right of access to personal data

{{Short description|Fundamental data protection right enabling an individual to access their personal data}}

The right of access, also referred to as right to access and (data) subject access, is one of the most fundamental rights in data protection laws around the world. For instance, the United States, Singapore, Brazil, and countries in Europe have all developed laws that regulate access to personal data as privacy protection. The European Union states that: "The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures."{{Cite journal |url=https://lirias.kuleuven.be/bitstream/123456789/618327/1/Ausloos_Dewitte_Shattering%20one-way%20mirrors%20%e2%80%93%20data%20subject%20access%20rights%20in%20practice.pdf |title=Shattering One-Way Mirrors. Data Subject Access Rights in Practice |date= 20 January 2018|first1= Jef|last1= Ausloos | first2=Pierre | last2= Dewitte| accessdate= | journal= International Data Privacy Law |volume=8 |pages=4–28 |doi=10.1093/idpl/ipy001 }} This right is often implemented as a Subject Access Request (SAR) or Data Subject Access Request (DSAR).{{cite web | last=Siddique | first=Haroon | title=Farage joins explosion in people using subject access requests | website=the Guardian | date=19 July 2023 | url=https://www.theguardian.com/law/2023/jul/19/sars-subject-access-requests-nigel-farage}}

United Nations

The aspirational Sustainable Development Goal 16, target 9, calls for the provision of legal identity for all human beings. "In the digital economy, this becomes the right to a digital identity."{{cite web |url=https://uncitral.un.org/en/working_groups/4/electronic_commerce |title=A/CN.9/WG.IV/WP.158 - Explanatory Remarks on the Draft Provisions on the Cross-border Recognition of Identity Management and Trust Services, Section II, paragraph 6 |website=United Nations Commission on International Trade Law, Working Group IV: Electronic Commerce, 58th session, 8–12 April 2019, New York |date= |author= |accessdate=27 April 2019 }} Such an identity could help in filing subject access requests.

Brazil

Brazil's General Data Protection Law (LGPD) is its first comprehensive data protection regulation. According to LGPD, subject access requests need to be fulfilled within 15 days.{{Cite web|last=|first=|date=|title=Law No. 13,709, of August 14, 2018 - Provides for the protection of personal data and changes Law No. 12,965, of April 23, 2014 (the 'Brazilian Internet Law')|url=https://iapp.org/media/pdf/resource_center/Brazilian_General_Data_Protection_Law.pdf|website=International Association of Privacy Professionals}}

European Union

The right of access is enshrined as part of the fundamental right to data protection in the Charter of Fundamental Rights of the European Union. It is in fact the only one of the practical rights relating to personal data that is listed there.

In the GDPR, this right is defined in various sections of Article 15. There is also a right to access in the GDPR's partner legislation, the Data Protection Law Enforcement Directive.{{Cite web|url=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:310401_3&from=EN|title=Protecting personal data when being used by police and criminal justice authorities (from 2018)|website=eur-lex.europa.eu|access-date=2019-10-25}} The European Data Protection Board (EDPB) has considered it "necessary to provide more precise guidance on how the right of access has to be implemented in different situations".{{Cite web|url=https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf |title=Guidelines 01/2022 on data subject rights - Right of access. Version 1.0. Adopted on 18 January 2022 |website=European Data Protection Board|access-date=2022-01-25}} When the EU Directive is transposed into Member State national law, the right of access may be suspended or restricted, as in the case of Germany in Article 34 of its Bundesdatenschutzgesetz.{{Cite web|url=https://www.bvdnet.de/wp-content/uploads/2017/08/BMI_%C3%9Cbersetzung_DSAnpUG-EU_mit_BDSG-neu.pdf|title=Act to Adapt Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680|id=DSAnpUG-EU|publisher=Bundestag|date=30 June 2017}} Moreover, on the European level, Europol offers a right of access.{{Cite web|url=https://www.europol.europa.eu/right-of-access|title=Right of access|website=Europol|language=en|access-date=2019-10-25}}

