Showing posts with label right to information. Show all posts

Wednesday, 19 April 2023

EDPB updated guidelines on right of access to personal data

The European Data Protection Board (EDPB) published a few days ago an updated (second) version of its guidelines on the rights of data subjects, specifically the right of access to personal data. Any person whose personal data are processed is entitled to the right of access under Art. 15 of the GDPR. The right of access is considered one of the key rights under the GDPR, as it allows you to keep track of what personal data are being processed, by whom, on what legal basis, to whom they have been made available, etc. Although the guidelines are primarily addressed to data controllers, they contain valuable tips for data subjects, giving insight into the actual scope of our rights. It is worth familiarizing yourself with them: as consumers, we leave digital footprints almost everywhere, so it is good to know what rights we have.

So as not to sound groundless, here are some noteworthy points from the guidelines:

1. If you ask for access to your data, the controller should give you access to all your personal data that are processed, unless you expressly limit your request (e.g. to identification data or to data concerning a contract concluded on a particular day). The controller is not entitled to narrow the scope of your request arbitrarily, but may ask you to specify the request if it processes a large quantity of data.

2. Before granting access to personal data, the controller should confirm your identity in order to ensure the security of processing and minimise the risk of unauthorised disclosure of personal data. In this regard the EDPB emphasized that "as a rule, the controller cannot request more personal data than is necessary to enable this authentication, and that the use of such information should be strictly limited to fulfilling the data subjects' request" (p. 25). The GDPR does not specify how to identify the data subject, so it is up to the controller to decide which authentication method is the most appropriate. However, the method must be proportionate to the circumstances of the processing, including the type of personal data being processed (e.g. special categories of data), the context within which the request is being made, and the potential damage that could result from improper disclosure of the data. In practice, controllers sometimes fail to meet this requirement and choose methods that are convenient for them but disproportionate. The EDPB states: "In practice, authentication procedures often exist and controllers do not need to introduce additional safeguards to prevent unauthorised access to services. In order to enable individuals to access the data contained in their accounts (such as an e-mail account, an account on social networks or online shops), controllers are most likely to request the logging through the login and password of the user, which in such cases should be sufficient to authenticate a data subject. [...] Consequently, it is disproportionate to require a copy of an identity document in the event where the data subject making a request is already authenticated by the controller. [...] Taking into account the fact, that many organisations (e.g. hotels, banks, car rentals) request copies of their clients' ID card, it should generally not be considered an appropriate way of authentication" (p. 27).

3. Information requested under the right of access should be provided to the data subject without undue delay and in any event within one month of receipt of the request. This deadline can be extended by a maximum of two further months, taking into account the complexity and the number of requests the controller receives. In such a situation the data subject must be informed of the reasons for the delay. The rule, however, is that the controller should act "without undue delay", which means that the information should be given as soon as possible: "if it is possible to provide the requested information in a shorter amount of time than one month, the controller should do so" (p. 50).

4. Sometimes the controller may limit or refuse access to personal data. According to Art. 15(4) GDPR, the right to obtain a copy of the data shall not adversely affect the rights and freedoms of others. Another restriction follows from Art. 12(5) GDPR, which allows controllers to refuse requests that are manifestly unfounded or excessive, in particular because of their repetitive character. These concepts must be interpreted narrowly. The right of access may be exercised more than once, but, as indicated in recital 63 of the GDPR, "at reasonable intervals". It is not possible to determine in advance how often requests for access may be made, because this depends on the circumstances of the processing. The EDPB remarks that "the more often changes occur in the database of the controller, the more often data subjects may be permitted to request access to their personal data without it being excessive". For example, "in the case of social networks, a change in the data set will be expected at shorter intervals than in the case of land registers or central company registers" (p. 56).

These are just a few examples worth keeping in mind. For more, I recommend checking out the guidelines. 

Saturday, 28 January 2023

It is your right to know the actual identity of recipients to whom your personal data have been or will be disclosed (C-154/21 Österreichische Post)

The General Data Protection Regulation (GDPR) provides individuals (data subjects) with a number of rights. These are listed in Chapter III of the GDPR and include, inter alia, the right to be informed of the processing of personal data (Articles 13 and 14 of the GDPR), the right of access (Article 15 of the GDPR), the right to rectification (Article 16 of the GDPR), the right to erasure (Article 17 of the GDPR), etc. In mid-January 2023, the Court of Justice, in Case C-154/21 Österreichische Post, answered a question concerning one of those rights, namely the right of access.

As stated in Article 15(1) of the GDPR, "the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: […]

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; […]".

The dispute arose because the data subject requested from the controller the actual identity of the recipients to whom it had disclosed his personal data. The controller did not reveal the identity of the recipients, but informed the data subject of the "categories of recipients", indicating that they were "customers, including advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, non-governmental organisations (NGOs) or political parties" (para. 20).

Indeed, doubts arise when applying Article 15(1) of the GDPR in practice. The main question is whether it is necessary to inform the data subject about the particular recipients of the data, or whether it is enough to give notice of the general categories of those recipients. Similar doubts arise in the context of Articles 13(1)(e) and 14(1)(e) of the GDPR, which oblige the controller, as part of the information obligations it performs at the time of data collection, to inform about "the recipients or categories of recipients of the personal data, if any".

