Hogan Lovells 2024 Election Impact and Congressional Outlook Report
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data portability, the right to be forgotten, and certain rights in relation to profiling. In this chapter we look at each of these rights in turn and assess the likely practical impact that the changes brought about by the Regulation will have on organisations.
Consumer groups often complain that information notices are too long and difficult for consumers to understand. This issue has become more significant as personal data is now collected in a variety of different situations (for example through mobile devices and the internet of things), where the nature of data collection and processing is less obvious. The Regulation requires controllers to tell individuals how their information will be used in clear and plain language, adapted to the individual data subject. For example, if information is being collected from a child, the language of the notice must be such that a child can understand it.
The information notice must contain the following:
The identity and contact details of the controller; any representative of the controller; the data protection officer; and any recipients, or categories of recipients of the personal data
The purposes and legal bases of the processing (including, where the processing is based on the legitimate interests of the controller or a third party, a description of those legitimate interests)
Where processing is based upon consent, reference to a right to withdraw such consent without affecting the legitimacy of prior processing
If the processing involves automated decisionmaking, including profiling, information about the logic involved, including the consequences for the individual
The period for which the personal data will be stored, or the criteria used to determine this
The nature of the rights of available under the law, including the contact details of, and the right to complain to, the relevant supervisory authority
Where applicable, if the personal data is to be transferred to a third country, the level of protection afforded by that third country by reference to an adequacy decision, or details of the safeguards adopted by controllers in the absence of an adequacy decision
Where personal data is not collected directly from the individual, the sources and categories of the personal data
Any further information to ensure that the processing of the personal data is fair
In addition, where information is collected directly from a data subject the controller must also tell the data subject whether the provision of personal data is obligatory (such as a statutory or contractual requirement) or voluntary, as well as the possible consequences of failing to provide such data.
If a controller intends to carry out processing that is not covered by the original information notice, the controller must provide additional information to a data subject prior to such processing to ensure that the processing is fair.
The right of subject access permits individuals to request the personal data that is being processed by the controller. The Regulation makes some additions to the detailed information to be provided in response to a request, and also makes some procedural changes:
Controllers must put in place a process for dealing with requests
Where a request is made in electronic form, the information must be provided in electronic form, unless the data subject requests otherwise
Controllers may no longer charge a fee unless the request is ‘manifestly unfounded or excessive’, for example where it is repetitive in character. The onus is on the controller to demonstrate the manifestly excessive character of the request
The controller must provide the requested information within one month of receipt of the request. This is less time than allowed by some Member States at present. There is potential for an extension period, but it only applies in very limited circumstances.
The Regulation retains the right to obtain from the controller rectification of personal data which are inaccurate and to obtain completion of incomplete personal data, including by way of supplementing a corrective statement with very little change.
The Regulation broadens the current right to object to data processing. In particular, a data subject is always entitled to object to processing carried out on the basis of a legitimate interest of the controller or for the purposes of direct marketing without the need of indicating specific justifications.
The Regulation introduces the right to obtain restriction of the processing that can be exercised, for example, while complaints (for example, about accuracy) are pending, or if the processing is unlawful, but the data subject objects to erasure of the data.
The Regulation gives data subjects the right to have their personal data erased, provided that certain conditions are met. In particular, the data must be erased when:
it is no longer needed for its original purpose
the data subject withdraws consent and there is no other legitimate basis for the processing
the data subject objects to the processing
the data must be erased in order to comply with a legal obligation to which the controller is subject
the data has been collected in relation to the offering of information society services to children
the processing is unlawful
This right to be forgotten was one of the most controversial aspects of the Regulation when it was first published, not least because the practical limits on a controller’s obligation to delete data were unclear. Following the decision in Google v Costeja, the right to have data erased no longer represents such a dramatic change, but it remains to be seen what the extent of the obligation will be in practice, as the Regulation proposes a number of limits, such as, for instance, when the processing is necessary for exercising the right of freedom of expression and information.
The Regulation gives individuals the right to have a copy of their personal data in a commonly used electronic and structured format that allows for further use, including by other data controllers.
This right raises both practical and commercial issues for most controllers, and the Regulation proposes the right shall apply only to data that was provided by the data subject to the data controller. The Article 29 Working Party has indicated that issuing guidance on this new right is a priority for them.
Profiling is discussed in more detail elsewhere in this publication. Briefly, under the Regulation the data subject will have the right not to be subject to a decision entailing the evaluation of personal aspects relating to him based solely on automated processing and having direct legal effects on (or affecting) him, save where the processing is on certain specified grounds.
The accountability approach built into the Regulation means that organisations must be able to demonstrate that they have procedures in place for dealing with their obligations to data subjects. In addition to creating such processes, organisations will need to review their existing information notices to assess whether they contain all necessary information, and whether this information is easily understood. Some organisations may already be operating to a higher standard in some countries because of provisions under their local law. An advantage of the Regulation, therefore, is that controllers will be able to have identical notices across Member States.
The new rights to erasure and data portability will almost certainly require IT system changes. The detail of these changes is not settled yet, but given project lead times organisations may need to start alerting their IT teams to the forthcoming need for these changes.
Review current information notices to ensure that they are accurate, comprehensive, and up to date. Consider whether any additional information will be required under the Regulation, and whether the language is sufficiently clear for the target audience.
Consider whether you need to create procedures for handling requests from data subjects to exercise their rights.
Identify your current profiling activities and assess whether they meet the requirements or the Regulation.
Consider how to implement appropriate consent request mechanisms for profiling.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
Authored by the HL Chronicle of Data Protection Team