All businesses operating in the data economy will have to devote additional resources to ensuring that these rights are respected.

Transcription

1 What is it about? The proposed General Data Protection Regulation (GDPR), like the 1995 Directive before it, grants rights to data subjects regarding the processing of their personal data. The GDPR, however, goes beyond the scope of the previous legislation, granting new rights to data subjects in an effort to give them more control over who has access to their data and what can be done with it. All businesses operating in the data economy will have to devote additional resources to ensuring that these rights are respected. According to the GDPR, data subjects are guaranteed the following rights: 1 Right to certain minimum information (Arts. 11 & 14): the data controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject. 2 Right to access (Art. 15): data subjects have a right to obtain from the data controller at any time, on request (i) the purposes of the processing; (ii) the categories of personal data processed; (iii) the recipients to whom the data are disclosed; (iv) the applicable retention period; (v) information on the source of the data; and (vi) a copy of the data subject s personal data processed by or on behalf of the controller. The right to rectification (Art. 16): data subjects have the right to obtain from the controller rectification of personal data which are inaccurate and to obtain completion of incomplete personal data, including by way of supplementing a corrective statement with very little change. 4 Right to data portability (Art. 18): a general right for data subjects to transfer their data to another service provider. The Parliament s version attempts to encourage data controllers to work towards interoperability. legal obligation. 5 Right to object (Art. 19): the GDPR broadens the current right to object to data processing. In particular, a data subject is always entitled to object to processing carried out on the basis of a legitimate interest of the controller or for the purposes of direct marketing without the need to provide specific justifications. 1

2 Right to be forgotten and erasure (Art. 17) The right to be forgotten represents an attempt on the behalf of the EU to provide data subjects with more ownership and control over their data by ensuring that, if certain conditions hold, they can have it removed, corrected or restricted. These conditions include the data no longer being required for their original purpose, and the withdrawal of the consent on which the processing was based. Exemptions to this, meaning the data controller would not have to delete the data, include on the grounds of freedom of expression, and the need to use the data to carry out a contract between the data subject and the controller. The Commission s proposed text for the GDPR also introduces the obligation that data controllers take all reasonable steps to ensure that third parties to whom the data has been released are notified of the request to delete the personal data. Profiling (Art. 20) Right not to be subject to automated processing Under the GDPR, data subjects have the right not to be subject to automated processing of personal data intended to evaluate, analyse or predict any feature of their behavior, preferences or identity. Measures based on profiling are only permissible if the profiling: (i) is carried out in the course of the performance of, or entering into, a contract; (ii) is expressly authorised by a Member State law that provides suitable safeguards for the data subject s legitimate interests; or (iii) is carried out with the data subject s consent. In addition, there will be a blanket prohibition on profiling based on sensitive personal data and an express obligation to inform data subjects upfront about profiling activities. 2

3 Main challenges for the data industry Right to be Forgotten The right to be forgotten walks a delicate line between the right to privacy and freedom of expression. By including certain conditions and exemptions the institutions have attempted to find the right balance. However, as it is left to Member States to flesh out the exemption regarding freedom of expression (as set out in Art. 80) there is still the danger that this right will not be adequately protected. It should also be noted that the right to be forgotten is in some sense an impossible promise in that it cannot be guaranteed. It is therefore better to focus, both in the title and the text, on the technical actions that can be delivered, such as the deletion or restriction of data, ensuring that the text is as concise and clear as possible. Although the notification of third parties of the request to delete the personal data is worth supporting, it is important to remember that data controllers are themselves unable to ensure compliance by the third party, this is instead an issue for the relevant authorities. The text should reflect this. In addition, it sometimes may not be in data subject s interest to notify the third parties of the request for deletion as this could generate interest that the data subject would prefer to avoid. This phenomenon, known as the Streisand Effect, involves efforts to remove content inadvertently stirring up publicity. The right to be forgotten is not a new right, but was instead established by the previous 1995 Directive combined with ECJ court rulings. If the GDPR is used as an opportunity to clarify the scope and nature of this right, rather than overreaching itself and creating wide-ranging new obligations, it could represent a positive development. The right to be forgotten, as currently formulated, will particularly affect companies such as internet search engines, which will face many requests for pages to be deindexed as a result of it.

4 Profiling Profiling and big data analytics are set to play a pivotal role in the growth of the digital economy. Our digital footprints have created unprecedented opportunities for business development and service delivery. The quality of the rules on profiling will have a crucial effect on the development of a big data economy in Europe. However, the proposed profiling provisions set out in the GDPR are not proportionate or risk-based. Art. 20 seeks to address two separate kinds of risks for data subjects, related to the automated use of sets of data evaluating or predicting a wide range of personal characteristics. It does so by restricting the legal bases that can be used (in most cases only contract or explicit consent). It is important to consider the implications of these legal bases. Contract and explicit consent either require or incentivise full identification of the data subject. Profiling that is carried out using these legal bases will naturally therefore be based on data that is fully personal and linked to directly identified data subjects. The Regulation should instead incentivise the use of more privacy-protective profiles by enabling them to be based on pseudonymous data. The processing of this pseudonymous data would most appropriately be based on legitimate interest and not contract or explicit consent. Right to object The Commission s proposal places the burden of proof on the controller (or third party) to demonstrate compelling reasons why they should be allowed to continue to process data based on their legitimate interest. This introduces legal uncertainty and increases the potential for business disruption for any entity relying on this legal basis. The proposed model would give automatic validity to any frivolous or ill-informed objections, which the controller may not be able to overturn or that would suspend processing while the objection is addressed. 4

5 How to fix it One of the key objectives of the GDPR should be to adapt the EU data protection rules to the risks as well as the opportunities created by technological developments. On the right to be forgotten, the trilogue negotiators should recognize that the right to restrict, block and erase personal data have the same aim of giving data subjects control over their data. They should combine these rights in one article for the sake of clarity, renamed as the right to erasure, blocking and restriction, rather than the too vague right to be forgotten. Recognising the limitations of data controllers to affect third parties and the varied interests of data subjects, the regulation should strongly encourage notification of third parties without making it mandatory. It should maintain reference to reasonable efforts being made to notify third parties. On profiling, any rules that protect people against harmful profiling, while being subjected to a robust harm test, should be welcomed. Such a test would ensure that data subjects are protected, whilst at the same time ensuring that businesses are able to continue to customise their experiences, in line with basic principles of good business. The right to object as currently formulated in the 95 Directive is a better model than the one proposed for the GDPR. This model, whereby the data subject must justify their objections, should be kept. 5