Data Subject Rights Under the GDPR [Explained]

With the passage of GDPR, it has become an unstoppable force which is reshaping the ways that companies do business and how they interact with their customers. Yet in spite of its landmark importance, there is still confusion as to what exactly the consequences are for ordinary people. So, let’s examine what your individual data rights are under GDPR. You can summarize them with these words:

  • The right of consent
  • The right to access the data
  • The right to change data
  • The right to complain
  • The right to erasure
  • The right to portability

I’ll pick them off one by one, but remember that it is not a fine-detail description of the legal niceties — if you want that, follow the links. This article just explains each.

The Right of Consent (link)
Under GDPR, organizations cannot store an EU citizen’s data unless they give their unambiguous consent. There are some exclusions (see the Right to Erasure, later in this article) The precise words used in the regulations are: “freely given, specific, informed and unambiguous.” Consent is not given if the organization requesting the data does not ask for it, or displays pre-ticked boxes that indicate consent. Those who haven’t explicitly opted in opt-in, have opted out. No matter what data they provided, the organization has no right to store it.

To make matters more awkward, consent must be given for each process applied to the data. So perhaps XZY Company stored my data so it could process my orders. That’s fine, but it cannot aggregate that data with other people’s data and start analyzing it unless I also agree to that. So it behooves companies to get all the permissions all at once.

GDPR also restricts the automated processing of personal data to analyze or predict an individual’s behavior. Specifically, the regulations restrict this activity if it will have a significant impact on an individual, such as in a hiring or credit decision. Many companies will have to adjust their business models around such restrictions.

And if you are hoping there’s a loophole for data already stored, there isn’t. If you never got permission, you now have to get it, both for storing the data and processing it.

The Right to Access the Data (link)
This is more complex and far-reaching than the word “access” implies. First of all, the EU citizen has the right to ask whether an organization is holding and processing his or her data, whether they have had any interaction with them or not. Having discovered that this is the case, they have the same rights as if they had volunteered the information. They then have the following rights, as well as all the other rights described in this article:

  • Ability to access the data.
  • To know what data is held, and where it came from.
  • To know the purposes of the processing done on it.
  • To whom the data has been disclosed, including recipients in other countries or international organizations. If that is done, all the data rights have to be enforceable at the destination. (see this)
  • The time period the data will be stored, or if impossible to state precisely, the criteria used to determine that period.

Beyond that, individuals have the right to know of the existence of automated decision-making on their data, including profiling, and “meaningful information about the logic involved,” as well as the significance and the consequences of such processing for the data subject. Or, to put it simply, if you are analyzing their data, you have to tell them exactly how and what the consequences will be for them.

The Right to Change Data (link)
The right to change data enables the individual to request that data, if incorrect, be corrected. Additionally, companies will have to notify them of everyone to whom their data has been disclosed so they can get that copy of the data updated. Failure to comply with their request requires a company to explain the reason for not doing so, and it has an obligation to inform the user of their right to complain.

This could, of course, become complicated. The problem is dirty data. Nowadays, there is a considerable amount of dirty data, for a variety of reasons, including data entry errors by the data owner. The problem is that incorrect data may have negative consequences for the data owner, for example, if it is part of a credit report.

The Right to Complain (link)
So, to whom will they complain? Individuals have the right to complain to a supervisory authority; there is at least one such authority in every EU country. The situation will thus be a little difficult if your company hasn’t yet registered with an authority. For more information on that see this previous article. The authority will provide guidance on what needs to happen. Their word will probably be final.

The Right to Portability (link)
Individuals have the right to request all personal data about them from an organization company holding their data. This must be transferred to them in a “machine-readable” format — so a CSV file will do. For the EU citizen, this could be very useful if they wish to build a database of personal information. Just get all of it from every company or government department you gave it to. Nice!

