Data subject rights
EDRi broadly welcomes the provisions in the Regulation, which strengthen and clarify the rights of the data subject through measures aiming for greater accountability and responsibility of the controller (e.g. to inform data subjects of breaches, to ensure greater transparency of data processing and greater access to remedies), as well as new rights such as data portability. Additionally, EDRi supports the clarification and better implementation of existing rights, including the right to erasure (through the right to be forgotten).
There are, however, some provisions that could be clarified and strengthened to avoid any potential restriction on the user's ability to exercise their right to data protection.
Processing of Data of Minors (Article 8)
EDRi sees the need to clarify specific rules for the processing of data of children, and agrees that the processing of data of data subjects under the age of 13 should require parental consent. Considering that data can be processed in situations outside the scope of “the offering of information society services” indicated in Article 8(1), we suggest broadening the scope to include all services.
Transparency and Modality, Information and Access to Data (Articles 11-14)
EDRi considers the addition of greater transparency and accountability mechanisms to be a significant improvement compared with those outlined in Articles 10 and 11 of the 95/46/EC Directive. Particularly given the nebulous nature of many Terms of Service and Privacy Policies, we welcome the requirement in Article 11(2) to ensure that processing of personal data is communicated to the data subject in intelligible form, using clear and plain language. However, with regard to communicating the rectification or erasure of data, Article 13 requires clarification as to what “a disproportionate effort” may entail as a ground for the controller not doing so.
Article 14, which provides a list of mandatory information to be provided to the data subject, is also a welcome addition. However, Article 14(1)(h) should further specify that “additional information” includes any processing operations that would have particular impacts on, or consequences for, the data subject, for example measures based on profiling (Article 20) or cases where the privacy impact assessment (Article 33) reveals significant risk.
Rectification and Erasure, Right to Object and Profiling (Articles 15-19)
Right to be forgotten (Article 17)
Article 17 builds primarily on rights that currently exist under the 95/46/EC Directive. However, as the article stands, it is unclear how this could be implemented in practice, particularly in an online environment.
To ensure greater clarity, we suggest refining the text so that controllers are responsible for “the right to be forgotten” in relation to data over which they have control. Where controllers have lost control of data in ways which contravene this Regulation, this should be subject to appropriate sanctions. However, attempting to make online services, in particular, liable for the availability of content over which they have no control will lead to measures (blocking, filtering, de-indexing, etc.) that contravene the freedom of communication and could even lead to the introduction of technologies which would undermine the privacy of users (for example, measures such as those prohibited by the Scarlet/Sabam ruling of the European Court of Justice, Case C-70/10).
For these same reasons, we suggest broadening the scope of Article 80 to include “all media” to ensure the protection of the right to free expression. Finally, the data subject should not have to invoke the right to deletion in Article 17(1)(c) and (d), as this right is already articulated in Article 5(e).
Right to Data Portability (Article 18)
EDRi welcomes the inclusion of this new right, but the scope must be broadened to include not only data collected on the basis of consent or a contract but also data collected through other means. Where Article 18(1) refers to an “electronic and structured format which is commonly used”, we suggest refining the term “commonly used” by specifying that this includes interoperable and open source formats.
Right to Object (Article 19)
EDRi supports the strengthening of the right to object, particularly as the burden of proof to demonstrate “legitimate interest” falls on the processor and not the data subject.
Article 19(2) should expand “intelligible manner” using the language in Article 11(2) (where any communication relating to the processing of personal data should be communicated in “an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child”).
Remedies, Liabilities and Sanctions (Articles 73-77)
EDRi views the establishment of comprehensive and streamlined remedies for data subjects as an essential element of the Regulation. However, there are several aspects of Chapter VIII which require further specification, particularly in regard to the application of sanctions.
Collective & Individual Actions
Article 73 states that a data subject or any appropriate body (organisation or association) can lodge a complaint with a supervisory authority. What is lacking, however, is the inclusion of collective action, as this type of redress mechanism could empower data subjects and increase the effectiveness of compliance with data protection law. By enabling such collective action, individuals would be more likely to report smaller-scale but widespread violations, as they would be much less deterred by administrative burdens, potential costs and other such risks.
Competence of Courts and DPAs
EDRi welcomes the attempt to create a flexible system of redress for data subjects, enabling them to file actions in the country in which they reside. However, this approach could result in an unintentional complication of redress, where the supervisory authority, the court and the controller could be in different Member States. While Article 76(3) and (4) attempt to address this potential situation, EDRi suggests further clarification, particularly with a view to ensuring greater information sharing at the level of national courts.
Similarly, with regard to data protection authorities, Article 76 should include a clear articulation of the role of the Board in the case of a conflict between two authorities, as EDRi can envision cases where individual DPAs may take opposing views in a single court case (Article 76(2)). This would be unlikely to strengthen the rights of the data subject, and could also deter cooperation and trust between DPAs.
As regards the exception in Article 75(2), under which the right to bring proceedings before the courts of the data subject’s place of residence does not apply where the controller is a public authority, EDRi strongly suggests ensuring that this exception does not extend to public authorities of third countries, as this would effectively deprive data subjects of adequate redress mechanisms.