In the Court's view, Article 15(1) of the GDPR gives the right to be informed about the specific recipients of personal data and thus to know their actual identity. The Court cites several arguments in this regard:

(1) The data subjects should be guaranteed the right to know and be informed about the processing of their personal data, in particular about the recipients to whom the data are made available. This is emphasised in Recital 63 of the GDPR, which, nota bene, does not refer to the right to information about "categories of recipients of data", but generally to the right to information about "recipients of personal data" (para. 33).

(2) The controller must process personal data in accordance with the principle of transparency, which from the data subject's perspective means that information on how his or her personal data is processed should be easily accessible and comprehensible (para. 35).

(3) "Article 15 of the GDPR lays down a genuine right of access for the data subject, with the result that the data subject must have the option of obtaining either information about the specific recipients to whom the data have been or will be disclosed, where possible, or information about the categories of recipient" (para. 36).

(4) The right of access is often exercised to verify the accuracy of the data or the lawfulness of the processing. In this sense, the right of access frequently determines further actions of the data subject, i.e. the exercise of other rights under the GDPR, e.g. the right to erasure or the right to object to processing. Therefore, the complete and diligent exercise of the right of access is essential to guarantee the effectiveness of the data subject's rights (para. 38).

However, the Court recalled that the right to the protection of personal data is not an absolute right and is subject to limitations. The controller, despite an express request by the data subject, does not have to provide information on the identity of the recipients of the data if "in specific circumstances it is not possible to provide information on specific recipients" (e.g. when it is not possible to identify those recipients, para. 51), or where the data subject's request is unjustified or excessive in nature (as stated in Article 12(5)(b) GDPR).

In practice, this means that each request will have to be analysed carefully. It is certainly easier for controllers to provide general information on the categories of recipients than precise information on the identity of the recipients. For controllers with large datasets, which share data with many entities and receive many requests for access, a detailed examination of data flows may be cumbersome. What the judgment lacks, in my view, is a clarification of what the 'special circumstances' that would justify a refusal to disclose the identity of data recipients could consist of.

It appears from the CJ's reasoning that such a special circumstance may be the lack of knowledge of the future recipients (para. 48). The question is whether the difficulty of listing all data recipients because of their large number could also count as such a circumstance. In practice, this is a common problem for controllers. Yet such an interpretation does not seem acceptable. It can be said that the Court has spread a protective umbrella over data subjects, obliging controllers to be more accurate and transparent in their processing and to provide reliable and complete information to data subjects. This is a good signal for data subjects, especially consumers of various online services, as the judgment provides clear grounds for demanding detailed information about the processing of personal data.

Friday, 22 April 2022

Right to be forgotten vs. right of access to information. AG opinion in Google case (C-460/20)

Freepik (iconicbestiary)

One of the characters in a well-known movie called "The Social Network" said that the internet's not written in pencil, but it's written in ink. We know that information, once posted online, does not die, but circulates for many years. However, the General Data Protection Regulation (GDPR) guarantees us the right to erasure of our personal data (also known as the right to be forgotten), and the right to object to processing. Both rights can be exercised in certain situations specified in the regulation, such as when the data is processed unlawfully or because of a particular situation of the data subject. I will not go into details, as the purpose of this post is not to comment on the GDPR provisions, but to give an overview of an opinion delivered recently in the case C-460/20 Google by Advocate General Giovanni Pitruzzella. Although this is not the first case concerning deletion of personal data available on the Internet (see, for example, judgments of the Court of Justice in cases: C-131/12 Google Spain and Google, C-136/17 GC and Others, C-18/18 Glawischnig-Piesczek), this issue still raises doubts and will probably be the subject of preliminary questions more than once.


The case concerns the processing of personal data of a man holding senior positions in financial services companies and of his ex-partner, who was a proxy in one of those companies. A website published three articles questioning the investment model adopted by some of the companies. In addition, it posted photos of the man and his ex-partner in a luxury car, in a helicopter and in front of a plane. The photos, as well as the content of the articles, suggested that they were leading a sumptuous life at the expense of third parties. Because Google's search engine displayed links to the pages with the articles in its search results, as well as thumbnail images from the articles, the plaintiffs requested that both the links to the pages and the thumbnails be removed from the list of search results. They claimed that the articles contained a number of erroneous allegations and defamatory opinions based on untrue facts. In their opinion, they were victims of blackmail by the website.


The German Bundesgerichtshof (Federal Court of Justice) raised doubts about the interpretation of Article 17(3)(a) of the GDPR, a provision that entitles a controller to refuse to erase personal data if the processing is necessary for the exercise of the right of freedom of expression and information. The questions referred for a preliminary ruling thus concern the balancing of two conflicting fundamental rights guaranteed by the Charter of Fundamental Rights of the European Union: the right to information and freedom of expression on the one hand, and the right to respect for private life and the protection of personal data on the other.