The Right to Erasure (link)
The “right to erasure” has also been referred to as the “right to be forgotten.” This means that EU citizens can request the complete deletion of their data. The data must be deleted without “undue delay.” So, my advice to EU citizens: If you want the data deleted, first go and collect it and put it into a personal database, then request deletion. However, there are exceptions you need to know about. You will not be able to get data deleted in the following situations:

  • Legal compliance. For example, banks in most jurisdictions are obliged to keep data for seven years, so your personal data will not be erased. Also, if you have a criminal record, don’t expect to get that expunged.
  • If there is a “public interest.” For example in the area of public health, data archiving in respect of scientific, historical research or public interest or data supporting legal claims.
  • GDPR does not apply to paper data and microfiche data, only digital information. Neither does it apply to technically impossible situations, such as when your data is held in a back-up file, but in that circumstance, no processing of your data is allowed. If it is restored, it must be deleted.

If a company makes your data public, and you wish “to be forgotten,” it is obligated to take reasonable steps to get other processors to erase the data. For example, when a website publishes an untrue story about an individual and later is required to erase it, it must request other websites that have republished the story to erase their copy of the story.

Of course, this only applies when it doesn’t conflict with freedom of expression laws. In short, you can’t suppress legitimate press.

But What About US?

US companies that are affected by GDPR are advised to consult with their insurance brokers to determine the impact of the regulations on their insurance programs. They need to discuss the coverage of GDPR violations and the logistics of insurance policies to pay into GDPR-regulated countries.

Yet for all of these data rights, they only apply to citizens of EU countries. So where does this leave the state of data privacy for US citizens?

US Data Privacy GDPR

On April 10th, Mark-have-I-said-I’m-sorry-enough-yet-Zuckerburg was facing a Senate Committee, pretending to sound responsible and issuing the occasional “mea culpa.” The senators, as one would expect, didn’t understand the technology side and spent most of their time trying to say something memorable. Kudos went to Lindsey Graham (R-SC) for mentioning the word “monopoly.” This word strikes fear into the hearts of big company executives, and can make a social network CEO melt like that Nazi villain in Raiders Of The Lost Ark. But it didn’t.

Regulations Imminent!

Nevertheless: Personal data abused, elections interfered with, citizens outraged — no doubt we’ll soon see a convoy of regulations coming down the pike. Politicians are filling the air with sound-bites that suggest imminent action and express noble goals (along party lines of course). One might get the impression that sometime soon, no single piece of personal data will ever be bruised or abused again. Dream on.

For one thing, the Facebook business model depends entirely on exploiting personal data, and no politician wants to be responsible for downing America’s sixth largest company. So expect a poorly formulated “Privacy Bill of Rights” or “Bill of Privacy Rights” to emerge.

Subsequently, lobbyists will circle like vultures over road kill until the traffic dies away, so they can dip their beaks into the impending legislation to “enhance” it. They will prevent any of the companies they represent (Facebook, Google, Twitter, et al) losing a dime of revenue, and with a fair wind, they may actually turn it into a revenue opportunity.

That’s how it might have happened, if the EU hadn’t ruined the game. Unfortunately for our beloved data pirates, the EU has set the bar for privacy legislation and it’s not a low one. American politicians may feel the urge to compete — but sadly they’re unfit.

Can America Beat The EU?

There’s scant possibility that the US legislative system will get even halfway to where Europe is. They don’t have the players. The US legislative team has been performing abysmally of late — they haven’t won a trophy since the LA Dodgers last won the World Series. But perhaps it doesn’t matter. Promising new teams are emerging from the newly formed crypto economy, and they may do the job on America’s behalf. They may even go further.

Crypto businesses that preside over personal data tend to give a damn about privacy. As new businesses that are de-facto-international, they’d be stupid to flout GDPR, so they don’t. Some, like Permission.io (the company I work for) are going further than GDPR. Rather than explain the technology employed (it’s complicated), let me frame it in the terms I’ve used above to describe the EU’s personal data rights program.

We would like to enhance those handsome regulations in the following way:

  • The right to personal cryptographic control. You have the right to personal cryptographic control (by private key) of ALL your personal data and the right to provide permission for its usage at the item level.
  • The right to anonymity. You have the right to have your data anonymized when requested by others so that it does not include any personal data that identifies who you are. (This may seem an impossible to implement, but it isn’t because of the next right).
  • The right to zero knowledge proof. You have the right to employ zero-knowledge proofs to provide credentials to preserve your anonymity.
Solving the “Data Rights” Problem: It’s about Compensation
Read More