
D11.3: Economic aspects of mobility and identity


Rights of the data subject

Although a casual look at the text and chapters of the data protection directive would suggest that the data subject is granted only two rights (the right of access and the right to object), a closer look reveals that it implicitly grants more rights to the data subject. This approach is indeed needed to ensure that the data subject remains the ultimate controller of his personal data, a purpose whose fulfilment fortifies the fundamental right to privacy as stipulated in Article 8 of the European Convention on Human Rights (ECHR). The safeguarding of these rights is obligatory under European data protection legislation, although it might entail high economic consequences.

In brief, the data protection directive sets forth several specific rights to the data subjects, each one covering a different phase within data processing: 

First, the data protection directive considers that the data subject has the right to know whether his personal data are being collected and processed. This right is closely related to the consent of the data subject, since the latter is considered one of the criteria of legitimate processing (after all, the consent of the data subject presupposes a general knowledge of the facts he is consenting to). However, even in cases where the user has not given his consent (for example, where processing is necessary for compliance with a legal obligation to which the controller is subject), the right to know remains in full effect. It follows that the data controller must still inform the data subject that his personal data are being processed, in accordance with Articles 10 and 11 of the data protection directive. Moreover, this specific right is mentioned in recital 25 of the data protection directive as a reflection of a good interpretation of the data protection principles.

The data protection directive perceives the information to be provided more as an obligation on the part of the data controller, and less as a specific right of the data subject. When the data are collected from the data subject, the minimum information that has to be provided is the following:

  1. the identity of the controller or his representative 

  2. the purposes of the processing for which the data are intended 

  3. any further information if this is necessary to guarantee fair processing in respect of the data subject, such as: 

- the recipients or categories of recipients of the data, 

- whether replies to the questions are obligatory or voluntary, as well as the possible consequences of the failure to reply, 

- the existence of the right of access to and the right to rectify the data concerning him. 

This information has to be provided to the data subject at or before the time the data are collected. If disclosure to a third party is envisaged, article 11 provides that the information must be provided at the latest when the personal data are disclosed. For example, where a mobile network provider, acting as the data controller, decides to further communicate the traffic data of his network to third parties for the provision of value added services, he must first acquire the unambiguous consent of the subscribers.

Second, the data subject has the right to object to the collection and processing of his personal data. However, this right is overridden by the various exceptions (deemed ‘necessary’) which are found in article 7 of the data protection directive:    

  1. when the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, 

  2. when the processing is necessary for compliance with a legal obligation to which the [data] controller is subject, 

  3. when the processing is necessary in order to protect the vital interests of the data subject, 

  4. when the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the [data] controller or in a third party to whom the data are disclosed and 

  5. when the processing is necessary for the purposes of legitimate interests pursued by the [data] controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.

However, article 14 of the data protection directive stipulates the cases in which the right to object can be exercised:

  1. At least for the last two aforementioned cases, Member States are obliged to grant the data subject a right to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. When there is a justified objection, then the processing instigated by the [data] controller may no longer involve those data. 

  2. The data subject can object, on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing, or to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses. 

 

The ePrivacy directive perceives the right to object as withdrawal of consent. Therefore, the specific right is implicitly mentioned in Art. 5(3) (cookies), 6(3) (traffic data processed for the purpose of marketing electronic communications services or for the provision of value added services), 9 (processing of location data other than traffic data), 12 (directories of subscribers) and 13 (unsolicited communications). In all the aforementioned cases, the data subject is given the right to refuse the provision of services or in cases where he has already accepted them, to withdraw his consent. As regards the processing of location data in particular, even when the consent of the user or subscriber has already been obtained, the user or subscriber must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.

Third, article 12 of the data protection directive grants the data subject the right of access to his collected personal data, meaning that every individual whose personal data are being collected and processed has the right to obtain from the data controller:

  1. confirmation as to whether or not his personal data are being processed and information at least as to the purposes of the processing, the categories of the data concerned, and the recipients or categories of recipients to whom the data are disclosed, 

  2. communication to him in an intelligible form of the data undergoing processing and of any available information as to their source.

Where any automated decisions (as defined in Article 15 data protection directive, see infra) are involved, the data subject has the additional right to be informed about the logic involved in any automatic processing of data concerning him.

All the aforementioned information must be available to the data subject ‘without constraint at reasonable intervals and without excessive delay or expense’. In addition and as regards how the right of access is exercised, an ideal situation would include both online and physical access - the latter realised at the physical address of the data controller. However, in cases where physical access would entail disproportionate efforts and costs on behalf of the data controller (or if the data collected is disproportionately little), it is arguably accepted that the right of access can be exercised only through online means. Considering the various security risks, we would suggest that the data controllers should not provide information unless they can verify the identity of the applicant (e.g. through the use of an electronic signature). This is specifically important in cases where the accidental disclosure to an individual who is impersonating the data subject would be likely to cause damage or distress to the real data subject.

