20

The format of data provided pursuant to the right of access is very important for the effective use of the right by the data subject. It should be considered that data subjects who exercise their rights have different legitimate reasons for doing so and that they have different backgrounds and capabilities. It follows that the data format which is most appropriate to these different situations must vary accordingly. We therefore recommend that the layered approach advocated by the A29WP in the context of privacy statements/notices, [19] should equally apply to information provided through Article 15 access requests. Following this insight, we analyse first (in the remainder of 3.1) the limits of relying on PDFs to provide access, the need to provide access to all data, and the benefits of doing so in a machine readable format; and second (in 3.2) why the complexity of data processing should not be accepted as an argument to limit the access to all data, but rather to put an obligation on the data controller to provide the conditions necessary to render the complex data intelligible.

21

In older data systems, where the number of data points on any given individual was considerably smaller than it often is today, a simple print-out or summary would suffice to give the data subject oversight as to the content of the data undergoing processing. [20] Today, however, many data systems collect such a large number of data points, that only a format that allows the data subject to analyse data themselves will allow them to have sufficient oversight over the data processing being undertaken.

22

Firstly, it can and should be understood as part of the principle of fairness that a data controller should not transform data from the machine-readable format they hold it in [21] into a format that makes it more difficult for the data subject to navigate. Information society services can only analyse the data they hold about individuals by virtue of its machine-readable nature. To refuse individuals the same ability exacerbates the informational and power asymmetries that the right of access, and the fundamental right of data protection in general, seeks to rebalance.

23

In particular, data controllers should not transform data from common machine-readable formats (eg JSON, CSV) into PDF formats. Portable document format, or ‘PDF’, is a file designed for printing, not for analysis. The A29WP recognised this in their guidance on the right to portability, stating that

As an example, providing an individual with .pdf versions of an email inbox would not be sufficiently structured. E-mail data must be provided in a format which preserves all the meta-data, to allow the effective re-use of the data. As such, when selecting a data format in which to provide the personal data, the data controller should consider how this format would impact or hinder the individual’s right to re-use the data. [22]

24

Because PDFs are designed for printing, they are notoriously difficult to extract data from — so much so, that table extraction from PDFs is an academic area of study, which researchers even deploy neural networks and deep learning for in an attempt to solve. [23] Transforming data into PDFs unwantedly only disadvantages the data subject and forecloses analysis opportunities. Even formats such as HTML, ODF, ODT, XLSX or DOCX are more reusable and can be parsed by machines.

25

Furthermore, PDFs score extremely poorly for individuals who need accessible information online. Individuals who require or are assisted by accessible information include those with cognitive disabilities, those with vision impairments, those with physical disabilities and those with hearing impairments.  [24] A study of 100 blind screen-reader users found that inaccessible PDFs were one of the main causes of frustration while browsing the Web.  [25] Accessible PDFs in practice are rarely found, are difficult to create and often require consultants and in-depth planning and expert knowledge.  [26] In general PDFs are not tools that lends themselves to accessibility across the population.  [27] In the authors’ experience, many data controllers provide screenshots of databases as visible to their support staff — a format which is both unable to be re-used by the data subject, and totally inaccessible to visually impaired users. The guidance should be very clear that screenshots in general are not an appropriate manner of providing access rights for services which rely heavily on the automatic processing of personal data, such as information society services.

26

The common practice of limiting access to the data that is visible through the interfaces, which is available to support staff has other limiting implications for the right of access. First, not all the personal data processed in a system may be visible through the interface used for day-to-day operations. Second, support staff may only have access to a subset of all the systems in which personal data is processed. Just because personal data is not used in a day-to-day business practice by frontline workers, it is not an appropriate reason to exclude it from access. If data is held, it falls within the scope of the right to access.

27

A specific area of concern in this regard is ‘deleted’ data. In many common implementations of database software, the processing operation that is commonly referred to as ‘deleting’ merely changes a label attached to a data-point. For example, an individual may have pressed a ‘delete’ button on a social media post, or an old address may seem ‘deleted’ when overwritten with a new address, but that does not necessarily mean associated data is deleted from the controller’s servers. While this practice may, depending on the circumstances, be appropriate, it is important to stress that such data still exists in the system, and therefore falls under the reach of the right of access to personal data. On websites and apps today, this data may have even been typed and then deleted (without ever having pressed ‘submit’ or ‘send’), or only partially uploaded (from the user’s point of view), yet still retained by the data controller.  [28]

28

Often, data is necessarily complex. Datasets include, for example, those which record varied data subject activity over time, such as their interaction with information society services. Such interactions may not be classed within a single variable (eg clicked, played, watched) but may consist of multiple bundled and nested variables, some with multiple values.

29

Complexity of data should not be a reason not to provide the ‘raw’, maximally complex, data upon request. However, it may be a reason to develop a layered approach for individuals who may not be able to parse the dataset.

30

In many cases, raw data will likely be represented within the data controller in a flexible format such as JSON. A JSON file is simply a way of arranging a text file in a human-readable, yet machine-parseable, way as to describe a flexible data object. For example, the below is an entry from John Smith, which contains some biographical information about John.

31

Observe that, for example, in a JSON a nested structure is present: more than one telephone number is provided, and if John Smith had children, these children could be a similar data record to John’s own, nested in the ‘children’ key. This format is not tabular, and to convert it to tabular data would generally lose information. This is because each record might have different ‘keys’ (think columns in a table), and a different number of values for each key (think cells).

32

To illustrate the policy challenges, and guidance requirements, of datasets such as those in JSON format, we will provide a truncated extract from an access request to a popular music service and data controller, Spotify. Spotify provided telemetry data to one of the authors in mid-2018 on the basis of a data access right. The telemetry data Spotify held from the previous six months alone amounted to 845 megabytes of plain text files (TXT files in JSON structure). The following entry appears to relate to the adding of a single song (‘No Man is Big Enough for My Arms’ by Ibeyi) to a playlist. The actual entry for this single action was 171 lines long, only 66 illustrative lines are reproduced here.

