Exercising access rights, portability: what are the powers of a representative?

Legal Watch No. 35 – May 2021

Some data controllers have been understandably perplexed on receiving a request from a company mandated to obtain data from their customer file, especially when the request contains particularly broad requirements, for example concerning the transfer of personal data without any time limit, or requiring automated access to the data.

The data controller may legitimately question the risks of reuse of its customer data, and the possible distortions of competition that could result from it.

In principle, however, the practice is legal.

It is provided for by the GDPR and by Article 77 of the implementing decree of the Data Protection Act, and aims to facilitate the exercise of the rights of access, objection or even data portability by allowing data subjects to call upon a representative to exercise their rights.

How can we preserve individuals' control over their data by allowing a third party to exercise these rights, while avoiding the abuses that could result from abusive mandates?

It is up to the agent to clearly define the scope of its mandate, and to the data controller who receives such a request to verify the validity of that mandate.

The CNIL recently launched a public consultation on a draft recommendation aimed at clarifying the framework of this new practice.

It has also published a standard mandate which can serve as a reference for agents and data controllers.

Certain aspects deserve particular attention, and could justify a data controller requesting additional details before transmitting the data concerned.

• Data allowing the clear identification, in the mandate, of the person for whose benefit the rights are exercised (for example, identifier, date of birth, date of last connection)

• The identification of the recipient to whom the data is transmitted (which may be the agent or the person concerned)

• The authenticity of the mandate (existence of an electronic signature), its scope and duration. The data or categories of data must be specified. The CNIL considers that a mandate established for an indefinite period does not meet the requirements of the law.

• If the transfer is carried out electronically, in particular via an application programming interface (API), the interface must be stable, have a high level of availability, and integrate security measures adapted to the risks. The CNIL has reservations about scraping techniques, which involve collecting the data subject's username and password in order to extract the data automatically.

If the data controller has doubts about the validity of a mandate, it must justify its refusal to grant the access request in accordance with Article 12.6 of the GDPR.

This could be the case, for example, if there are reasonable doubts about the identity of the person concerned, which will require collecting additional information from that person or the agent.

In the case of a mandate, as for a classic access request, the response time from the data controller is one month.

What about the possible reuse of this data by the agent for its own purposes?

This is a separate processing operation that must comply with the legality requirements of the GDPR.

The person concerned should in any event have the choice of accepting or not, on a case-by-case basis, each reuse which would be envisaged by the agent.

Note that the CNIL, like the European Data Protection Board, considers that "agents should not reuse data relating to third parties for their own purposes", as this would be considered an infringement of the rights and freedoms of third parties.

And also

France:

In its 2020 activity report, the CNIL takes stock of the highlights of the year, and in particular the impact of the pandemic crisis on fundamental rights.

Three years after the entry into force of the GDPR, it notes a constant increase in the number of complaints (more than 62% this year), and reports having issued 14 sanctions, including 11 fines totaling 138 million euros.

The Commission's priorities include:

  • The new rules concerning cookies (around twenty organizations were recently checked),
  • Cybersecurity and
  • Digital sovereignty.

The CNIL also announces prospective work devoted to the link between data protection and environmental issues linked to climate change.

The CNIL also announced checks at pharmacies in order to verify the conditions of collection of their customers' data by the company Iqvia for the purposes of analyzing pathologies.

These checks follow the broadcast in mid-May of a report on the exploitation of personal data which provoked numerous reactions.

The Commission finally indicated that it was in favor of the creation of a health pass provided that guarantees are provided for the processing of data and that the pass is only used for the duration of the health crisis.

On June 3, it published its third opinion on measures to combat the pandemic.

The Constitutional Council ruled on May 20 on the “Global Security” law.

It censors Article 24 relating to the criminalization of the “malicious” dissemination of the image of law enforcement forces, as well as a large part of Articles 47 and 48 which organized surveillance by drones, particularly during demonstrations, and the use of cameras on board law enforcement vehicles and aircraft.

Europe:

Several civil society actors initiated on May 26 complaints against facial recognition company Clearview, notably in France, Austria, Italy, Greece and the United Kingdom.

On May 25, the European Court of Human Rights ruled unanimously that the UK's widespread surveillance regime, made public by Edward Snowden in 2013, violates Article 8 of the European Convention on Human Rights regarding the protection of privacy.

The European Data Protection Board adopted two codes of conduct on May 20 following the development of decisions by the French and Belgian authorities on the cloud: for Belgium, this is a decision concerning the EU Cloud code of conduct, and for France, the CISPE, concerning European providers of cloud infrastructure services.

The Committee also published its 2020 activity report on June 2.

The European Data Protection Supervisor launches two investigations into the use of Amazon and Microsoft cloud services by European institutions.

These investigations aim to verify the processing conditions and in particular the transfers of data by these companies to the United States in light of the Schrems II ruling of the European Court of Justice.

The European Union publicly announced at the beginning of June that, in order to reach an agreement on data transfers to the United States, the latter would have to adopt binding laws allowing European citizens to defend themselves in court against the massive collection of their data by the American government.

International:

A recent study published by Privacy Laws and Business (G. Greenleaf) provides a global privacy update. It says the number of countries that have adopted data protection laws has increased from 132 to 145, while another 23 countries have draft laws in the pipeline.

Brazil: Like several of its European counterparts, the Brazilian supervisory authority is requesting that WhatsApp suspend its new privacy policy until the investigation into its consequences in terms of data protection and competition has been completed.

Anne Christine Lacoste

Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.
