But, I never gave you my data? The GDPR's impact on data subject rights
Let us set the scene. You receive an email: sign-up for LinkedIn! Facebook! Instagram! [Fill in your Service of Choice here.] And, once you click to create an account, the information is mostly pre-populated: your name, your email address, your current job, your “friends”, your location/region -- a number of pieces of information that may have you shaking your head asking: how did they compile all of this information without my input and without me even knowing it?
This compilation of information is scary -- especially when you realize that you had no control over the sharing of that data, the access to that data, or the processing of that data. And often, to even trace the data back to its source is a complex web that would give any enigmatologist a challenge. But, the European Union’s General Data Protection Regulation (“GDPR”) is aiming to cut through this confusion, and give the power back to the person behind all of that data.
Throughout numerous provisions of the GDPR, emphasis is placed on the data subject. What does the data subject know? What has she consented to? What is she being told? And, what can she ask to know after providing the data? Article 12 is literally titled, “Transparent information, communication and modalities for the exercise of the rights of the data subject.” Information provided to the data subject is required to be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” Art. 12(1). This language is paralleled in the “informed consent” requirements: information must be provided “in an intelligible and easily accessible form, using clear and plain language.” Art. 7.
Where does this heightened transparency requirement of the GDPR leave us going forward? To answer, we must break it down into two different perspectives: a company, who is likely collecting, using, maintaining -- i.e., “processing” -- the data; and the data subject, you, me, the person sitting next to you -- the people who are “attached” to that data.
For the individual person, the GDPR simplifies rights and empowers the individual to take back control and to make demands on entities to provide information related to any personal data collected on her or him. Data subjects can now request access to the information that a company holds on her (Art. 15), to rectify that data (Art. 16), to erase that data (Art. 17), to restrict the processing of that data (Art. 18), to port that data to another controller or processor (Art. 20), and to object to the processing of that data (Art. 21). This cute video provided by the Data Protection Commissioner of Ireland is a nice summary of the impact of the GDPR on individuals.
While the right to be forgotten was highly publicized following the Google v. Spain case, much of the GDPR is providing rights that have never been given such authority. And, not only can individuals make requests under these rights, but data subjects can bring a private cause of action under Article 82. The potential of facing litigation from individuals across a wide variety of jurisdictions (i.e. Member States) is a daunting proposition for controllers and processors -- but, very powerful for individuals.
For companies, this means, frankly, a headache. Constantine Karbaliotis, a Director at PwC Canada, recently posted “The Nightmare Letter: A Subject Access to Request Under the GDPR.” Karbaliotis provides this letter as an example of what a data subject request under the GDPR could look like, laying out nine questions, and most with subparts. The questions range from “run of the mill” what data do you have on me (i.e., on the data subject) to the more in depth, “information policies and standards that you [the company] follow in relation to the safeguarding of my personal data.”
Karbaliotis’ letter is a good example of the nuanced requirements of the GDPR. It is clear that information that is “transparent” and “intelligible” in “clear and plain language” must be provided. But, how much information? How detailed? There are arguments to be made that security features must, and should, remain confidential. Trade secrets and intellectual property -- if attached to any of that individual personal data -- may also caution against providing access to certain information. But, what is the appropriate -- i.e., compliant -- balance under the GDPR? That question remains to be answered.
And, many companies hope to automate, to the extent possible, responses to these individual data requests. No one knows how many data subject requests will come in during a given day, week, month, or year. Google recently announced that it received 2.4 million requests to delete data over the last three years -- of which it complied with 43% of the requests.
While this statistic is pre-GDPR, it still sheds some light on how extensive data subjects may exercise their rights. First, data subjects are in fact exercising their rights, rights that will only be expanded under the GDPR. Second, Google did not comply with all of the requests which means that it had to have metrics, standards, a framework -- some type of mechanism to process these requests and make a decision. Responding to these requests alone could take an entire new subdivision within a company -- or at least some dedicated time by current employees.
The key to a data subject rights is to understand that this area of the GDPR will continue to evolve, long after the May 25th deadline. Companies need to be prepared to respond -- and to do so quickly. There is a thirty (30) day timeline that will be quickly eaten up if a company does not already know where its data is stored, how it is processed, and how it intends to respond to requests under the GDPR.
The next few months will bring forth some unique and creative solutions -- we will have to wait to see if those solutions bear up against the GDPR and its enforcement. Those companies who have taken the time to assess what is required under the GDPR and how to meet the demands of individual data subjects will be in a better position to comply -- because, luck always favors the prepared!
* * * * *
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.