33

Some of this data comes with a relatively clear description, such as:

34

Other data are less clear or completely opaque, such as:

35

Some data is technically obfuscated. For example:

36

Both of these variables are among several in the text which are filled with ‘escaped’ Unicode characters with no clear representation (eg ‘\ufffd’). Even when these are removed, we could not understand the meaning of these sequences. If there is a decoding mechanism for these variables, it was not provided to the data subject. The specific song that was added was only accessible through the Spotify identifier, which can be resolved manually through the Spotify App, and requires further interaction with the service (and, of course, further data collection on this interaction by Spotify).

37

Whereas it is important for data controllers to be able to provide all personal data they have on a data subject in raw format, it is equally important that they ensure data subjects can easily access and understand such data (Article 12(1)). This is particularly important with regard to data controllers of complex data-ecosystems as illustrated above. We therefore recommend the EDPB to stress that accommodating the right of access should – where needed – include the tools rendering the entire data-set understandable. Put differently, the layered approach heavily advocated by the A29WP in the context of privacy statements/notices, [29] equally applies to subject specific information provided through Article 15 access requests.

38

In some cases, the risk of processing, and the requirement for the data controller to facilitate rights and design data protection into processing systems, may require a bespoke exploration interface to be designed for such complex datasets. However, particularly if the guidance determines that some data controllers would not be required to create such tools, it is key that they release data in a format which allows such tools to be made by third parties. This requires, for example, that the datasets (such as the Spotify example above) are stable in their format (so that analysis tools made by civil society do not break), well-documented (so that faithful analysis tools can be created), and not contingent on hidden datasets for understanding (such as reference dataset linking song names to identifiers).

39

The fact that opinions and inferences can qualify as personal data has been confirmed by the CJEU, which noted that the term ‘any information’ in the definition of personal data includes information that is ‘not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject’. [30] The test of whether data ‘relates’ to an individual is satisfied where it is linked to a person ‘by reason of its content, purpose or effect’. [31]

40

Access to opinions about individuals can become contentious in cases where those opinions are expressed in a professional context by third parties, such as written or oral evidence provided as part of a human resources dispute, yet recorded on a file about individuals. In those cases, it is an instance of ‘mixed personal data’ and should be navigated as such. This is dealt with later in this document. [32]

41

Opinions or inferences formed of the data subject by the data controller, however, should not merit a similar exemption. In practice, these inferences can range from a quantitative or ‘predictive’ assessment of employment performance using manual or automated surveillance tools [33] to profiling of data subjects by information society services. [34] Access to these opinions and inferences is key to a variety of other rights and obligations in the GDPR, such as rectification, objection, erasure, as well as the broad assessment of fairness and non-discrimination. [35] Access rights are pre-requisites to so many other potentially applicable rights and checks, that providing them is key to effective oversight and the principle of transparency.

42

It is worth noting that two recent relevant CJEU cases, YS and Others  [36] and Nowak, [37] do not clearly map onto issues of access to inferences in the digital economy. Because both concern the Data Protection Directive, they do not distinguish profiling from other forms of opinion-forming. In particular, recital 72 of the GDPR emphasises that:

Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal grounds for processing or data protection principles. [38]

Profiling is defined as:

any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements [39]

43

Profiling is seen as an activity which increases the risk of data processing to data subjects rights and freedoms, indicated by, for example, significant decisions based (even in non-solely automated ways) on profiling triggering the requirement for a data protection impact assessment. [40] The A29WP, in guidance endorsed by the EPDB, list ‘[e]valuation or scoring, including profiling and predicting’ as a criterion for the determination of high-risk processing. [41]

44

Neither Nowak or YS and Others can be easily construed as profiling, as both were cases of manual, rather than automated, processing. Legal analysis of the type in YS and Others would not fall under the profiling definition. It also seems doubtful that a traditional examination, such as that in Nowak, would fall under the concept of profiling (unless it was marked automatically). Consequently, we have not seen the Court provide judgements clearly analogous to profiling. Profiling is therefore a distinct activity which distinguishes many inferences and opinions made in the context of the digital economy from existing case-law: it is a situation where risk is heightened and the need to provide strong data protection is also heightened.

45

Furthermore, when executing an access right, where inference is a human understandable score or category, context must be provided as to the alternatives that the individual could have been categorised as. This is important for rights such as rectification where they apply in this context, or assessing whether such categorisations are potentially discriminatory, as without this knowledge, they would not know the alternative options available.

46

The EDPB should, however, be aware that a particular challenge exists in practice as many data controllers do not explicitly infer human-understandable data about the data subject, but infer data which is used to shape and sort them, which only machines can ‘understand’. For example, a common tool in this area is the ‘embedding’, where data records are plotted as ‘points’ in such a way that the distance between them is an indicator of their similarity or dissimilarity to each other. This is a common practice in advertising and recommender systems. [42]

47

An embedding is a simple but important technology. Imagine 10,000 users, and each has 10 characteristics which are known about them, such as their age, location, and so on. This is a 10,000 x 10 table. An embedding turns these users into vectors of geometric points. Many methods, including neural networks, are possible to do this. The end product is a table with 10,000 rows, but with, for example, three columns instead, each of which contains a number between -1 and 1. It would be possible to plot these 10,000 points on a 3D scatter plot, and the idea is that ‘similar’ users are clustered together. In practice, the number of dimensions is much larger — often thousands — but the concept is the same. In 1000D space, rather than 3D space, many more nuanced characteristics can be caught: for example, on some dimensions, users might be clustered in practice by language, while in others, they might be clustered by ethnicity, and in others, by interests. Yet each column is not a clear variable such as this: it is the emergent property of ‘similarity’ which is important, and therefore the columns are not interpretable without the rows to understand what the clusters mean in practice.

