By Jasna Čošabić
One thing is certain for 2018. It will be marked by a milestone change in data protection for persons in the EU, not only for EU citizens but for anyone in the EU. Such protection will have effect not only in the EU: its long-arm effect will bring compliance duties worldwide. It will affect not just businesses in the EU, but also companies in the USA, China or Australia. What has been in the air for some time has now been clearly recognized: when protection of human rights in the cyber sphere is at stake, earth-bound borders are being overcome. And so is classic international law. The General Data Protection Regulation (‘GDPR’), which will be applicable as from 25 May 2018, will bring major changes in data protection, introducing enhanced rights for individuals or data subjects, complex duties of compliance for those processing personal data (controllers and processors), as well as high fines for breaches (up to €20 million or 4% of annual turnover).
The need for overall data protection comes in parallel with the fast growth of information technology tools. Persons and their personal data become overly exposed either willingly, or at least subconsciously willingly. By giving our personal data to social networks we choose to share them either with a limited number of known persons or without limitation. We might give our bank account number or delivery address when purchasing online, or submit our phone number when applying for a certain job. Our IP address is visible whenever we approach a certain web location. But do we accept that another employer calls us, instead of the one we gave our phone number to? Did we ask for our inbox to get loaded with offers that we did not ask for? Or, more extremely, what if our bank account is accessed without our authorization? In the world of digital technologies, the right information means power. The race for economic growth means a race for more customers, turning into a search for valid e-mail addresses, phone numbers and other personal information in order that a product or a service is offered and eventually sold. The key to reaching customers becomes a hunt for personal information. But that hunt has limitations. The limitations are made to protect the rights of natural persons, data subjects, such as the right to access data, right to rectification, right to erasure, right to restrict, right to data portability, right to object, etc.
Whose rights are protected?
Or what is the ratione personae jurisdiction of the GDPR? The persons protected under the GDPR are called data subjects: identified or identifiable natural persons (Article 4, para 1) who are in the Union (A 3, para 2). The Regulation opted for the location of a data subject as the criterion for protection under the GDPR, instead of a more formal approach such as EU citizenship or legal residence in the EU, thus taking an extensive approach towards any person who is in the Union.
What counts as personal data?
Personal data that is subject to the protection mechanism of the GDPR is any information relating to a data subject (A 4, para 1). When deciding which information can be considered personal data, it is important that the information is able to identify the person, or that it is an identifier. An identifier or personally identifiable information (PII) may be obvious, such as a name or identification number, but may also be location data or other factors that may be connected to a certain person, such as physical, psychological, genetic, mental, economic, cultural or social identity. So, the data which may come under the domain of ‘personal data’ are defined broadly in order to cover all possible identifiers, which do not necessarily need to be recognizable at first sight. On the other hand, according to the GDPR principle of ‘data minimization’, no excess data should be processed, but only the minimum of data necessary for the purpose of processing.
Right to access data
The right to access data is a prerequisite for all other rights. It is the opening gate to an array of data protection rights. In order for a person to request that his data be rectified, erased, restricted or ported, or to object to their processing, one must first get to know whether and what data are collected. The data subject further has the right to know the purpose of processing, to whom the data will be disclosed and the period of data storage, and to be informed about the right to complain or to request rectification, erasure or restriction of processing (A 15). Recital 63 stresses the importance of data access concerning health, insight into medical records, treatment. Controllers are advised to provide remote access to a secure system which would give the data subject direct access to his or her personal data, but only to the extent that the rights and freedoms of others are not adversely affected.
Right to rectification
The data subject may request the rectification of inaccurate personal data and the completion of incomplete personal data (A 16). The precondition for exercising the right to rectification is the right to access data, which is needed for the data subject to get to know, in the first place, the personal data kept about him/her. This gives the data subject the role of a “controller” of his/her personal data, and should also be favored by controllers, as it points them to data flaws.
Right to erasure or the right to be forgotten
The milestone Google v. Spain case brought practical effect to the right to be forgotten, then provided for in Data Protection Directive 95/46 (Article 6(1)(c) to (e)). It also introduced its long-arm territorial reach, which was echoed in other legal systems as well, and upon which the leading search engine, Google, later enabled its users to request the erasure of personal data across the globe (https://forget.me/). The Court of Justice of the EU outlined in the said judgment that ‘even initially lawful processing of accurate data may, in the course of time, become incompatible with the directive where those data are no longer necessary in the light of the purposes for which they were collected or processed. That is so in particular where they appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the light of the time that has elapsed.’ (para 93)
The right to erasure under Article 17 of the GDPR follows the wording and the intention of the said case, providing for the possibility of requesting erasure when the personal data are no longer necessary in relation to the purposes for which they were collected or processed (para 1a). However, it also takes a wider approach, introducing, inter alia, lack of consent or objection by the data subject as grounds for requesting data erasure. This gives a more subjective approach to the right to erasure, putting the will of the data subject at the forefront when opting for erasure of private data, unless of course public interest requires otherwise (right of freedom of expression and information; official authority; public health; scientific or historical research purposes or statistical purposes; the establishment, exercise or defense of legal claims (A 17 para 3)). According to the GDPR principle of ‘transparency in processing’ of personal data, controllers are to inform data subjects of the existence of the right to rectification or erasure and the right to data portability (A 13(b)). They should also strive to inform any other controllers who might have come in touch with such data to erase any links, copies or replications of the personal data, in order that the right to be forgotten is strengthened in the online environment.
Right to restrict
Persons or data subjects shall have the right to restrict processing (A 18) if they contest the accuracy of personal data, or if the processing is unlawful but they do not want erasure. Restriction, contrary to erasure, leaves the data in place, but with restricted access. Suggested methods for restricting data are temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. The restriction of data should be clearly indicated in the system (Rec. 67), and data subjects should be informed when the restriction is lifted.
