Understanding Privacy Rights Under the GDPR

The eData Guide to GDPR

September 05, 2019

Protection of the fundamental right to privacy has been the central focus and raison d’être of European data privacy regulation since the mid-20th century and is the central purpose of the General Data Protection Regulation (GDPR). Navigating the GDPR should thus begin with a clear understanding of the specific privacy rights the regulation aims to protect. Chapter 3 of the GDPR enumerates those rights, which range from the well-known “right to be forgotten” in Article 17 to the less well-known right to have incorrect information corrected. This installment of The eData Guide to GDPR provides a definition of these rights and explores their impact in more detail.

Article 15: Right of Access by the Data Subject

At its core, the right of access means the data subject has a right to know whether his or her personal data is being processed. The data controller must provide that information, as well as

  • the purpose for processing the data;
  • the types of data being processed;
  • the source of the data;
  • how long the data will be stored;
  • who has received or will receive the data; and
  • the nature of any “automated decision-making” applied to the data.

In addition, the right of access includes remedial options provided to the data subject such as

  • the right to request corrections to or deletions of the data;
  • the right to restrict or object to processing; and
  • the right to complain to a data protection authority (DPA).

The data subject must be informed of the safeguards in place for data transferred outside the European Union, and the controller must provide a copy of the data being processed upon request.

The Swedish Data Protection Authority, Datainspektionen, launched an investigation in June 2019 based on consumer complaints about the way in which a digital music service processed, or failed to process, requests for access to their personal data. Datainspektionen issued a statement on the investigation, saying, “The authority has become aware that there may be some shortcomings in how the company handles registry extracts, including that the extracts are not complete, and that the information is not sufficiently clear.” The investigation was triggered by individual complaints from data subjects combined with the large amount of personal data held by the service. It is important that data controllers have mechanisms in place to provide timely and complete responses to requests for access by data subjects, or they may find themselves the subject of similar investigations that may result in significant fines.

In a previous eData Guide to GDPR, we provided guidance to controllers on responding to data subject access requests by understanding the right of access process to ensure controllers are prepared to lawfully respond to data access requests, including a Data Access Request Checklist.

Article 16: Right to Rectification

Article 16 states that data subjects have a right to have any inaccurate personal data held by a data controller, including incomplete information, corrected “without undue delay.” Data subjects may request that their information be corrected, but the definition of what is appropriate for correction and the timing of “undue delay” are still crystallizing.

The Irish Data Protection Commission (DPC) recently ruled that people do not have an absolute right to have their names spelled correctly on public records. In late 2018, Ciarán Ó Cofaigh filed a complaint against the Irish Health Service (HSE) for spelling his name on official records without fadas, the accent marks used in the Irish language to indicate long vowels. Other similar complaints were filed with the DPC against banks that also omitted fadas in their customers’ names.

Regarding Mr. Ó Cofaigh’s complaint, the HSE made a statement that fadas were both “necessary to spell words properly” and “an integral part of a person’s given name and surname in Irish,” but that there may be computer system limitations that make the use of diacritics currently impossible. In February, a spokesperson for the DPC said that Article 16 clearly sets out the rights of a person to have their records corrected, but that the DPC was still investigating whether this included fadas.

Ultimately, the DPC, in consultation with other EU countries’ DPAs, concluded that Article 16 did not confer an “absolute right” for individuals to have their records corrected:

“The Commission liaised with our counterpart supervisory authorities in the European Union in relation to the inability of certain data controllers’ systems to record diacritical marks when documenting an individual’s name and the effect this may have on the accuracy of that recording. In this process, supervisory authorities expressed the view that the right to rectification was not absolute and that consideration must be given to the particular scenario in which the issue of the non-recording of diacritical marks arises. In particular, weighty consideration must be given to the purposes of the processing that is taking place and whether the alleged inaccurate data is used in an isolated environment or if it is used in conjunction with other personal identifiers.”


Although the DPC’s press release does not indicate which countries’ DPAs were consulted, it appears that at least some other EU member states do not view the correction of personal information as an absolute right. Where other information is available to distinguish the identity of an individual, it appears less likely from this ruling that minute corrections to data would be required.

Article 17: Right to Be Forgotten

One of the most well-known provisions of the GDPR is the “right to be forgotten.” Article 17 affords data subjects the “right to obtain from the controller the erasure of personal data . . . without undue delay,” and also confers an obligation on the controller to erase personal data in the following situations:

  • The data is no longer necessary for the original purpose for which it was collected and processed.
  • The data subject has withdrawn consent or objects, and there is no other legal basis for processing.
  • The data was unlawfully processed.
  • There is a legal obligation that requires that the data be erased.
  • The personal data of a minor was collected in relation to the offer of “information society services.” This would include services requested and provided through electronic means such as internet services or gaming apps directed specifically at children or without any age constraints.

If the personal data has been shared, the controller who has been requested to erase the data must take “reasonable steps” to inform other controllers processing such data of the data subject’s request. Neither the obligation to erase nor the obligation to inform other controllers applies where

  • the rights to freedom of expression and information might be inhibited;
  • there is a legal obligation not to erase the data;
  • there is a public health or academic research interest in the data being maintained; or
  • the data is necessary for the prosecution or defense of legal claims.

In 2015, the French DPA, CNIL (Commission nationale de l’informatique et des libertés), fined an internet search company 100,000 euros (approximately $110,000) for its failure to apply the right to be forgotten globally on its search engine (although it did comply with respect to French IP addresses). The company appealed that decision through the French courts, and ultimately to the Court of Justice of the European Union (CJEU), on the grounds that CNIL did not take into account the rights to freedom of expression and information provided in Article 17. While the CJEU has not yet ruled on the appeal, the advocate general of the European Union issued a nonbinding opinion in January 2019 that the application of the right to be forgotten should not apply outside the European Union. The judgment from the CJEU is expected later this year.