48

In embedding systems, how individuals are being profiled, and the opinions formed about them, are not in some human-readable inference, but are instead based on their proximity and similarity to others. [43] The Guidance must address how individuals can access the way they are being profiled in such systems. In particular, it must be emphasised that this is a dataset of personal data, not an automated decision system as per GDPR Article 22. Each individual is attached to a record of hundreds or thousands of data points that place them in relation to other individuals, and which has been calculated in advance, ready for use at a later stage. The automated system is simply looking at the distance between the co-ordinates of one individual and another, and that would be the ‘logic’ of the processing. The data points are not the logic of processing, and therefore the data points fall wholly within the right of access.

49

In particular, it is concerning that data controllers are seeking to use complex processing, such as embeddings, in order to practically render access rights unhelpful in understanding the ways individuals are being profiled, and opinions formed against them.

50

Much personal data relate to more than one person. This includes, for example, data such as:

51

This data often causes challenges when the right of access is invoked. It is important to note that significant case-law in this area exists from the European Court of Human Rights, which has, in general, favoured the individual seeking access to data over third parties seeking to limit its release. In Gaskin, the ECtHR ruled that just because no consent had been obtained from all third parties in the data, it did not mean that it could not be released, and that there was a need for an independent authority to exist to make the final call; otherwise there would have been a breach of Article 8 of the Convention. [44] In Társaság a Szabadságjogokért v Hungary, the claim by a member of parliament that a complaint submitted to the Constitutional Court could not be subject to a document release request by an NGO because it included personal data was in violation of Article 10 of the Convention, on the grounds that individuals in public life should not be able to stop the genuine disclosure of documents on the basis that their opinions on public matters constituted private data which could not be disclosed without consent. [45]

52

In the UK, the Court of Appeal has ruled that even where a third party has refused to consent to data released on the basis of an access request, that does not mean there is a rebuttable presumption against release, but that the case should be balanced on importance and merits. [46] The Information Commissioner also counsels in this direction, stating that:

depending on the significance of the information to the requester, it may be appropriate to disclose it even where the third party has withheld consent. [47]

53

Furthermore, the focus on the above is that the data controller should seek consent from third parties in an access request. A data controller should not have a blanket policy to refuse to seek such consent. For an information society service, where such a process can be easily automated, that is especially true.

54

While discussion of the right of access mostly focuses on the right to access the data itself, it is important to stress that the right, on the basis of Article 15(1)(a–f) also encompasses the obligation on data controllers to provide additional information regarding the processing of data. Of particular importance in relation to the data subject’s ability to monitor the controller’s compliance with data protection legislation, as well as her ability to effectively exercise her other data subject rights are the right to know the recipients, as well as the sources of the data undergoing processing. In line with these goals and building on the earlier position taken by A29WP, [48] the provided information should include the actual named sources and actual named recipients of the data subject’s personal data in particular. Without such information, data subjects are not able to know where and how their personal data has been disseminated. Currently only a very small proportion of data controllers provides such data when requested. [49]

55

Controllers very frequently accommodate (at least part of) access requests by reciting generic information already available in the privacy policy/notice/statement. This clearly appears from the combined empirical work of the authors, as well as the many personal experiences from other data subjects. Article 15(1) lists eight categories of information that can be requested, on top of the actual personal data being processed. When asked for some of this information in an individual access request, controllers will often answer in a very generic way. This is highly problematic in light of the different functions of the right of access (eg enabling the exercise of other rights, evaluating compliance), and its relation to the information obligations under Articles 13-14.

56

Whereas Articles 13-14 can be considered ex ante obligations on controllers’ shoulders, Article 15 is an ex post right of data subjects. In other words, Articles 13-14 contain transparency requirements that need to be complied with by controllers upfront, and necessarily need to relate to all potential data subjects. The added value of Article 15 is that it provides the possibility for individual data subjects to learn more about their particular situation upon request. This also follows from the Court’s case law in Nowak  [50] and Rijkeboer  [51].

57

The issue is illustrated by the way in which Facebook responds to access requests: With respect to information about the data categories that Facebook holds about Mr. XYZ: this depends on how he uses the Facebook Products. The data categories and their sources are clearly set out in our Data Policy (accessible via https://www.facebook.com/policy.php )

58

Even when specifically asked not to simply recite their privacy policy, Facebook still does. When explicitly requested to provide ‘a complete and detailed overview of all the different ways personal data have been and will be processed (not your general privacy policy, but a list of which of my data were used for which concrete purpose) as well as the exact lawful ground (art.6 (1) GDPR) for each processing purpose’, Facebook responds:

59

We understand that Mr XYZ would like a complete and detailed overview of all the different ways in which his personal data have been processed and will be processed, including the legal basis relied on by Facebook. Whilst Mr XYZ indicates he does not seek our “general privacy policy”, we’d like to clarify that the information requested by him is detailed in this document and our legal bases fly out.

60

Facebook’s response is problematic because:

(a) it refers to its privacy policy, which manifestly does not link exactly what personal data is used for exactly what purpose and under what lawful ground each individual purpose falls.

(b) it fails to provide a tailored answer to the data subject in particular, who wishes to know what exact information was collected for what purposes and under what lawful ground, for his particular situation.

61

In light of the above, we strongly recommend the EDPB to make it very clear in their guidelines that the right of access in Article 15 requires controllers to tailor the information to the specific situation of the data subject making the request. This means that each data subject can ask, for example: (a) what exact purposes their specific personal data has been processed for; (c) the exact (categories of) recipients their personal data has been disclosed to; and (g) what source their specific personal data were obtained from.

