Rights of Data Subjects
In addition to imposing various duties upon data controllers, the Data Protection Acts provide subjects with certain rights. The purpose of doing so is to empower and enable subjects to check what data relating to them is being held and what is being done with it. These rights come with responsibilities: they are not granted to subjects so that they may make enquiries out of idle curiosity, but rather so that they can check what data is being processed on them and how accurate that data is.
The rights of data subjects are as follows:
- The right to establish the existence of personal data;
- The right of access;
- The right of objection;
- The right of rectification.
These rights are discussed in greater detail below.
The right to establish the existence of personal data
Section 3 of the Data Protection Acts provides that subjects may request in writing to be informed whether a person is keeping data relating to them. That person must respond to the request, and if data is being kept then they must provide a description of the data and the purpose of its processing. This right has several advantages over the broader right of access: it is quicker, 21 days versus 40; cheaper, being free versus €6.35 for the section 4 right; and broader, as there are no exceptions to this right. However, the right is an anachronism, a holdover from the 1981 Strasbourg Convention, and such a right is not required by the Data Protection Directive.
The Right of Access
Section 4 of the Data Protection Acts provides a right of access. Any data subject may request access to their personal data. Such a request must be made in writing, be accompanied by a fee of €6.35 and contain such information as the controller “…may reasonably require in order to satisfy himself of the identity of the individual and to locate any relevant personal data or information”. The subject must fulfil all of these criteria before time will begin to run, but once time begins to run the controller has 40 days within which to respond to the request. The 40 days are calendar, not business, days, so a controller has a little less than 6 weeks within which to respond to a request. When responding to a request the controller must:
- Inform the requestor whether or not it processes data relating to the requestor;
- If it does, then provide the requestor with a description of the following:
  - The categories of data being processed;
  - The purpose of the processing;
  - The personal data;
  - Any recipients of the data.
- Communicate the data to the requestor in an intelligible form;
- If the automated processing of this data will form the sole basis upon which a decision will be made relating to the subject, then the subject must be informed of the logic of the processing.
There are a few exceptions to the right of access, but the data will have to be released unless those exceptions apply.
The right of rectification or erasure
If data is being processed in breach of the Data Protection Acts then subjects have the right to request its rectification or erasure. Such a request must be made in writing. Controllers should comply with such requests as soon as possible and must do so within 40 days. Where data is inaccurate or out-of-date then the subject will be deemed to have complied with such a request if he supplements the data. Where the controller makes such a change in response to a request, then the controller must inform the subject that the change has been made and also inform anyone to whom the data was disclosed within the previous 12 months.
The Right of objection
Subjects have the right to request the cessation of the processing of their data which is causing or likely to cause substantial damage or distress to him or her or to another person, and the damage or distress is or would be unwarranted. Such a request must be made in writing for the processing either not to begin or else to cease within a reasonable time. Such a request can only be made where the processing is being undertaken:
- in the public interest or in the exercise of official authority or
- in the legitimate interests pursued by the data controller unless those interests are overridden by the interests of the data subject in relation to fundamental rights and freedoms and, in particular, his or her right to privacy with respect to the processing of personal data.
Such a request cannot be made where the subject has given his explicit consent or the processing is necessary:
- for the performance of a contract to which the data subject is a party;
- in order to take steps at the request of the data subject prior to his or her entering into a contract;
- for compliance with any other legal obligation to which the data controller or data subject is subject;
- to protect the vital interests of the data subject;
- for electoral activities;
The ministerial power to regulate for other cases lacks the powers and principles required by the High Court in — and so is not effective. Where such a request is made the controller must serve a notice within 20 days indicating that:
- the request will be complied with;
- the request will not be complied with and stating the reasons for such non-compliance.
An operator of a search engine such as Google is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages published by third parties. In 2010 Mr Costeja González, a Spanish national, complained that when an internet user entered his name in the search engine they would be directed to links to two pages of a newspaper which stated his name in connection with a real-estate auction linked with attachment proceedings for debt recovery. He requested that the newspaper remove or alter the pages and he requested that Google be required to remove or conceal the personal data relating to him so that they would not appear in search results. The debt recovery proceedings were fully resolved, yet an internet user would still be directed to material stating that he was the subject of such proceedings some 16 years later. The Court of Justice of the European Union held in Google v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, Case C‑131/12:
‘1. Article 2(b) and (d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d).
2. Article 4(1)(a) of Directive 95/46 is to be interpreted as meaning that processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, within the meaning of that provision, when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State.
3. Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.
4. Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, when appraising the conditions for the application of those provisions, it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject. As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.’
Rights in respect of automated data processing
The Data Protection Acts’ apparent prejudice against automated data processing now seems somewhat anachronistic. The reality is that automated data processing systems make decisions about people all the time; it is not at all clear that there is any real point in having such decisions looked over by a living person. It would seem likely that if a controller’s prejudices are reflected in his programming then they will also be reflected in his hiring choices. What section 6B of the Data Protection Acts says is:
“…a decision which produces legal effects concerning a data subject or otherwise significantly affects a data subject may not be based solely on processing by automatic means of personal data in respect of which he or she is the data subject and which is intended to evaluate certain personal matters relating to him or her such as, for example (but without prejudice to the generality of the foregoing), his or her performance at work, creditworthiness, reliability or conduct”
Many of the decisions that produce “…legal effects concerning a data subject…” will occur in the public sector, where basic standards of fair procedure will apply. Such standards would seem to preclude the taking of such automated decisions in any event, so rendering section 6B partially redundant. In addition section 6B will not apply where:
- The subject has consented;
- The processing is necessary to comply with a statutory obligation of which the subject has been informed;
- The processing is necessary to enter into or fulfil a contract with the subject;
- The processing will grant a request of the subject and adequate steps have been taken to preserve his rights.
Enforcement is possibly the most interesting aspect of Europe’s Data Protection Laws but is an aspect that is frequently overlooked. Data protection is designed to be primarily enforced by users themselves, with supervisory authorities such as the Data Protection Commissioner and the Courts themselves reduced to a supervisory role. This role is conferred on users by giving a number of powers to them, namely: the right of access; the right of rectification; the right to object; and the right to sue.