Singapore

Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA). The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. Access to personal data is laid out as part of Part IV, chapter 21 which states that on request of an individual, an organization shall, as soon as reasonably possible, provide the individual with:{{Cite web|url=https://sso.agc.gov.sg/Act/PDPA2012|title=Personal Data Protection Act 2012 - Singapore Statutes Online|website=sso.agc.gov.sg|language=en|access-date=2019-10-25}}

{{ordered list|type=lower-alpha

|personal data about the individual that is in the possession or under the control of the organization; and

|information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the organization within a year before the date of the request

}}

United Kingdom

In the United Kingdom, the website of the Information Commissioner's Office states regarding Subject Access Requests (SARs):{{cite web |url=https://ico.org.uk/your-data-matters/your-right-of-access/ |title=Your right of access |website=Information Commissioner's Office |accessdate=25 May 2018 |archive-url=https://web.archive.org/web/20180526040954/https://ico.org.uk/your-data-matters/your-right-of-access/ |archive-date=26 May 2018 |url-status=live |df=dmy-all }}

{{quote|You have the right to find out if an organization is using or storing your personal data. This is called the right of access. You exercise this right by asking for a copy of the data, which is commonly known as making a ‘subject access request’.
...
A copy of your personal data should be provided free in a commonly used and machine readable format.{{cite web |title = what are the rights of data subjects under GDPR? | url=https://www.truevault.com/resources/compliance/what-are-the-rights-of-data-subjects-under-gdpr |website=TrueVault }} An organization may charge for additional copies. It can only charge a fee if it thinks the request is 'manifestly unfounded or excessive'. If so, it may ask for a reasonable fee for administrative costs associated with the request.}}

Before the General Data Protection Regulation (GDPR) came into force on 25 May 2018,{{Cite web|last=Report|first=PrivSec|date=2017-11-15|title=Dealing with subject access requests under GDPR|url=https://gdpr.report/news/2017/11/15/dealing-subject-access-requests-gdpr/|access-date=2020-12-05|website=PrivSec Report|language=en-US}} organizations could charge a specified fee for responding to a SAR, of up to £10 for most requests.

United States

Five federal laws include a right of access to personal data:

In addition, some state laws, such as the California Consumer Privacy Act (CCPA), have started to include this right.

EU–US data flows

Data flows between the EU and the US (or at least those going West, towards the US) are governed by the EU–US Privacy Shield. One of the Privacy Shield principles is the right of access.{{cite web |url=https://www.privacyshield.gov/article?id=8-Access |title=Privacy Shield Framework |website=U.S. government |date= |author= |access-date=11 January 2019}} Indeed, it is most fundamental in enabling accountability mechanisms around personal data processing. This example demonstrates that a European-style conception of privacy does not necessarily have to be perceived by American actors as unduly imposing new restrictions on free speech by data subjects.

This Privacy Shield practice also shows that the case of civilian data protection (as under GDPR) is quite different from the case of criminal investigation, where a right of access is exercised as a "data request" by a government, not an individual, as in the US Supreme Court case Microsoft Corp. v. United States. The individual in criminal cases does maintain a right to know what data is being used about him or her, and of what crime he or she is accused.{{cite web |title=Working paper on Standards for data protection and personal privacy in cross-border data requests for criminal law enforcement purposes 63rd meeting, 9-10 April 2018, Budapest (Hungary) | url=https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/publikationen/working-paper/2018/2018-IWGDPT_Working_Paper_Cross-border_data_requests.pdf |date= |author= |accessdate=11 January 2019}}

References

{{Reflist}}

Further reading

  • Norris, Clive, Antonella Galetta, Paul de Hert, and Xavier L'Hoiry. 2016. The Unaccountable State of Surveillance: Exercising Access Rights in Europe (book).
  • Ausloos, Jef, René Mahieu, Michael Veale. 2019. Getting Data Subject Rights Right: A submission to the European Data Protection Board from international data rights academics, to inform regulatory guidance, 40 pages. doi:10.31228/osf.io/e2thg
  • Mahieu, René, Jef Ausloos. 2020. Recognising and Enabling the Collective Dimension of the GDPR and the Right of Access. LawArXiv. July 2. doi:10.31228/osf.io/b5dwm