62

Anonymisation is often considered a valid way to evade the applicability of the GDPR. Indeed, as recognised in Recital 26, data protection rules should not apply to ‘anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable’. In its 2014 Opinion on anonymisation techniques, the A29WP also stressed that ‘anonymisation results from processing personal data in order to irreversibly prevent identification’. [52]

63

The GDPR incorporated the A29WP’s Opinion as well as CJEU jurisprudence [53] when stating that anonymisation of personal data entails making it irreversibly impossible to identify the data subject, having regard to all the means likely reasonably to be used. [54] This test does not only depend on the relevant context and circumstances of each individual case, [55] its outcome can also change over time. [56] In order to assess whether or not a dataset is truly anonymous, one will reasonably have to take into account the risk of re-identification over time. [57] When the data controller has no a priori means of distinguishing between anonymous and personal data in a mixed dataset, it will need to treat the entire set as personal data. [58]

64

We believe data controllers often confuse anonymisation with erasure, and this creates a range of challenges.

65

Firstly, many data formats in the modern digital economy simply cannot be anonymised. This is substantiated by an overwhelmingly rich and growing body of literature. [59] Indeed, in an online environment, with ever-increasing data processing capabilities, no guarantees can be given that any data-point might be (re-)connected to an identifiable natural person in the future. We therefore agree with the A29WP’s 2014 Opinion stating that anonymised datasets can still present residual risks to data subjects, [60] and believe it is much more useful to look at anonymisation as a sliding scale rather than a binary. [61] Erasure, on the other hand and when executed properly, is a binary and data controllers should in principle be required to irretrievably remove all personal data from their system rather than merely anonymising it.

66

Secondly, it is important to remember that, since data protection is an intent-agnostic regime (see further section 8.4, this document) there are many motivations for erasure. Some of these concern confidentiality, which (proper) anonymisation may help to meet. Yet these are not all the concerns a data subject might have. Since its origins, data protection law has also — arguably primarily — been seen as a regime for regulating the imbalances that emerge from informational power. [62]

67

Informational power is tied up with notions of ‘group’ or ‘categorical’ privacy. [63] An individual, for example, may not wish for information to be known and processed around a community, neighbourhood or demographic she is part of. [64] She may wish to erase data not to obscure herself, but to obscure the groups she constitutes from a data controller she does not favour or trust. Anonymisation instead of erasure disempowers her. It states that her data can still be utilised, valorised, for example ‘anonymised’ into machine learning models, [65] while she has specifically stated she no longer wants that data to be accessible to the data controller in any form.

Anonymisation can thus be used to disempower data subjects. Anonymisation may prevent individuals ‘from understanding, scrutinising, and questioning the ways in which data sets are used to organise and affect their access to resources and connections to a networked world.’ [66] Indeed, as the authors have demonstrated elsewhere, some data controllers argue that they cannot accommodate data subject rights because they allegedly have no way of reidentifying the data subject, effectively disempowering individuals. [67]

68

Furthermore, the proportionality of anonymisation rather than erasure should be read in the context of the many hurdles to successful erasure in Article 17. If such hurdles are overcome (which in many cases are difficult and raise uncertainties about how to proceed, see section 3.2, this document), then a data subject should be entitled to erasure, and not less than that. Erasure is possible when no valid processing purposes remain: these purposes include purposes where anonymisation and aggregation, which themselves are processing operations, are utilised.

69

Thirdly, the right to erasure does not explicitly mention anonymisation as constituting an equivalent measure. This becomes clear when comparing the language of Article 17 – clearly dictating erasure per se – with other provisions that use the language of recital 26 on anonymisation – i.e. data no longer permitting identification – such as the storage limitation principle (Article 5(1)(e)) and its different mutations in Article 11 and 89.

70

The right to erasure tackles the underlying data involved in a processing operation. Because the same data can and is often processed in many different ways, often with a different lawful ground, erasure may fail if the data controller can retain a valid lawful ground for data processing. Even if one of the grounds in Article 17(1) applies, this might not lead to effective erasure. It is therefore important that the guidance clarifies how to resolve situations in which erasure is requested, but the controller claims it can further process the respective personal data for different purposes.

71

Even where data controllers offer data subjects a right to erasure, it is often unclear what personal data it applies to exactly and under what circumstances the right can be invoked. As illustrated in Table 1 below, the applicability of the right to erasure inherently depends on what lawful ground is relied on for which processing purpose(s) relating to what specific personal data in particular. The vast majority of privacy notices/statements of information society services fails to clearly link these components (simply listing what personal data is processed separately from what purposes they process personal data for and/or the lawful grounds relied on), rendering it very hard to effectively exercise the right to erasure. This is made even more challenging by the practice of data controllers to ‘switch’ between, for example, consent and legitimate interests. [68] It is exacerbated by the ‘list’ approach to Article 13/14, whereby data controllers provide a list of lawful bases (often copied straight from the GDPR), a list of data categories, and a list of data processing operations, without cross-referencing them in any way.

72

In order for the right to erasure to have any meaningful role, data controllers should make it very clear upfront (eg in their privacy notice/statement) what personal data it applies to and under what circumstances. This obligation also follows from the transparency principle (Article 5(1)(a)), purpose limitation principle (Article 5(1)(b)) and transparency requirements in Articles 13–14.

Table 1 describes the complexity of the ‘erasure triggers’. These illustrate the importance of making the functioning of the right to erasure clear to data subjects. It is also not clear that data controllers understand these distinctions.

73

Making it clear which data a data subject can, and cannot, erase is important because without this, the data subject cannot easily make an informed choice as to whether they should use a particular service, or engage with a particular data controller.