The Advocate General recognized and emphasized in his opinion the important role of "gatekeepers" played by search engines. Their activity is essential in ensuring universal, even democratic, access to information. As he points out, "in the vast ocean of information created on the Internet, much information would remain virtually inaccessible without the intermediation of these search engines" (para. 2). At the same time, search engines exercise control over the circulation of information on the Internet, since the inclusion of a link to a website in a list of search results, on the one hand, facilitates access to the information for any Internet user and contributes to its dissemination, while on the other hand it may constitute a serious intrusion into the private sphere of the individuals to whom the information relates. Nevertheless, the rights to respect for private life and to the protection of personal data are not absolute. According to AG Pitruzzella, given the context of the case, and in particular the fact that the data subject performs a public function (more or less important, political or economic), it must be assumed that the right to information overrides the right to protection of personal data. He notes that "the confidence both of other economic operators and of consumers is a prerequisite for the proper functioning of the market. This confidence requires public access to information about persons in professional roles that is likely to affect market dynamics and consumer interests, sometimes even more markedly than the acts of policy makers. Naturally, this information is essentially that which relates to their professional roles, but can also extend to aspects of their private sphere where they are connected or, in any event, likely to impact their professional activity and affect public confidence" (para. 28).

However, there are exceptions to the rule. The right to information will not prevail if the information presented is false, even if it concerns a person who plays an important role in society. Incorrect information violates not only the protection of personal data but also the dignity of the data subject, by distorting his or her identity (para. 31). In such a situation, the right to data protection enjoys priority. The Advocate General drew this conclusion from the principle of data accuracy laid down in Article 5(1)(d) of the GDPR, according to which personal data must be accurate and, where necessary, kept up to date, while data that are inaccurate in light of the purposes of the processing must be erased or rectified without delay (para. 32). Data accuracy is one of the basic principles of the processing of personal data, and its violation implies that the processing is unlawful.


Freepik (rawpixel.com)

A special role in this respect is played by the operator of the Internet search engine, which acts as a data controller and is therefore responsible for the entire data processing. Its task is to assess whether a request to remove links to websites or images, i.e. a de facto request to erase personal data, should be granted. The search engine operator, acting as a controller under the GDPR, must balance the fundamental rights mentioned above. How should this be done? In the AG's view, some kind of "procedural data due process" should be introduced. This would impose certain obligations on both the data subject and the controller which, although not explicitly stipulated in the regulation, can be derived from its content and are intended to serve the effective implementation of the right to be forgotten. First, if the data subject claims that information about him or her is false, he or she should provide prima facie evidence of its falsity unless "this is, in particular in view of the nature of the information concerned, manifestly impossible or unduly difficult" (para. 44). Secondly, the controller should carry out a verification of the disputed information "which is within the scope of his concrete capacities". Thus, it should analyze all the data in its possession as the operator of the search engine, using the technological tools available to it. Moreover, the operator of the search engine, where possible, should "initiate rapidly an adversarial debate with the web publisher who initially disseminated the information, who will then be able to set out the reasons supporting the truth of the personal data processed and the lawfulness of the processing" (para. 45). Then, the operator will have to decide whether or not to grant the request for de-referencing. The request may be dismissed only "if substantial doubts remain as to whether the information in question is true or false, or if the weight of the false information in the context of the publication in question is manifestly insignificant and that information is not of a sensitive nature" (para. 46). The search engine operator is thus supposed to act as a quasi-court or arbiter, actively seeking the truth. In conclusion, the AG believes that appropriate activity should be required on the part of the data subject (by making it plausible that the information is false) and on the part of the controller (by comprehensively verifying the accuracy of the information).

As far as the removal of thumbnail images displayed in the results of an image search is concerned, AG Pitruzzella considers that the same principles should apply. The controller must likewise balance the rights, and in this case should take into account only the informational value of the images as such, regardless of the content they illustrate on the website from which they originate. Conversely, if "in connection with a request for de-referencing of the link to a web page, the display of photographs in the context of the content of that web page were contested, it would be the informative value that those photographs have in that context which should be taken into account for the purposes of that balancing exercise" (para. 56).


The AG's opinion is not surprising, as it is in line with the existing case law of the Court. The question is whether this position, assuming that the Court follows it, will strengthen the position of data subjects vis-à-vis the controllers, i.e. Internet search engines. It seems that the argument of universal access to information, especially information about public figures (and in the age of the Internet the boundary between "public person" and "private person" is extremely fluid and unclear), can always be used as a justification for refusing to remove links to websites from the list of search results. The right to protection of personal data conflicts here not only with the right to information, but indirectly also with the economic interests of the search engine operator, which profits from such a business model. The more information, links, clicks and views, the better. The same is true for website operators who publish content on their portals. Even the imposition of high fines for unjustified refusals of erasure requests, and thus for violating the GDPR, does not deter the "big players". However, so as not to end on such a pessimistic note, let's hope that as time goes by this trend will reverse and the right to be forgotten will become an effective tool for removing incorrect information online that undermines someone's reputation. Like a metaphorical eraser that wipes off the ink with which one writes on the Internet*.



*I refer to the words of Advocate General Maciej Szpunar in his opinion in Case C-18/18 (para. 2).