GDPR – practical experiences: data subject rights – part 2
Dr W Kuan Hon
Of Counsel, Dentons; Member, DIFC Regulation 10 Advisory Committee; Editor, Encyclopedia of Data Protection & Privacy. All views personal only.
Source: Report, Commission’s GDPR Multistakeholder Expert Group, 13 June 2019
Part 1 highlighted selected points from this report, with some observations and a bit more on data processing agreements, software vendors, model clauses for international transfers and children’s data.
This part 2 summarises issues on data subject rights, with some views.
Increased requests
Increases in requests for access, erasure and rectification (varying by sector), and also in objections and withdrawals of consent. But no noticeable increase in requests regarding automated decision-making or data portability (despite the development of portability tools). Some requests give insufficient information - but better tools/guidance (see below) could help address this? Individuals have difficulty exercising rights when it's unclear who's processing (e.g. data brokers, adtech).
“Manifestly unfounded” / “excessive”
Guidance is sorely needed here. Many felt that meeting access requests, even excessive ones, is easier than trying to prove they are “excessive”. Examples given of possible “unfounded” or “excessive” requests include searching in unstructured electronic information systems or back-up tapes, or “requests via a template for the sole purpose of causing harm to the controller by making it undertake a lot of work responding.” (That last one’s unlikely to be “excessive” at least in the UK, as having collateral purposes isn’t enough to invalidate data subject requests).
Misguided attempts to exercise data subject rights when no rights exist
Some data subjects misunderstand their rights, assuming it’s always necessary to obtain consent for every processing operation, or that the right to erasure is absolute. Dealing with these misconceptions can be time consuming.
Much of the blame for this lies with the media’s promulgation/perpetuation of myths about the GDPR (despite my sad attempts at writing corrective letters that they never publish!). The consent myth probably stems from US concepts of “notice and choice” – yet another example of US linguistic imperialism, as when Europeans, often techies, go on about “PII”. Even reputable publications that should know better recite these myths, e.g. the FT & WIRED. Maybe the Commission or SAs could issue an educational piece or even campaign on this? – the media may listen to them perhaps, if not to mere data protection lawyers!
Further on excessive requests, I believe some also comply with excessive (unfounded) deletion requests, as again it’s easier/quicker than arguing/educating data subjects on erasure conditions.
Unjustifiable barriers to data subjects, vs. reasonable identification/authentication
Some controllers make exercise of data subject rights “highly difficult”: not providing enough useful information/guidance, not having procedures “that could be regarded data-subject-friendly” or at least “not placing an excessive, insurmountable burden on data subjects wishing to exercise their rights”.
While not stated in the report, certainly some controllers require a (sometimes very long) form to be completed first before they’ll deign to respond.
Some reject requests as unfounded where individuals failed to provide information for their identification. Several want SA guidance on how to verify, proportionately, that the data subject seeking to exercise rights is the person to whom the personal data relate. Some recognised there could be better ways to facilitate the exercise of data subject rights, e.g. providing user-friendly tools for identification, or “in handling fully automated requests”.
On “proportionate verification”, some controllers, perhaps the same ones, insist on “ID” in insecure ways (e.g. “Email us a scanned copy of your passport, unencrypted”). This seems disproportionate and creates unnecessary security risks, exposing controllers to compensation claims/fines if bad guys get that ID by hacking the controller or data subject’s email account.
Sure, controllers do need to check they’re giving personal data to the right individual. But they could email the account’s address for confirmation, post hard copies of requested personal data to the account’s postal address, etc. One option: let logged-in data subjects request access, deletion etc., with room for them to add details (with guidance to clarify the request’s scope). [Yes, I know accounts can be hacked and used to send requests – but here I’m focusing on unnecessary barriers, and there’s also the postal option.]
A data subject could complain if the controller knows who they are (e.g. the request came from an email address registered for that individual’s account - I previously discussed similar issues in Computing), and could comply without demanding further ID info, but still demands it. Yet, from what I’ve heard, to date the UK ICO at least hasn’t acted on complaints about this practice. (Does anyone know about SAs in other countries? There have certainly been complaints about requests for ID - see part 1.)
In either case, the data subject may give up. That may of course be the motivation behind introducing those barriers. But to me, this kind of practice just benefits those types of controllers at the expense of organisations (like my clients) who try to do the right thing and spend time and money seeking to respond properly to data subjects’ requests. Even oral requests must now be met if the conditions for the right’s exercise are satisfied. So, in my view, making data subjects fill in forms etc first, or demanding further ID info in insecure ways when there aren’t any “reasonable doubts” about the requester’s identity (Art.12(6)), isn’t good practice and may even trigger complaints/enforcement.
Data subject rights and security problems for controllers
Reportedly there have been “massive campaigns” of requests for access to data sent to email addresses of DPOs from unknown organisations or bots, or requests via “rights access apps” to organisations without any relationship with those supposedly filing the requests.
You know what I think of controllers asking data subjects to confirm ID (often unnecessarily) in insecure ways! But that’s for cases where requests come directly from data subjects.
Where requests are blasted out by third parties/bots, the report didn’t say if members treat them as manifestly excessive/unfounded. However, handling requests from third party services/bots can involve security risks for controllers. I’ve heard of bad guys sending fake “data subject requests” to get controllers to click on malicious links etc. i.e. attempted phishing/malware. In such cases, there may well also be “reasonable doubts” about the identity of the data subject concerned.
Another concern is that some of these free services are just grabbing the accessed personal data for their own use, without adequately informing individuals about this - at least based on some terms that I've seen ("free" isn't necessarily free!).
Customer care issues?
Data subjects are taking advantage of GDPR to advance complaints “that should be dealt with as part of the customer care process”.
I don’t think this is “malicious”. As mentioned above, collateral purposes shouldn’t invalidate exercise of GDPR rights. Frankly, for bad service, if normal customer care processes have failed it’s understandable that some data subjects try to use GDPR rights to advance legitimate complaints as a last resort.
And finally…
The EDPB’s 2019-20 work programme, in its list of planned guidelines, includes “Guidelines on data subjects rights with main focus at a first stage on the rights of access, erasure, objection, restriction and limitations to these rights”.
Let’s hope the list isn’t in priority order, as that item is at the bottom! And to that description should also be added unjustifiable barriers, authentication/identification, the approach to automated third party/bot requests, and what’s “manifestly excessive” / unfounded.