74

In this context, it is also important to recall the Court’s view that rights must be protected in an ‘efficient and timely’ manner. [70] An efficient manner is one which does not require the data subject to expend unnecessary energy in order to secure protection of their rights. An efficient, timely approach here would be to require data controllers to interpret ‘failed’ erasure attempts, due to residual legal bases, as a clear signal to object. The controller would then be required to re-substantiate its claim to have a continued lawful ground for further processing said personal data.

75

In principle, the right to erasure is only a last resort solution, empowering data subjects to request erasure in situations where their personal data ought to have been erased already in the first place. This clearly appears from the six situations listed in Article 17(1), which all im-/explicitly refer to other provisions in/outside the GDPR that already imply erasure.

76

In the authors’ experience, data controllers often appear to use the availability of data subject rights as a red herring. Yet, offering data subjects a right to erasure does not absolve data controllers from having to comply with key data protection principles such as purpose limitation (Article 5(1)(b)), data minimisation (Article 5(1)(d)), or storage limitation (Article 5(1)(e)). Indeed, many privacy notices/statements appear to offer data subjects a right to erasure mainly pro forma only, while at the same time acknowledging a vast data processing apparatus.

77

Indeed, important research in behavioural sciences has demonstrated that the perceived control data subjects have over their personal data through tools such as the right to erasure, may paradoxically lead to lower concerns over data processing practices and a false sense of security, which in turn may lead to revealing even more (sensitive) information. [71]

79

The right to object is available to data subjects with regard to processing operations that rely on legitimate interests as a lawful ground (Article 6(1)(f)). As emphasised by the A29WP, legitimate interests are not an ‘easy’ alternative to consent, but require substantive and public justification. [75] The Information Commissioner’s Office has expressed concern that particularly online, data controllers seeing legitimate interests as the ‘easy option’ lack a ‘full understanding of what legitimate interests requires’. [76]

80

Because individuals are asked to formulate and provide ‘grounds’ specific to their situation, which will be weighed against any compelling legitimate grounds of the data controller, it should be the case that the legitimate interest of the data controller are laid out in advance in accordance with Article 13 and 14. Article 13(1)(d) states that data controllers must provide the data subject with ‘the legitimate interests pursued by the controller or by a third party’.

81

This is an important component for the individual in determining whether and how to make the case for their right to object. It should be considered contrary to the fairness principle for a data controller, in balancing the right to object against potential compelling legitimate grounds, to rely on a legitimate interest which has not been clearly declared to the data subject in advance. This could put the data subject in a position where they chose a particular service provider and enabled them to process data about themselves under Article 6(1)(f), unaware of the interests of the controller and unable to foresee their own capacity to object in the face of these undeclared legitimate interests. This is particularly key because legitimate interests operate in the context of ‘necessity’, which is a concept that must be scrutinised in relation to determining whether or not processing is lawful. [77]

82

The right to object only has a limited scope of application, as it only applies to situations where processing is based on either one of the last two lawful grounds in Article 6(1). It is therefore unsurprising that since the entry into force of the GDPR, many controllers whose business model relies heavily on personalisation (and advertisement) have shifted from relying on either consent [78] or legitimate interests, [79] to necessity for the performance of a contract. [80] Reliance on this ground effectively strips data subjects from the ability to withdraw their consent [81] or object [82] to said processing. In light of the recent EDPB guidance on the lawful basis of necessity for contract, [83] many controllers may be illegitimately relying on this ground.

83

With that in mind, it would be valuable if the guidance could specify that data subjects also have the right – more broadly – to challenge controllers’ compliance with any of the GDPR’s requirements (even if it does not qualify as a specific right in Chapter III). This is already reflected in the implied right in Article 18(1)(b) to object to ‘unlawful’ processing, [84] and Article 17(1)(d) to erase personal data processed without an adequate lawful ground. [85] As DPAs, such as the Information Commissioner’s Office in the UK, are requesting that individuals ‘raise a concern’ with an organisation before they will take action, clarification on the modalities for data subjects to challenge data controllers’ compliance with key provisions (such as the data protection principles in Article 5 and the lawfulness requirement in Article 6) is particularly important. [86] In particular, the guidance should specify what the obligation of a controller to respond to such claims of unlawful processing should be.

85

Information society services encompass any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. [89] In many cases, data subjects will already be verified to use the service through having logged in.

86

The right to restrict processing is an interim measure. Particularly given the automated way information society services function, it is important to give effect to this interim measure. In Fashion ID, the Court was clear that provisions of data protection law must be interpreted as to give effect to the ‘efficient and timely’ protection of the data subject’s rights. [90] As a consequence, the right to restrict processing must always be interpreted and enforced as to give effect to its nature as an interim measure. The right to restrict must therefore be prioritised in time, and subject to a considerably tighter timeframe than, for example, the right to object it is linked to. Where it is feasible to automate restriction in this interim period, it may be incumbent on a data controller, on the basis of data protection by design and the risk-based approach throughout data protection, to do so.

87

The right to restrict processing is likely to impose different technological and organisational requirements on different data controllers. For example, for an organisation operating a customer relations management (CRM) system, a flagged, restricted profile can quite easily be separated from normal processing activities.

88

Many firms in the modern digital economy operate under conditions of continual processing, and do so under grounds including legitimate interests. This is the situation where the right to restrict is the most important, yet we are concerned that data controllers are disregarding the right to restriction of processing. The GDPR states:

In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. [91]

89

For example, where an individual has objected to tracking or profiling, and has in the meantime restricted processing, this should mean that the continual processing stops in the meantime, and that no more profiles are built, updated or applied. In practice, this does not occur.