Right to data portability
A new right recognized by the GDPR is the right to data portability (A 20). It gives data subjects the right to be sole proprietors of their data and obliges controllers to provide that data in a structured, commonly used and machine-readable format, and to enable data subjects to carry them or to transmit them to another controller or processor. The GDPR distinguishes two kinds of acquired data which are subject to the portability right. The first are data that are deliberately provided by data subjects, such as data given when opening an e-mail account, bank account, social network profile or shopping account. Such data are disposed of pursuant to a consent or a contract. On the other hand, there are data that have been collected by controllers or processors themselves, i.e. by automated means.
It also includes the right to have personal data transmitted directly from one controller to another. For example, if a person decides to change his electricity provider, he may request his provider to transmit his data to another provider. That puts the data subject in a position to administer his data and to have a controller act upon his demands. The ability to transmit data from one service provider to another also puts an important accent on healthy market competition, although that comes as a secondary consequence, while the primary aim is to have data subjects in control of their personal data.
Right to object/Profiling
Data subjects are given the right to object to the processing of personal data, including profiling (Art 21 re A 6 (1) e, f), when such processing is carried out in the public interest or for legitimate interests pursued by the controller or by a third party. When the data subject objects, the controller shall no longer process the personal data. However, if the controller demonstrates compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject, it may continue to process the personal data.
What does profiling refer to? Profiling is described in Recital 71 of the GDPR as automated processing aimed at evaluating the personal aspects of a natural person in order to analyze or predict the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. Profiling may be used for tax purposes, in which case it is in the public interest. But profiling may also be used for the purpose of direct marketing.
We are often faced with internet offers recognizing exactly our needs or interests and filling our inbox, sometimes to our delight, but sometimes not. Pop-ups, ads and other kinds of direct marketing are displayed to us on the basis of our past searches, and are the result of automated profiling. If a person objects to profiling for direct marketing purposes, then processing will be stopped. There may not be a compelling interest of the controller in this regard.
The GDPR makes a difference between profiling as a result of processing personal data, and issuing a decision based on profiling. Decision making on the grounds of profiling may be done even without the consent (or contract) of the data subject if it is expressly authorized by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes (Recital 71, A 22). However, the data subject’s rights, freedoms and legitimate interests must be safeguarded. The phrase “authorized by Union or Member State law” goes in line with the permissible restrictions of rights of data subjects, and corresponds to the ‘in accordance with law’ concept outlined in the European Convention for the Protection of Human Rights and Fundamental Freedoms and the Human Rights Charter, to which Recital 73 of the GDPR refers.
Restrictions or derogations
The rights of data subjects are not absolute and may be restricted under certain conditions. The GDPR provides a list of possible restrictions in the public interest, which follow the spirit of the European Convention on Human Rights and the Charter. The fair balance between individual rights and public interest demands must be carefully pondered, in order that the proportionality of burdens is not infringed and that democratic society principles are safeguarded.
Procedural recourses available to data subjects
It is important that such an act provides not only for material rights but also for procedural guarantees attached to those rights. There are three types of procedural recourse under the GDPR: judicial remedy, complaint to a supervisory authority, and out-of-court proceedings and other dispute resolution procedures.
The right to an effective judicial remedy (A 78) is envisaged to be exercised in Member States, so national systems are to provide for such recourse.
A complaint to a supervisory authority is an administrative remedy that shall be dealt with by supervisory authorities in Member States (A 77). A judicial remedy is also possible against a decision issued in such proceedings (A 78), and in case of administrative proceedings taking excessive time.
But out-of-court dispute resolution (A 40) gives a range of possibilities, from classic alternative dispute resolution modalities, such as the ombudsman institution and mediation services, to new online dispute resolution (ODR) possibilities. The EU web-based ODR platform was created by the European Commission in February 2016 in order to provide citizens with faster and less expensive online resolution of disputes which originated in online purchases. ‘Out-of-court dispute resolution’ in the GDPR is given broadly, so it will be interesting to see how the ODR system will respond to any dispute instituted by a data subject in the light of the GDPR.
There are many steps ahead of us, and much has already been done with a view to providing compliance with the GDPR. Rightful interpretation of GDPR provisions is also very important. The Article 29 Working Party has issued a series of guidelines on data portability, consent, data protection officers, data protection impact assessment, etc. In addition to the direct effect of the GDPR as a regulation, some Member States, like Austria, Germany and Belgium, have enacted national laws in that regard. Another important issue is the long-arm effect of the GDPR when speaking of EU-USA transfer of data, and its relation to the Privacy Shield agreement. Supervisory authorities in Member States must prepare for their crucial position in dealing with complaints, breaches, etc. Companies and businesses must get ready, and data protection officers are going to be a very much needed workforce.
So, the great stone of GDPR is already rolling, urging all affected players to catch speed, or the sanctions will be sky-high. We are heading towards the start of a great albeit challenging story of thorough and profound data and human rights protection.
Court of Justice of the EU, Case C‑131/12 of 13 May 2014
 Čošabić, J., Quo Vadis Digital Citizen? Can a person be only partially forgotten? http://moderndiplomacy.eu/2014/11/08/quo-vadis-digital-citizen-can-a-person-be-only-partially-forgotten/
 See Čošabić, J., IT law – a challenge of dispute resolution, http://moderndiplomacy.eu/2016/06/08/it-law-a-challenge-of-dispute-resolution/
Jasna Čošabić, PhD is a Professor of EU and IT law, GDPR specialist