In 2018, the French supervisory authority, the CNIL, registered 11,077 complaints, an increase of more than 30% compared to the previous year; 73% of them concerned the failure to respect the exercise of the data subject rights, such as provided under the General Data Protection Regulation (GDPR).
Following this observation, the CNIL decided to strengthen its controls on this specific matter this year, in order to guarantee the enforcement of these rights and in particular their implementation within the time limit set by the GDPR. Data controllers will therefore have to be particularly careful to avoid any damage to their image in the event of a sanction which is made public or any financial penalty imposed by the supervisory authority.
- The reinforcement of the rights of the data subjects under the GDPR
The GDPR provides for several rights to the benefit of the data subject:
- right of information;
- right of access;
- right to rectification and to erasure (also known as “right to be forgotten”);
- right to data portability;
- right to restriction of processing;
- right to object and to not be subject to a decision based solely on automated processing; and
- right to lodge a complaint with the competent supervisory authority.
Some of these rights already existed prior to the GDPR, under the Loi Informatique & Libertés (French Data Protection Act); some have been newly created, such as the right to data portability.
In addition, the Loi pour une République Numérique dated 7 October 2016 introduced in France the right to define guidelines on the retention, erasure and disclosure of personal data after death; however, this is a French specificity as recital 27 of the GDPR provides that “this Regulation does not apply to the data of deceased persons” and that Member States may provide for their own rules regarding this particular processing.
Article 12 of the GDPR specifies the modalities in which these rights may be exercised and in particular sets out the time limit granted to controllers to respond to requests made by data subjects, which is one month from their receipt with a possible extension of two months “taking into account the complexity and number of the requests“. Thus, no more than three months may elapse between the request of a data subject and its implementation by the controller, unless the latter does not take action, in which case it must provide the data subject with an explanation for its inaction.
The controller may also refuse to act on the request if it is manifestly unfounded or excessive, “in particular because of (its) repetitive character”.
- The implementation of these rights
The increase in complaints lodged with the CNIL on this subject reflects not only a greater awareness and responsiveness of natural persons regarding the processing of their personal data, but also recurring difficulties concerning the exercise of their rights.
In the United Kingdom, the findings are very similar. In its 2017-2018 annual report, the Information Commissioner’s Office (ICO), the British equivalent of the CNIL, reported a 23% increase in the number of complaints received compared to the previous year. Among these, 39% concerned the right of access to data provided for in Article 15 of the GDPR. The difficulties identified in France in this respect seem to echo those encountered in other Member States.
2.1 The usefulness of an internal policy for the exercise of rights
One of the barriers to the effective exercise of rights under the GDPR is the absence of completion of an internal policy in this regard by the controller, which would consist in a written procedure detailing the different steps to be followed starting from the receipt of an individual’s request. In a company with a large number of employees, the implementation of such a request would require the involvement of different human resources and various tools, particularly IT tools. Without a clear and pre-established internal policy, the risk is for the controller to ignore which resources to mobilise in due time and therefore to not act on the request in due time. This would constitute a violation of the provisions of the GDPR, which could then lead the supervisory authority to impose on the controller an administrative fine of 4% of his annual turnover or €20 million.
- The uncertainty regarding the enforcement of certain rights
The contours of certain rights are also difficult to establish:
- As for the right of access, uncertainties remain regarding its scope and how to conciliate it with the rights of defence or the protection of trade secrets. The GDPR does not provide any restriction in the communication of data to the subject who exercises this specific right. Nevertheless, for instance in the case of an employer/employee litigation, is the latter entitled to be granted access to all the data concerning him/her, even those that must be withheld because necessary to the opponent’s judicial strategy? The employer could refuse to take action, but the risk is that the data subject files a complaint with the supervisory authority, which could therefore lead to investigations which scope could be broader than the mere question of the right of access.
This right of access also grants the data subject the right to obtain, in the event of automated decision-making, meaningful information about the logic involved and the envisaged consequences of such processing. The implications of such right are therefore very important with regard to algorithms, whose impacts on our daily lives becomes every day more significant; its implementation may prove complex given the degree of technicality of certain automated data-processing.
- As for the right to erasure, it cannot be dissociated from the implementation of a specific policy regarding the retention and archiving of personal data by the controller. This thorough work must take into account the nature of the data processed, the purposes of the processing and the characteristics of the IT tools used; its enforcement can turn out to be a complex issue, particularly in the case of an ageing IT system, as it would require significant technical and organizational measures.
- As for the right to object, any natural person may invoke it in the context of a processing of data necessary for the performance of a task carried out in the public interest or for the purposes of the legitimate interests pursued by the controller, for reasons relating to his or her individual situation. On 18 March 2019, after several years of litigation concerning the contours of this notion, the Conseil d’État, the highest administrative court in the French legal system, ruled that general considerations were not sufficient to invoke this right, which must be based on grounds specific to the person concerned (or his or her minor children in this case). The implementation of the right to object therefore appears to be a source of difficulties and even litigation before the administrative courts.
Our in-depth analysis of decisions on this topic will help determine more precisely the modalities for implementing the rights of data subjects, and thus dispel the vagueness that still surrounds this major aspect of the GDPR.
We can provide controllers and processors assistance regarding an effective implementation of the rights of data subjects in their structure.
Isabelle GAVANON and Valentin LE MAREC