In June 2019, the advocate general released a seemingly contradictory opinion in another case involving the removal of defamatory materials on a social media site. In that case, an Austrian court found the post in question to be defamatory and ordered its removal. The site complied on a local level, but said that complying on a global level would be in violation of Directive 2000/31, which prohibits general monitoring obligations. The directive, however, does not prohibit specific monitoring obligations, and the plaintiff did not base her arguments on privacy, but rather on a defamation claim under Austrian law. The advocate general’s opinion in this case would allow for a national court to extend its reach in ordering removal of data in certain cases beyond the borders of the European Union.

The two opinions from the CJEU should be out later in 2019, which should provide a framework for removal of data under the right to be forgotten and settle the contradictory opinions currently available on this issue.

Article 18: Right to Restriction of Processing

Individuals have the right to restrict the processing of their personal data for the following reasons and in the following ways:

  • Individuals can stop the processing of their data until the controller is able to verify its accuracy.
  • The processing of the data is unlawful but the data subject does not want it to be erased.
  • The controller no longer needs the data, but the data subject has requested it for a legal claim.
  • Pending verification of “legitimate grounds” where the data subject has objected. These might include a public interest in processing the data or a “legitimate interest” on the part of the controller, such as where the data subject is a client.

The data may be stored during the verification period, but otherwise no processing can occur without the individual’s consent, or, similar to Article 17, where the data is necessary for prosecution or defense of legal claims or for an important public interest. When the restriction is lifted, the controller must inform the data subject. Data can be restricted by “temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website.”[1] What this right provides the data subject is a measure of control over how and by whom data may be used once it is given over to the controller. Generally, controllers will need to respond to requests, either by confirming compliance or rejecting the request, without “undue delay,” which has been defined by various data protection organizations as being within a month’s time.

Article 19: Right to Notification of Corrections

Article 19 provides that controllers must notify each recipient of personal data when the information is corrected or erased under Article 16 or 17, or when a processing restriction is put in place under Article 18. Note that this notification requirement is effectively a restatement of the obligation already provided in Article 17, with the addition of exceptions for impossibility or “disproportionate effort.” The controller must also inform the data subject requesting the correction that subsequent parties have been notified of the change.

Article 20: Right to Data Portability

Data subjects have the right to receive their personal data from a controller where the processing is based on the consent of the data subject or in the context of a contract. This right is already provided for in Article 15, but Article 20 provides additional details concerning whether the data must be provided to the data subject in a “structured, commonly used and machine-readable format.”

Data portability includes the right of data subjects to have their personal information transferred from one controller to another, as long as the processing is automated and is based on the individual’s consent. The exceptions to the right of portability are where the processing is done in the public interest or by exercise of an official authority, or where it impacts the rights of others.

The Dutch DPA, Autoriteit Persoonsgegevens, provides guidance on the portability of medical records; namely, that information “actively and knowingly provided” or provided “indirectly through the use of a service or device” can be transferred from one service provider to another. An example of information provided indirectly through a device would be data from a blood pressure monitor. Information not directly or indirectly provided is not portable per the Dutch DPA, such as “conclusions, diagnoses, suspicions or treatment plans that your healthcare provider establishes on the basis of the information you provide.” CNIL defines the data that is subject to portability more broadly, as data that is “pertinent and not excessive with respect to the purpose of the new processing that the person wishes to perform.”

For data controllers subject to the right of portability, it is important to have systems and processes in place that both comply with the data subject’s request and can separate the data that has to be transferred from the data that does not.

Article 21: Right to Object to Processing

Finally, the GDPR establishes a right to challenge the processing of data where the reason for processing is a “legitimate interest,” a public interest,[2] or the exercise of official authority. In those cases, the controller must show “compelling legitimate grounds” for the processing, which either must be for the prosecution or defense of a legal claim or must override the rights of the data subject.

When the reason for processing is “direct marketing purposes,” the data subject can object at any time without exception. Upon request, the controller must stop processing the data. In any case, the controller must notify data subjects of their right to object to processing the first time they communicate with them, and provide the means for objection in a manner similar to that in which they provided consent, such as through “automated . . . technical specifications.”[3]

CNIL defines limitations of the right to object, saying that the right is not absolute: “[F]or example, only a breach of contract allows the deletion of an account at your mobile operator or an e-commerce site.” If the data subject’s request to stop processing does not relate to direct marketing, the controller can justify its refusal to stop processing where

  • the data subject consented, whereby data subjects must revoke consent rather than object to the processing;
  • a contract ties the data subject to the controller;
  • the controller is subject to a legal obligation to process the data; or
  • the processing is necessary to safeguard vital interests of the person at issue or of another natural person.

The right of the data subject to object to processing is not available in many situations outside of direct marketing purposes. When faced with a request to stop processing data under Article 21, it is important to understand the relationship between the controller and the subject when assessing whether compliance with the request is necessary.

Conclusion

The GDPR affords many rights and remedies to data subjects with respect to their personal data. The extent and nuances of these rights are still largely undefined as courts and local data protection authorities continue to interpret the regulations. In the meantime, data controllers are advised to understand these enumerated rights, and to put systems and processes in place to comply with the various request requirements found in Chapter 3.

Contacts

If you have any questions or would like more information on the issues discussed in this installment of The eData Guide to GDPR, please contact any of the following Morgan Lewis lawyers:

Philadelphia
Tess Blair
Vincent M. Catanzaro
Thoth V. Weeda



[1] GDPR Recital 67.

[2] As defined in GDPR Art. 6(1)(e) and (f).

[3] GDPR Art. 21(5).