The right to access personal data is fundamental to data protection, and it was present in data protection laws as early as the Council of Europe’s Convention 108 (1981) and the UK’s Data Protection Act 1984. 

But providing access to personal data continues to challenge many organisations—particularly those handling high volumes of information or dealing with disgruntled ex-employees. Courts still regularly hear cases on the subject, and many regulators will focus on the right of access throughout 2024. 

Access is the theme of the European Data Protection Board’s (EDPB) coordinated enforcement action throughout 2024. Earlier this month, the French regulator chose access as a priority topic for investigations and the UK’s Information Commissioner’s Office (ICO) recently reprimanded several organisations for lengthy data subject access request (DSAR) backlogs. 

Recent ‘right of access’ lessons from the EU’s Court of Justice 

Despite the long history of the right of access, the Court of Justice of the European Union (CJEU) dealt with several cases last year resolving ambiguities in its interpretation. 

In the January 2023 Case C-154/21 RW v Österreichische Post, the CJEU considered Article 15(1)(c) GDPR, which states that a DSAR can be used to request information about the “recipients or categories of recipient” of a data subject’s personal data. So, which is it: the recipients, or the categories of recipient?

The court held that a controller must always disclose the actual recipients of personal data (the names of the specific companies or people with whom the controller has shared personal data) unless such a disclosure would be “impossible”. The CJEU clarified that the right of access may be restricted to information about categories of recipients only where it is impossible to disclose the identity of specific recipients, in particular where they are not yet known.

In the May 2023 Case C-487/21 Österreichische Datenschutzbehörde and CRIF, the CJEU was asked to decide whether controllers could provide a comprehensive summary of a data subject’s personal data in response to a DSAR, or whether a full copy of the data (including database extracts or scans of documents) was always required. 

The court found that data subjects are entitled to a “faithful reproduction” of all the personal data they request. This doesn’t necessarily mean providing full documents, but the data subject must be able to “fully understand the information” and exercise their other rights. 

In the October 2023 Case C‑307/22 FT v RW, the court found that a person’s motivation for making a DSAR is irrelevant: a valid request must be met, whether the information is sought for a legal “fishing expedition” or to check that the controller is processing the personal data lawfully.

Possible legal changes in the UK 

The UK’s Data Protection and Digital Information Bill (DPDIB) proposes several changes to the UK GDPR’s rules on the right of access. However, controllers struggling with large DSAR backlogs might find that the reforms don’t go as far as they had hoped. 

In its Data: A New Direction consultation paper, the government suggested reintroducing a nominal fee for data subjects submitting a DSAR. This proposal was scrapped in the tabled version of the DPDIB, but several other reforms were included in the Bill. 

The Bill would change the threshold at which controllers may deny a request or charge a fee. While the current law excludes “manifestly unfounded or excessive” DSARs, the DPDIB’s new Article 15A would refer to “vexatious or excessive” requests.

The law would also provide a set of factors to consider when determining whether a DSAR is vexatious or excessive, such as the relationship between the data subject and the controller, whether the request has been made in bad faith, or whether the request is an “abuse of process.” 

The DPDIB would also clarify when the 30-day timescale for fulfilling a request begins. An amendment tabled in November 2023 would specify that controllers only need to conduct a “reasonable and proportionate” search for requested personal data. 

Streamlining subject access requests 

The right of access is a stated enforcement priority across the European Economic Area (EEA) and the UK. Poorly handled DSARs can cause data controllers to suffer reputational damage and deliver unsatisfactory experiences for employees, customers, and other stakeholders.

However, the right of access doesn’t exist in isolation. An efficient DSAR process flows from good data protection practices elsewhere in an organisation, including record-keeping, data minimisation, and vendor management. 

HewardMills can assist your company with all aspects of data protection and data governance, helping you achieve a timely, efficient DSAR response process. 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.