copy of an identity document in the event where the data subject making a request is already authenticated by the controller. [...] Taking into account the fact, that many organisations (e.g. hotels, banks, car rentals) request copies of their clients’ ID card, it should generally not be considered an appropriate way of authentication" (p. 27).

3. Information requested under the right of access should be provided to the data subject without undue delay and in any event within one month of receipt of the request. This deadline can be extended by a maximum of two months, taking into account the complexity and the number of requests that the controller receives. In such a situation the data subject must be informed of the reasons for the delay. But the rule is that the controller should act "without undue delay", which means that the information should be given as soon as possible: "if it is possible to provide the requested information in a shorter amount of time than one month, the controller should do so" (p. 50).

4. Sometimes the controller may limit or refuse to give access to personal data. According to Art. 15(4) GDPR, the right to obtain a copy of data shall not adversely affect the rights and freedoms of others. Another restriction results from Art. 12(5) GDPR, which allows controllers to refuse to act on requests that are manifestly unfounded or excessive, in particular because of their repetitive character. These concepts must be interpreted narrowly. The right of access may be exercised more than once, but, as indicated in recital 63 of the GDPR, "at reasonable intervals". It is not possible to determine in advance how often it is permissible to make requests for access to data, because it depends on the circumstances of the processing. The EDPB remarks that "the more often changes occur in the database of the controller, the more often data subjects may be permitted to request access to their personal data without it being excessive". For example, "in the case of social networks, a change in the data set will be expected at shorter intervals than in the case of land registers or central company registers" (p. 56).

These are just a few examples worth keeping in mind. For more, I recommend reading the guidelines themselves.

Tuesday, 1 February 2022

Cookies, Google Analytics, transfers of PRN data and new guidelines on the right of access… Wrapping-up January events in data protection


The New Year brought some interesting developments in the data protection landscape. Here are a few January facts worth noting:


Fines imposed on Google and Facebook for non-compliance with the cookie rules 
At the beginning of January*, the French supervisory authority, Commission Nationale de l'Informatique et des Libertés (CNIL), imposed a 150 million euro fine on Google and a 60 million euro fine on FACEBOOK IRELAND LIMITED, both for violations related to the use of cookies. According to the authority, users of sites owned by the companies (namely google.fr, youtube.com and facebook.com) cannot reject cookies as easily as they can accept them. Accepting cookies is possible with a single click of a button on the page, while no equivalent option is available for refusing them. Denying consent to cookies requires more involvement on the part of the user and at least several clicks. Such a complicated refusal mechanism may act as a disincentive, so that users are more likely to accept cookies against their will. This in turn violates Article 82 of the French law transposing the provisions of the e-Privacy Directive. It also fails to meet the requirements for legally valid consent under the GDPR.
As a reminder, this is not the first sanction imposed by the CNIL on Google. In December 2020, the CNIL also fined Google LLC and Google Ireland Limited 100 million euro, because a large number of cookies used for advertising purposes were automatically deposited on users' computers without prior consent and without adequate information. The Google companies appealed the decision, but the French Council of State upheld the CNIL's decision in late January 2022.


Use of Google Analytics not compliant with the GDPR
January was not a successful month for Google in terms of data protection. In addition to the above penalties, the Austrian Data Protection Authority found that Google Analytics, a tool used on many websites, violates the protection of EU citizens' personal data.** Why? Because the tool transfers personal data to the United States, where Europeans' personal data is not adequately protected. Previously, personal data could be transferred from the EU to the US under the EU Commission's decision on the adequacy of the protection provided by the EU-US Privacy Shield, but since the CJEU declared that decision invalid in mid-July 2020, data controllers have had to base such transfers on a different legal ground (for example, standard contractual clauses). The problem is that US law does not provide sufficient protection against access to personal data by various public authorities, regardless of the legal basis on which the data is transferred. And although EU-US data transfers became illegal literally overnight, many companies continue to transfer personal data to the United States, mainly by using IT tools provided by US companies, such as Google Analytics or similar technologies. The decision of the Austrian authority is therefore not surprising, but it certainly provides another confirmation that transfers of personal data to the US are legally questionable. Companies should examine their practices and consider choosing alternative European IT tool providers. And not only companies: it looks like the European Parliament should too, as the European Data Protection Supervisor also issued a decision in January this year questioning the legality of transfers of data collected via cookies on one of the EP's websites.

EU rules on the collection of air passenger information are in line with the EU Charter of Fundamental Rights and the GDPR, but with some reservations

On 27 January, AG Pitruzzella delivered his opinion in case C-817/19 Ligue des droits humains concerning, inter alia, the interpretation of the provisions of Directive 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. AG Pitruzzella considers that the transfer of PNR data and the pre-travel screening of air passengers by means of automated processing of such data is generally compatible with Articles 7 and 8 of the EU Charter of Fundamental Rights. However, he also pointed out that such data should only be stored when necessary in view of a serious and genuine threat to security, and for a period limited to the minimum necessary.

This case deserves a wider comment and a separate blog post, so we will come back to this topic shortly, as soon as the English version of the opinion is published on the Court's website.

Guidelines on data subject rights - right of access

Finally, at the end of January, the European Data Protection Board published new guidelines on data subjects' rights, specifically on the right of access to data. For the time being, this is the version for public consultation. The feedback period is now open, so make your voice heard by March 11th!


* To be precise, the CNIL's decisions were issued on December 31, 2021, but the information about the fines was published on the authority's official website in the first days of January.
** Again, the decision was issued just before Christmas, but published on January 12, 2022.

Monday, 4 October 2021

EDPB creates cookie banner taskforce

Last week the European Data Protection Board (EDPB), the body that represents the European data protection authorities (DPAs), decided to establish a cookie banner taskforce. Why? Because of 422 complaints filed with ten different DPAs by the non-profit organization None of Your Business (NOYB), founded by Max Schrems. Responding to all these complaints certainly requires coordinated action in order to ensure uniform application of the GDPR across the EU, as well as to support the DPAs and to facilitate communication between them. Hopefully, this will also accelerate national proceedings and provide better consumer protection in the context of cookies and data processing.

Cookies and other tracking technologies have attracted the attention of several authorities in recent years. Some of them have adopted guidelines or FAQs (see for example the Spanish DPA guidelines or the French DPA guidelines and recommendations). The issue is important because in many cases the use of cookies is not in compliance with the GDPR, especially when it comes to providing information about them, collecting consent to data processing, or allowing that consent to be withdrawn. Not to mention that cookie banners can be annoying and rather discourage people from reading complex cookie policies. This is why NOYB analysed several thousand websites available in the EU to identify the most common breaches and then filed complaints where necessary. First, though, letters notifying the site controllers of the infringements were sent to them directly. Interestingly, according to NOYB's statistics, 42% of all violations were remedied within 30 days. This is not a bad result, but it certainly falls short of expectations. The most frequent violations include, inter alia: no option to reject cookies on the first layer, pre-ticked boxes, no possibility to withdraw consent as easily as it was given, and the use of a deceptive contrast or colour for the "reject" button.


What do the violators say? According to informal feedback that NOYB received, the companies usually fear that if they comply with the requirements they risk falling behind their competitors. Some of them also prefer to wait for a clear explanation from the DPAs before complying.


In other words, the question remains the same: how to have your cake and eat it too?