Strengthened rights for individuals against companies
Excerpt from Bruno DUMAY's book: GDPR DECRYPTION – For Managers, Strategic Departments and employees of companies and organizations – Preface by Gaëlle MONTEILLER
The norms of democratic societies are supposed to guarantee a balance between interests that may be contradictory. Most major texts, however, contain an orientation—I spoke above of philosophy—that favors one party to the detriment of another, either because the authority imposing these texts wishes to give a new direction, or because the need for a rebalancing has been felt after some drifts in one direction, which have led to an asymmetrical relationship between the parties. The GDPR is undoubtedly a tool to restore rights to individuals in the face of all-powerful companies that no longer bothered much about respecting privacy.
Chapter III of the regulation is entirely devoted to the "Rights of the data subject." It is the "data controller" who is responsible for facilitating the exercise of these rights. He must respond "as soon as possible and in any event within one month of receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests" (art. 12-3). One could therefore deduce that one has three months to respond to a request and that this period alone can dissuade many applicants. In fact, no; on the one hand, because this extension must be justified by a "need" or "complexity," on the other hand, because the person making the request must be informed, within one month, of the reasons for this extension (art. 12-3 again). And if the data controller considers that the request is unfounded, it is up to him to demonstrate this unfounded nature (art. 12-5).
Article 13 lists all the information that must be provided when collecting data about an individual. This is a revolutionary development: one cannot collect data without first providing assurances of integrity with regard to the provisions of the regulation. No one will be able to rely on their size, reputation, or seniority to persuade Internet users to reveal information about themselves.
The following must therefore be provided in advance by the company:
– the identity and contact details of the data controller;
– the contact details of the data protection officer (in structures where it is mandatory, we will come to this);
– the purposes of the processing for which the data is intended, as well as the legal basis for this processing;
– the recipients of the data, including when a transfer is planned to a third country.
Upon receipt of the data (the text indicates “at the time of…”), the following must still be notified:
– the retention period;
– the right to rectification, erasure, restriction of processing, objection to processing, data portability (we will come back to each of these rights);
– the right to lodge a complaint with the supervisory authorities;
– the consequences of failure to provide data;
– the consequences of providing data, in terms of automated decision-making or profiling in particular.
When the data has not been collected from the data subject, the obligations are the same, to which is added "the source from which the personal data originates". This information is not required when the data is processed for archiving, research or statistical purposes of public interest.
Once the data has been transmitted by the data subject, it does not slip out of their control (what a change from current practices, again). Indeed, the GDPR first (re)creates a right of access (art. 15). This right of access already exists in France, but it is little known and complicated to implement. Here, it covers all the information mentioned in article 13. Access takes the form of transmission upon simple request: "The data controller provides a copy of the personal data being processed" (art. 15-3). This copy is free of charge (reasonable fees may be charged for an additional copy). When the request is submitted electronically, the response is provided in the same form, unless the data subject requests otherwise.
The second right expressly enshrined is the right to rectification (art. 16). This right concerns data that is inaccurate and incomplete with regard to the purpose of the processing.
The importance of the third right has gradually become apparent over the past ten years, since the emergence of Web 2.0 and social networks. It is since then that we have become aware of the importance of data, and that data collection has been organized and multiplied. Because information about us is in unknown hands, the demand for a right to erasure (or right to be forgotten) has taken formal shape. France made an attempt in 2010 with the adoption of Charters on the Right to be Forgotten, but Facebook and Google refused to sign them. It was the Court of Justice of the European Union that gave rise to this right to be forgotten in June 2014, following which the main digital players, including Google, had to establish procedures, including the posting of a "form" online, allowing an Internet user to assert this right. Thanks to the form, hundreds of thousands of people were able to have results concerning them removed from these players' databases.
The GDPR enshrines this right at the European level and sets it out in a simple manner (Article 17). At the request of the data subject, the data controller is obliged to erase, "as soon as possible", the personal data:
– if the data are no longer necessary for the purposes for which they were collected;
– if consent is withdrawn;
– if there is opposition to the processing.
The data subject does not have to justify his request. The only restrictions to this right of erasure are:
– compliance with a legal obligation arising from Union law or that of a Member State;
– the exercise of legal rights;
– reasons of public archiving, scientific research or statistics, as well as public health;
– finally, “the exercise of the right to freedom of expression and information” (art. 17-3a). One wonders what freedom of expression and information has to do with this. Did lobbies relaying the interests of the media have any influence? Or was it simply the omnipotence of the media – as strong as that of data – that imposed itself on the drafters of the text?
A "right to restriction of processing" is also provided, in particular while the accuracy of the data is being verified, or when the processing is unlawful but the data subject objects to erasure (art. 18). The restriction, like the processing, must be notified to the data subject (art. 19).
With the "right to portability," the GDPR allows an individual to retrieve the data they have provided to an organization, "in a structured, commonly used, and machine-readable format" (art. 20-1). They can do this either for their own personal use or to transfer it to another organization. They can even request that their data be transferred directly from one data controller to another. The CNIL specifies that data that is "derived, calculated, or inferred," i.e., created by the organization, cannot be required (this is distinct from the right of access). However, the data retrieved may contain, "secondarily," information relating to third parties.
The WP29, a European working group established under Article 29 of the 1995 European directive, which is working to clarify the GDPR before being transformed into the European Data Protection Board, recommends the upload mechanism for data transmission within the framework of the right to portability. In all cases, the provision must be easily accessible and secure. No specific format is indicated for the moment, but "the WP29 encourages industry players and professional associations to work on a set of interoperable standards and formats to respect these prerequisites of the right to portability."
The data controller is encouraged to communicate clearly about the right to portability, to implement an authentication procedure before transferring the requested data, and to provide this service free of charge, unless the request is manifestly unfounded or excessive, "in particular due to its repetitive nature." It should be noted that data transferred under the right to portability does not have to be deleted from the original file.
Everyone has the right to object at any time (art. 21). This objection may concern any processing, or more specifically direct marketing (art. 21-2) and even scientific or historical research, "unless the processing is necessary for the performance of a task carried out in the public interest" (art. 21-6). It is conceivable that this right will be used primarily to oppose commercial purposes.
Finally, the GDPR regulates profiling. “The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her” (Art. 22). Such a decision is permitted within the framework of a contract or if it is based on explicit consent. In these cases, the controller ensures “the safeguarding of the rights and freedoms and legitimate interests of the data subject.”