Everyone probably knows the saying that the customer is always right. Looking at how things evolve in the world of data protection, I wonder if in the near future, this saying will need to be updated.
A main objective of data protection laws has always been to protect the data subject. However, in the past, this protection was often quite theoretical and data subjects did not have a lot of means - or power - to enforce their rights.
Following the inclusion of the right to data protection in the EU Charter of Fundamental Rights, the GDPR took a drastic turn in this regard. The rights of data subjects were not only expanded with the creation of new rights, like the right to be forgotten or the right to data portability. The GDPR also introduced a number of tools aimed at giving control back to data subjects. It has now become much easier for data subjects to file complaints, both individually and via class actions. Quite recently, a consumer rights body used ads in the Brussels metro, encouraging people to sign up to its class action.
Combine all this with an unprecedented hype and you end up in a situation where virtually every data subject in the world is now aware of his/her rights, and not afraid to exercise them.
Most privacy professionals will have experienced or – best case – heard of the SAR horror stories of companies receiving dozens of data subject access requests a day. The emergence of online platforms, which make it extremely easy for data subjects to submit requests to multiple organisations at the same time, will only strengthen this trend.
These examples show that data subjects are indeed taking back (some of) the power on the basis of the GDPR.
However, it seems that their rights may be extending beyond those that the GDPR is granting them. This is why I'm arguing that we are starting to face a risk that data subjects are always right, even when they are not.
Data subjects may always be right because many of them don't take "no" for an answer. Despite their rights being very broad, most of them are not absolute rights. They are subject to specific conditions and exemptions.
As a result, companies may, on many occasions, decide not to honour a request made.
And that is generally where the real problems begin.
Let's take the situation of a data subject that exercises the right to object to a processing activity which is based on the data controller's legitimate interest. The data controller, having examined the request in detail, concludes that there are compelling legitimate grounds for the processing which allow it to continue processing the data subject's personal data.
Try explaining this to the data subject. This is typically not a dialogue but a one-way exchange of arguments. The data subject is simply not interested in taking the arguments of the data controller into consideration. He or she is of the opinion that his or her request is well founded. The data subject may even – wrongly – be convinced that his or her right to object is absolute and that the data controller must honour it.
So, once the data controller has explained its reasons for not honouring the request, the data subject will typically threaten to file (or actually file) a complaint with the DPA.
If this happens once in a while, an organisation will generally not be overly concerned. It has done the balancing act and feels it can justify its point of view, if need be. Moreover, chances are probably slim that the DPA would start investigating on the basis of one such complaint.
But what if these threats occur on a regular basis? If the DPA receives multiple complaints about your organisation, will that not attract its attention? Where there's smoke, there's fire, right?!
So, this is the dilemma: in a situation where an organisation may increase the chance of regulatory investigations by defending the position that its rights prevail over those of the data subject, would it not be tempted to take the path of least resistance and honour a right which it is not legally required to honour?
I am not claiming to have an answer to this dilemma. The response will largely depend on your organisation's culture, on your risk appetite, on how comfortable you are with your legal assessment, on the level of GDPR compliance you have already achieved, on how important the processing activity is for your business operations, and so on. In some cases, it will be better to stand your ground and accept that you may need to explain yourself to the DPA. If you are successful in doing so, you will have settled the issue once and for all, which will be greatly beneficial. In other cases, it will probably be wiser to try and avoid regulatory scrutiny by honouring the data subject's request.
Whatever decision you take, it shows that GDPR compliance is not just about complying with the black letter of the law. There are plenty of other considerations that come in the mix, which further complicate things.