90

Data controllers must be able to stop processing of data that is subject to the right to restriction in an interim period. This must be technically and organisationally feasible within their systems, in light of the requirements in Articles 24-25 GDPR.

91

In this context, we note the recent 14m EUR fine levied by the DPA of Berlin in relation to a failure of data protection by design. In this case, a data controller operated an archiving system that was unable to erase data. Such a system was held to be in breach of Article 25. [92] Similarly, a processing system which is unable to implement an interim period of restricted data processing would quite clearly also fall foul of Article 25 in a similar manner.

92

We believe that the clearest way to deal with this issue is to state that all data that has the potential to be restricted must be technically possible to restrict, with the exception of data which the data controller can reliably continue to process for the reasons laid out in Article 18(2) without the authorisation of the data subject, namely (i) for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person; and (ii) for reasons of important public interest of the Union or of a Member State.

94

Inferences and opinions are considered to be personal data by the CJEU. [93] As with all data rights, the right to rectification should generally apply to inferences and opinions unless justified exceptions grounded in law exist.

95

In some cases, the data controller may disagree with the attempt to rectify data by the data subject. This may be the case, for example, where a third party has provided an opinion to an employer about an individual’s inappropriate behaviour in the workplace. In this case, balancing is clearly justified, as Charter rights could be implicated, such as Articles 11, 12, 15 and 21.

96

The EDPB should avoid permitting either the data subject or the data controllers can act as the ‘arbiter of truth’ in contentious cases. Where the data controller has good reasons to disagree with the data subject concerning a proposed rectification, the best solution is to oblige both opinions to co-exist in the data processing system, and to oblige the data controller in line with the accuracy and fairness principles to consider both the rectified and the original data in downstream data processing. In this sense, rectification is an addendum rather than a replacement.

97

It should not, however, be considered a ‘good reason’ simply because the inference would be convenient to retain in its current form from a business perspective. This is particularly the case for profiling in the digital economy, for example in the area of advertising ‘interests’. In these cases, the right to data protection will be likely to prevail, particularly given the highly subjective nature of profiling and predictive inference techniques. [94] For example, in the context of the digital economy, an individual may be classified as ‘male’ by a predictive system: this should be open for an individual to rectify.

98

It should be recalled that the data subject retains the right to erase the ‘original’, pre-rectified data that is retained by the data controller, or to object to its use, and the procedures for each of these rights act as balances for the interests at stake in that situation.

100

Both the data controller and processor have an explicit obligation to facilitate the exercise of data subject rights (Articles 12(1) and 28(3)(e)). In light of this obligation, it is certainly to be encouraged that tools be developed in order to make data subject rights more accessible to data subjects (eg privacy dashboards, forms, ‘download my data’ functions, etc). However, data controllers or processors cannot force data subjects to exercise their rights in one way or another as long as the requirements under the GDPR are complied with. Moreover, practice shows that when data subjects request access to additional information not included in ‘download my data’ functionalities (but mentioned in Article 15), they are often ignored. [95]

101

Following on from the previous point, it is important that data subjects cannot be expected to use the exact wording of the GDPR in order for their rights to be effectively accommodated. Indeed, the Commission’s first objective when officially announcing its plans for a data protection reform concerns the strengthening of data subject rights. [96] In light of the Court’s emphasis on ensuring an ‘effective and complete protection’, it is therefore necessary that data controllers act on the apparent intent of data subject requests, and cannot require them to use the exact phrasing (or article references) of the GDPR. The guidance should be clear about what a data controller should do upon receiving a request which is vague, but could be interpreted as a right to restrict, object, erase, port or access.

102

Article 26 of the GDPR clarifies the concept of joint controllers: ‘[w]here two or more controllers jointly determine the purposes and means of the processing of personal data, they are joint controllers [...]’. [97] The article further requires such joint controllers to delineate, in a transparent manner, their respective responsibilities in light of complying with the GDPR. Importantly, data subjects can exercise their rights (to erasure) vis-à-vis any of the joint controllers, regardless of the arrangement (of respective roles and responsibilities) between these controllers (Article 26(2)). In other words, even though ‘joint controllership’ might have considerable ramifications as to GDPR compliance and allocation of responsibilities, [98] from the perspective of a data subject exercising his/her rights it is less relevant.

103

Article 28(3)(e) dictates that processors need to assist the controller in accommodating data subject rights, notably by adopting ‘appropriate technical and organisational measures, insofar as this is possible’. This should be interpreted as allowing a data subject to invoke his/her right to erasure vis-à-vis processors as well. Whereas they are not the ones responsible to effectively accommodate the data subject’s rights, processors are liable to assist controllers in doing so.

104

In sum, the plurality of actors processing personal data should not hinder the effective exercise of data subject rights. Data subjects can approach processors and/or (joint) controller(s) with their rights, even though that entity might not be the one who is ultimately responsible to accommodate such claims in casu. Even when the complexity of a processing chain causes the data subject to invoke their right vis-à-vis the ‘wrong’ controller, the latter should still be required to forward the request (Article 19). This process can be made easier with a single point for request to be made by data subjects, or forwarded to by joint controllers. Notwithstanding the possibility for data subjects to direct their requests to each joint controller, the EDPS recommends to establish a single contact point to which data subjects may forward their requests in exercising their rights.’ [99] The burden of enabling effective use of data subject rights, especially in complex networks of processing, should be on the various controllers and processors. [100]

106

The right to access a copy of personal data and the right to portability are both limited by paragraphs stating that the stated aspects of these rights ‘shall not adversely affect the rights and freedoms of others.’ [101] This requires some considerations of, among other issues, the privacy and data protection interests of third parties (see further, section 2.4 this paper).

107

However, it should be clarified in the guidance that this consideration is not present for other rights, such as the right to object or restrict processing. A different and more specific balancing arrangement is in place for the right to erasure. As a consequence, the guidance should indicate that the right to object or restrict processing should not be unduly hindered by the privacy interests of others.

