Loughlin O’Nolan is a Director with Article Eight Advocacy.
Mandating not for profit organisations to take data protection complaints and legal actions is an alternative to the administrative complaints process. This is provided for in legislation.
Background
The EU Charter of Fundamental Rights sets out the right to protection of personal data and the right to respect for private and family life (privacy) as distinct fundamental rights. Article 8 covers the former and Article 7 the latter.
Article 8 states "Everyone has the right to the protection of personal data concerning him or her".
This fundamental right to data protection underpins European data protection law.
The Snowden disclosures of 2013 followed by the Cambridge Analytica scandal of early 2018 revealed to many people the unexpected and unwanted uses their personal data was being put to, and illustrated the lack of control individuals had over their personal data in many situations.
Returning control to individuals over their personal data and the uses to which it is being put was one of the key promises of the General Data Protection Regulation (GDPR), which came into force in May 2018.
The GDPR imposes significant obligations on data controllers and grants extensive data protection rights to individuals.
Obligations on controllers
Processing of personal data cannot be carried out without a lawful basis. Data controllers must respect the data protection rights of individuals. Data controllers must process personal data in line with the principles set out in the GDPR.
The overarching principle of accountability in the GDPR means that not only must data controllers meet their obligations, they have to be able to demonstrate how they are doing so.
Rights of data subjects and lawful processing
Despite much awareness-raising around the time of the introduction of the GDPR a knowledge gap still exists around what the data protection rights of individuals are, when they apply and how to exercise them.
The majority of data protection rights must be invoked by individuals in order to give them effect. This includes the crucial right of access, which is available to any individual whose personal data is being processed.
The European data protection supervisory regime requires individuals to carry out their own research and due diligence in order to confirm their personal data is being processed lawfully and fairly. If an individual feels this isn't the case then their first port of call is not the supervisory authority but rather the entity which is processing their data.
The power imbalance between individuals and data controllers in this situation can allow data controllers to frustrate or delay access to personal data. The largest amount of complaints handled by the Data Protection Commission (DPC) relate to the right of access.
The importance of data subject rights
The right of access and the right to information are pivotal to proper functioning of the European data protection supervisory regime. Without these most other data protection rights such as rectification, objection, erasure and remedy are effectively unavailable to data subjects, thwarting the intent of the GDPR.
The DPC's 2019 Annual Report reiterates the importance of the right of access: “Upon receipt of an access request, it is important for controllers to remember that the right of access is a fundamental right, so there is a presumption in favour of disclosure on the part of controllers.”
Guidance from the European Commission stresses that exercising the right of access should be easy.
Individuals wishing to exercise this most basic of their data protection rights shouldn't require legal literacy and legal assistance for straightforward interactions with data controllers. All data controllers have an obligation to provide information about what, how and why personal data is being processed, and access to a copy of that data when requested.
However in many cases it appears that bureaucratic roadblocks are erected which, whether by design or not, create delays and discourage individuals from pursuing their inquiries and availing of their data protection rights. In cases where requests for personal data are being made in order to secure records for another purpose, these obstacles and delays can neutralise the usefulness of the data protection right entirely.
Action
If individuals feel their personal data is not being processed in compliance with the GDPR they have a range of options.
They can pursue a complaint with the DPC. The DPC can apply any of its wide range of corrective powers, or choose not to.
Individuals can also, entirely separate to the DPC complaints process, seek remedy for material and non-material damages via the courts.
Individuals can mandate not for profit organisations such as Article Eight Advocacy to lodge complaints with the DPC on their behalf. Mandated organisations can also take legal action on behalf of individuals.
About Article Eight Advocacy
Article Eight Advocacy is a new, independent, not for profit organisation which advocates for data subject rights in Ireland. We support data subjects by using all the tools available to us to ensure their fundamental right to protection of their personal data is respected.
We do this by providing easy to understand information on what data protection means for people on our datasubject.ie website, submitting complaints to the Data Protection Commission on behalf of individuals if they mandate us to do so and managing the progress of these, and litigation where necessary.
More information about Article Eight Advocacy is available at www.article8.ie