A key area of proposed change under the General Data Protection Regulation (“GDPR”) relates to individual rights. The proposal is both to refresh individuals’ existing rights, by clarifying and extending them, and to introduce new rights. Most notably, the GDPR creates two new rights: the (in)famous “right to be forgotten” and the right to data portability.
What does the law require today?
Currently, individuals have the following rights under the Data Protection Directive:
- The right to be provided with fair processing information – this right requires the data controller to provide individuals with certain minimum information regarding the processing of their personal data;
- The right of access – this right permits individuals to query the data controller as to whether personal data related to them are being processed. Upon request, the data controller must also provide a copy of any such personal data. This copy must be provided without excessive delay and may be subject to payment of a small fee;
- The right to object to the processing of their data – this right applies in certain limited circumstances prescribed by the Data Protection Directive;
- The right to rectification, erasure or blocking of data – this right can only be exercised when the processing is not in compliance with the Data Protection Directive;
- The right not to be subjected to solely automated processes – this right applies where such processes evaluate the individual’s personal attributes, resulting in a decision that significantly affects him or has legal consequences for him.
What will the General Data Protection Regulation require?
Proposed extension of existing rights
Most of the proposed modifications to the existing rights clarify them rather than materially extend them.
- The right to be provided with fair processing information will be expanded. The bottom line is that the data controller will need to provide more detailed information, such as the source of the data and the retention period. In addition, the GDPR requires this information to be provided in an intelligible form, using clear and plain language that is adapted for the individual. The practical effect of this requirement is that policies will need to be drafted differently depending on whether they are aimed at children or adults.
- Regarding the right of access, under the GDPR proposals, data controllers will be required to provide additional information to individuals (e.g. the storage period of the data). The proposed new requirements are somewhat more burdensome for businesses – in particular, businesses will need to set up a specific process to deal with access requests. Further, unless the request is “manifestly excessive”, data controllers will in principle be obliged to provide the information free of charge.
- The rectification right is mostly the same and the changes will have very limited practical impact.
- More significantly, the right to object is now broader as, when the processing is based on the legitimate interests of the controller or is undertaken for direct marketing purposes, the individual can object without having to provide specific justifications.
Proposed new rights
A controversial right from the start, the proposed right to be forgotten was influenced by the CJEU’s decision in the Costeja v. Google case. The Parliament has proposed renaming it the “right to erasure”, and the Council has proposed dropping the obligation on the data controller to ensure that third parties also erase the data. It therefore remains to be seen what form this right will take in the finalised GDPR.
It is likely, though, that this right would apply in one of the following scenarios:
- The data are no longer needed for the original purpose;
- The data subject has withdrawn his/her consent and there are no other grounds for the processing of the data;
- The data subject has objected to the processing;
- A court order requiring the erasure of the data has been issued;
- The processing is unlawful.
Another proposed new right is the right of data portability. This right was created in order to improve the interoperability of data processing. The proposal of the Commission puts a heavy burden on the data controller as it imposes a requirement to provide personal data to the data subject in a commonly used format. The rationale behind the proposal is to facilitate the ease of transfer of personal data from one data controller to another.
The Parliament suggests that data portability should not be a right but rather that data controllers should be encouraged to promote interoperability, whereas the Council is of the view that this right should apply only to cases where the data subject has transmitted the relevant personal data to the data controller.
As things stand, we will have to wait to see what form this right will take or whether it will be scrapped in favour of some form of encouragement for data controllers to provide data in a commonly used format.
As regards other new rights, both the European Parliament and Council have proposed a definition of profiling as a form of automated processing. One key departure from the Data Protection Directive vis-à-vis such automated processing is that explicit consent is likely to be required for profiling which produces a legal effect or significantly affects an individual. This topic will be discussed in further detail in our next blog on the GDPR.
What are the practical implications?
- All businesses will have to update and revamp their privacy policies and data protection notices to make sure that the extended rights are properly addressed. Businesses should check that the data protection notices that they provide to individuals contain all the required information.
- Businesses will need to assess whether they should put in place new or updated processes and procedures to deal with the practical implications of the extended rights, e.g. a specific procedure for dealing with access requests.
- Finally, the right to be forgotten (and the right of portability) may require changes to companies’ operational processes and IT systems, depending on what these rights will look like in their final form.