108

Article 12(5) allows data controllers to refuse to act upon a right where ‘requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character’. Where they do this, the ‘controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.’

109

The A29WP have noted, in guidance endorsed by the EDPB and in relation to another right (i.e. to data portability), that for the cases of information society services which specialise in automated data processing, ‘there should be very few cases where the data controller would be able to justify a refusal to deliver the requested information, even regarding multiple data portability requests.’ [102]

110

They also note that the cost of building the infrastructure to comply with these requests is irrelevant to the notion of ‘excessive’ requests. In particular, they state that ‘the overall system implementation costs should neither be charged to the data subjects, nor be used to justify a refusal to answer portability requests.’ [103]

111

An argument that a ‘manifestly unfounded or excessive’ request might be construed as one which relates to any sufficiently large or complex processing operation sets a dangerous precedent that some data processing activities are ‘too big to regulate’. This logic would mean to say that some processing activities are at such a global scale, and so complex, and producing and capturing so much data about individuals, that they escape the reach of fundamental rights such as the right to access. This seems perverse: the more impactful and the more sizeable the activity, surely the higher the acceptable cost of compliance on the data controller, and the more urgent and pressing the need to provide data subjects with oversight and control rights.

112

Where such processing implicates a high number of users, this would likely count as ‘large scale’ processing posing a high risk under the GDPR, and thus has little ground to be manifestly ‘unfounded’. According to the GDPR compliance should scale up in relation to high risk processing, not down. [104]

113

In the case of information society services in particular, personal data is constantly being collected, amended, transformed and applied. As a result, any provisions which assume static, long term, unchanging datasets must, in order to preserve the fairness principle and the technology-neutral nature of the GDPR, be read in light of modern data processing practices.

114

As a result of this situation of ‘continuous processing’, the rights of access, rectification and/or erasure may be of permanent relevance as well. The guidance should therefore be mindful to clearly constrain the scope of Article 12(5) GDPR, allowing controllers to refuse to act or charge fees for accommodating data subject rights when they are ‘excessive, in particular because of their repetitive character’. When personal data, and how it is processed, constantly changes, repeatedly exercising data subject rights should not be considered excessive. Instead, it may be upon controllers to ensure an automated and easy manner to facilitate the accommodation of those rights. This is also relevant for the right to data portability (not within the scope of the planned guidance), which may actually require controllers such as social networks to implement protocols for enabling interoperability (essentially allowing for a constant stream of ‘access rights’ in a machine-readable format).

115

Access rights have commonly been used in relation to highly specific pieces of information, often as part of disputes that might be related to issues of criminal, [105] employment, [106] immigration, [107] trust [108] or defamation proceedings. [109] These types of cases can create, in the words of Advocate General Bobek, ‘certain intellectual unease as to the reasonable use and function of data protection rules’. [110]

116

National courts have also held specifically that data rights are purpose-blind. Courts in England and Wales have long supported the ‘purpose-blind’ nature of data rights. [111] The Court of Appeal of England and Wales held that there is no ‘no other purpose’ [than privacy or data protection] rule that requires data subjects to specify a reason for a subject access request or refrain, for example, using it for litigation. [112] Courts ‘should not enquire into or permit investigation of the purpose for which a SAR has been made’. [113] The ICO has further stated that there is nothing in data protection legislation ‘that limits the purposes for which a SAR may be made, or which requires the requester to tell you what they want the information for’. [114]

Arden LJ, in Dawson-Damer, stated an important general reason why access rights should not be subject to an analysis of intent noting that ‘a “no other purpose” rule would have undesirable secondary consequences, such as non-compliance by data controllers with SARs on the grounds that the data subject had an ulterior purpose.’ [115]

The CJEU, in YS and Others, did not comment on the fact that the individual was seeking to use the documents they sought in litigation as a factor which would disqualify the access right from succeeding. [116]

117

Data subject rights may effectively pit data subjects’ rights, freedoms and interests against the economic freedoms of the data controller. The right of access may challenge trade secrecy, and the rights to object and erasure may conflict with various economic and property interests. From a data protection perspective, the ensuing balancing act shifts in favour of the data subject by default upon invoking said right. [117] As emphasised repeatedly by the Court, [118] at least in delisting cases the economic interests of the search engine operator are trumped by the rights, freedoms and interests of data subjects by default. This also appears from the general drafting of the GDPR, which took a rigorous ‘fundamental human rights’ approach, implying that ‘data protection automatically trumped other interests and could not be traded-off for economic benefits.’ [119]

118

The only situations where commercial interests (alone) may effectively block data subject rights, will be when accommodating these rights would affect the essence of a fundamental right in the Charter or at the very least not be proportionate stricto sensu. [120] The two most relevant fundamental rights in the present context are the freedom to conduct a business (Article 16 Charter) and the right to (intellectual) property (Article 17 Charter). Both of these have repeatedly been declared not to be absolute rights, to be considered in relation to their social function. [121] All evidence suggests that, as a general rule, they are not self-sufficient to override individual freedoms in the Charter, [122] such as the rights to privacy (Article 7), data protection (Article 8), or freedom of expression (Article 11). [123] Indeed, pursuant to Article 52(3) – which aligns Charter provisions with those in the ECHR – it would be difficult to claim economic objectives alone can constrain fundamental rights/freedoms representing essential values in a democratic society. [124] Only when, in light of Article 52(1), a specific legal provision ordains processing for commercial purposes and/or raises obstacles to invoke certain data subject rights, does it seem realistic that a controller can legitimately not accommodate data subject rights purely on the basis of commercial interests. [125]

119

In relation to this, attention should be given to a decision by the Supreme Court of the Netherlands, which did not accept exemptions based on a claim by a company that received requests based on alleged harm to their freedoms or rights. In Dexia  [126] it did not accept three instances of this argument. First the high cost associated with responding to a single access is not (in itself) a reason to exempt access. Second, the fact that an organisation may receive a high number of requests is not accepted as a reason to restrict access. Third, the fact that data subjects have been incited to use their rights by a consumer protection programme and have made use of a request template provided by that programme cannot be invoked.

