Privacy & Information Security Law Blog

On July 8, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its White Paper (the “Paper”) as input for the European Data Protection Board’s (the “EDPB”) future guidelines on data subject rights (“DSRs”) (the “Guidelines”). The Paper, titled “Data Subject Rights under the GDPR in a Global Data Driven and Connected World,” was drafted following the EDPB stakeholders’ event on DSR in Brussels on November 4, 2019.

The Paper examines how DSRs relating to access, rectification, erasure, restriction of processing and objection to processing should be applied in today’s global, data-driven and connected world to be effective. The Paper recommends that the Guidelines balance DSRs against other fundamental rights, such as the right to conduct business in the context of today’s data-driven economy and society. In addition, the Paper emphasizes the important educational role that the EDPB has to play, with respect to the public, on the purpose and limitations of DSRs. In this vein, the Paper recommends including a reasonableness test for individuals’ DSR requests in the Guidelines, to avoid disruption to core business practices.

Furthermore, the Paper recommends that data protection officers (“DPOs”) should not have front-line and sole responsibility for dealing with incoming DSR requests but that DSR requests should be distributed to the most appropriate teams across an organization. The Paper adds that organizations should be credited for implementing processes that allow effective DSR response, especially where they have a certification covering their DSR process. It further adds that effective DSR processes should be recognized as a mitigating factor in enforcement contexts. In addition, the Guidelines should allow for flexibility with respect to a response during exceptional circumstances, as some data protection authorities (“DPAs”) have during the COVID-19 crisis.

The Paper also highlights the current lack of harmonization across the EU in how DSRs are applied, stemming from inconsistency in guidelines and standard forms issued by DPAs. The EDPB Guidelines should describe the applicable grounds to exercise DSRs and provide a common assessment matrix for their handling. Further, the Paper emphasizes that the Guidelines should remain principles and risk-based rather than prescriptive, and should not interfere with EU Member States’ abilities to restrict DSRs through legislative measures in certain circumstances.

Specifically, the Paper recommends that in its Guidelines the EDPB:

• clarify the requirements governing verification of the identity of individuals submitting DSR requests;
• clarify how organizations should respond to third-party services exercising DSRs on behalf of individuals, and confirm that controllers will not bear liability for such responses;
• provide that controllers that have implemented a self-service tool for DSR requests are not required to provide bespoke responses to individuals’ DSR requests unless justified by specific circumstances;
• provide that the one-month deadline for responding to a DSR request will run from the point at which the request’s scope is clear and the identity of the requestor has been verified, and that extensions to the deadline may be justified in certain circumstances, such as where the controller receives an unusually high volume of DSR requests;
• place requirements on data subjects to ensure that their requests are clear and limited, as well as limitations on the obligations of controllers to respond to DSR requests that require additional processing or are not directed to the correct organization;
• provide that organizations are only required to provide data that will be meaningful to the requestor, not data that would require the organization to engage in additional processing or exceed the purpose of the DSRs, or which would impose undue burdens on the organization;
• recognize that compelling interests of the organization, third-parties or society may limit DSR requests;
• place limitations on excessive, unfounded or abusive requests, including those weaponized for the purpose of disrupting the organization; and
• provide for a proportionate approach in responding to DSR requests, particularly with regards to the cost to the organization.

The Paper also provides recommendations relating to specific DSRs. For example, the Paper suggests that for DSR requests for access, controllers should be permitted to direct individuals to their privacy notices in the first instance, where the information requested is provided therein, rather than responding in a bespoke manner to the data subject. The Paper also asserts that the right to rectification should not interfere with the right to freedom of expression, or amount to a right to rectify past information that the data subject takes issue with (such as comments from supervisors in a performance review). Further, with regard to deletion requests, the Paper suggests that organizations be permitted to request confirmation of the request before permanent deletion, as data subjects may not always understand the long-term implications of deletion.

View the full White Paper.