Fourth, the right of access includes a right for the data subject to rectify, erase or block the data that relate to him, in cases where their processing does not comply with the requirements of the data protection directive (for example, where the data controller's collection of personal data is disproportionate to his purposes), and in particular when the data at issue are incomplete or inaccurate. That would be the case, for example, when the name of the subscriber to a mobile network is registered wrongly.

Fifth, article 15 of the data protection directive confers on the data subject a right not to be subject to an automated decision which produces legal results concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. A statutory exception to this right is provided in 12(2) of the aforementioned directive, in cases where the decision is either:

  1. taken in the course of the entering into or performance of a contract, provided that the request (for the entering into or the performance of the contract) has been lodged by the data subject and there are suitable measures to safeguard the data subject's legitimate interests; or 

  2. authorised by a law that also lays down measures to safeguard the data subject's legitimate interests.

There is no further guidance in relation to the phrase 'significantly affects'. A logical interpretation would associate the verb 'affect' with emotional distress. Therefore, in order for the specific right to be activated, the data subject should suffer significant emotional distress; it does not necessarily have to result in physical damage or financial loss. On the other hand, it would seem unlikely that a data subject will object to receipt of an unsolicited benefit, even if it has occurred because of automated processing (e.g. the data subject is promoted as a result of automated processing). In the field of mobile communications, for example, it is doubtful that this article would be invoked by an employee of a courier enterprise when, due to the erroneous processing of his location data, he appears to be more productive and therefore receives a financial bonus.

Sixth, the data protection directive makes it clear that the processing of personal data must be done in a maximum security environment. It therefore calls on the Member States to impose a security obligation on the data controller, who must implement '[…] appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing'. In addition, '[h]aving regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected'. This obligation of the data controller can arguably lead to a derivative right of the data subject to know the extent to which his data is secured, which serves as a supplemental right to the general information right of the data subject (discussed supra). In brief, the obligations of the data controller regarding the processing of personal data are:

  1. establishment of the appropriate standards and procedures,  

  2. selection of personnel based on their skills and ethics, who have received appropriate training in security issues, 

  3. management of outsourcing contracts and the selection of a data processor according to the technical and organisational security measures governing the processing.

 

In relation to the last security obligation, the directive provides that when the carrying out of data processing is performed by a data processor, it must be governed by a contract or legal act which binds the processor to the controller and that specifically stipulates that: 

  1. the processor shall act only on instructions from the controller, 

  2. all the security obligations addressed to the data controller should also be incumbent on the data processor.

In the specific field of electronic communications, the ePrivacy directive places similar obligations on the provider of electronic communications services: he must take 'appropriate technical and organisational measures' to safeguard the security of his services, if necessary in conjunction with the provider of the public communications network with respect to network security. Again, having regard to the state of the art and the cost of their implementation, these measures should ensure a level of security appropriate to the risk presented. In addition, the second paragraph of article 4 of the ePrivacy directive obliges the providers of an electronic communications service to inform the subscribers in the event of a particular risk of a breach of the security of the network (a virus or a network malfunction which could lead to a data leak). The information should cover not only the nature of the risk but also any possible remedies, including an indication of the likely costs involved, in case the risk lies outside the scope of the measures to be taken by the service provider.

Finally, the data protection directive ensures that the data subject is granted a right to seek legal relief to protect his privacy rights. For this purpose article 22 of the data protection directive reads: 'Without prejudice to any administrative remedy for which provisions may be made, inter alia before the [national Data Protection] supervisory authority, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed to him by the national law applicable to the processing in question.' In addition, the aforementioned directive also regulates the liability of the data controller in cases where the data subject (or indeed 'any person') has suffered damage as a result of an unlawful processing operation or an act incompatible with the national provisions adopted pursuant to it. In such a case, the plaintiff is entitled to receive compensation from the controller for the damage suffered, unless the latter can prove that he is not responsible for the event giving rise to the damage.

A common element in many legislative texts that grant specific rights to individuals is the fact that these laws acknowledge situations in which the interests of society taken as a whole require that an individual’s rights are subjugated to broader requirements. The data protection directive includes such a restraining legislative imperative in article 13, where it provides that: 

Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in articles 6 (1) [data protection principles], 10 [right of information], 11 (1) [right of information in secondary acquisition of data], 12 [right of access] and 21 [publicizing of processing operations] when such a restriction constitutes a necessary measure to safeguard:

  (a) national security 

  (b) defence 

  (c) public security 

  (d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions 

  (e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters 

  (f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e) 

  (g) the protection of the data subject or of the rights and freedoms of others.

This approach mirrors that of the ECHR, which provides in respect of most of its articles that derogations are permitted where these are 'in accordance with the law' and are considered 'necessary in a democratic society'.