120

An important, but underappreciated, aspect of the GDPR is found in the parts of Articles 13–15 which require data controllers to declare the existence of certain GDPR rights. [127] These parts have usually been interpreted as copy-pasting the GDPR into, say, a privacy policy. It is quite clear however, that in some cases, in respect to some data, these rights exist, and in other cases, they do not exist. As a result, this can only be interpreted as a contextual provision which requires consideration of the ability for these rights to be exercised in a data subject’s specific situation.

121

While the data controller should be flagging these rights to facilitate the data subject’s awareness and use of them — a common EU law trope found in areas such as airline and rail delay rights [128] — this is not the only role of this provision. Given that the data subject often (although not always) has a choice as to whether to engage with a data controller, such as putting themselves to actively consent to processing or contract with the controller, or to move within a zone where processing on the basis of, for example, legitimate interests is likely to occur, the purpose of the GDPR’s information rights is to provide information to help the data subject decide whether they wish to enable such data processing. A core piece of that information is whether that specific processing can be objected to, erased, ported or accessed. [129]

122

The data controller should have pre-empted how to deal with rights in relation to all data they process, and the principles of fairness and transparency require that this information be provided ahead, read in line with the specific requirements of Article 13-14 not subsequent to processing. Furthermore, as there will be times where individuals have not been informed of their rights under either Article 13 or 14, [130] the data controller should be prepared to reveal this information upon request under Article 15. [131]

124

Many controllers engage in singling-out of the data subject for the purpose of service delivery or analysis but have not built a system with which to identify data subjects for the purposes of exercising their rights. In some cases, they simply refuse to build a system that can be accessed by the user, despite having access to the specific user and device from their server. [133] Examples of this are documented by two of the authors in a recent academic paper. [134]

125

In other cases, such as in the case of wireless analytics or targeting advertising, data controllers have established a system where their business model can operate with imprecise targeting or singling out of individuals (which nonetheless is highly individualised over time). The impact of this imprecise, but personalised targeting is that the data controller can claim that providing data rights would be imprecise too, but the consequences of doing so would be in breach of the security principle, and therefore not something they are willing to countenance. [135]

126

In cases where, by design or not, verification is imperfect, data controllers must take a realistic risk-based approach to release, which does not disempower data subjects. In many cases, the impact of accidental release of data to someone other than the data subject, particularly where the data subjects are inherently difficult to identify, will be low, and possible to monitor on an aggregate level.

127

Different rights have different levels of consequence for data subjects if they are applied by mistake or fraudulently. For example, the rights of access and portability can lead to sensitive data disclosure, and it is important that verification is an effective and secure process. [136]

128

Other rights, such as erasure, restriction and objection are more contextual in nature. Misapplied erasure might, for certain kinds of data, result in an inability for the genuine data subject to establish or substantiate legal claims, or affect the availability of services, or cause the loss of important personal data. Yet for many kinds of data which already have limited storage retention, erasure will merely hasten deletion which should have occurred anyway. For example, the impact on an individual’s rights and freedoms of the incorrect erasure of web-tracking data, or app telemetry data, is significantly lower than the impact of accidental disclosure of this data.

129

The lack of negative consequences for the data subject is perhaps most stark where the data is being processed on the basis of legitimate interests of the data controller, as the individual did not explicitly request this processing be carried out, and therefore in many cases their interest in the processing will be minimal.

130

Where the right to object is being applied, as the data are still being stored but simply not processed for the objected-to purposes, the process is generally reversible in the case that verification was incorrect. As a result, the right to object or to restrict processing should, in general, require a lower burden of verification than access and erasure. The Guidance should also lay out the circumstances in which the right to erasure should require less of a burden of verification than the right of access. In particular, the controller should need to demonstrate, in accordance with the principles of accountability and fairness, compelling reasons as to why they are requesting detailed verification from a data subject for the right to object.

131

The GDPR’s risk-based approach, and its by-design approach, are not currently widely recognised and followed in relation to verification systems for data rights.

The method used for authentication should be proportionate to avoid abusive identity checks. [137] For example, controllers such as information society services, which due to users explicitly requesting the service often have login credentials or an existing verification system, should not, in general, require a higher level of verification. If controllers request a higher level of verification than required to access the service, they must justify this in relation to the accountability and fairness principles, and minimise both the burden on the user (in line with ‘efficient and timely protection’) and personal data processed (in line with data minimisation) in the process.

132

Furthermore, data controllers often ask for a government issued identification document in situations where it is clearly disproportionate. In many cases, for example when an individual is seeking data connected to an identifier (eg a cookie ID) and the controller has no knowledge of the real identity of the data subject, it is unclear what purpose the government ID serves. Moreover, asking for a government ID entails unnecessary risk as data controllers may not have secure systems set up to receive such data, and often in the authors’ experience request it through email. Furthermore, in many cases, a data subject will be requesting data on the basis that they do not trust the data controller, and wish to consider their options in terms of eg objection, erasure or the withdrawal of consent. In these cases, the need to provide sensitive data to the data controller may be unfairly dissuading data subjects from exercising their rights. Some recommendations of national DPAs recommend controllers to request a government ID. The Guidance should make clear that a government-issued ID should only be required when this is proportionate. This would also provide reassurance to data controllers who may feel obliged to ask for such information.