Exercising the right to access personal data in an interconnected online world – Are we really closer to finding out who the recipients of our data are?
On 12th of January, the European Court of Justice (ECJ) ruled that individuals have the right to be provided with the identities of those who receive and process their personal data.
The right to data protection outlined in Article 8 of the EU Charter of Fundamental Rights aims to protect individuals whenever their personal data are processed. As such, the General Data Protection Regulation (GDPR) provides enforceable rights to individuals, as data subjects whose personal data are processed, to help counter violations thereof and ensure that data protection rules are effective. At first sight, this judgement appears to be a clear win for individuals: controllers need to reveal the identities of those with whom they share personal data, which should help individuals better assess if their data are lawfully processed, exercise their rights as data subjects, and seek remedies. This should also help ensure that data processing is more transparent. However, to find out the identities of recipients, individuals have to make the effort to exercise their rights and process the information, if received. Additionally, the Court outlined two exceptions to the obligation, whereby it is sufficient to inform individuals of the categories of recipients where a) it is impossible to disclose the identities of recipients; or b) the controller can prove that the request is unfounded or excessive within the meaning of Article 12(5)(b) GDPR. In the online environment in particular, where personal data provided to one company might be shared with a host of others without our knowledge, controllers might be eager to argue that one of the exceptions applies. As a result, the question remains: are we really closer to finding out who the recipients of our personal data are?
Request for preliminary ruling
The case reached the ECJ following a dispute in the Austrian courts, where a data subject, RW, exercised the right to access the personal data concerning him provided for by Article 15 GDPR vis-à-vis Österreichische Post, a publisher of telephone directories. Article 15 GDPR entitles individual data subjects to obtain from controllers
‘confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: a) the purposes of processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;’ etc.
Therefore, RW wanted to know what personal data concerning him were being stored or had previously been stored by the publisher, and if the data had been disclosed to third parties, information as to their identities. The publisher revealed it shares personal data with third parties for marketing purposes, and that such third parties include ‘advertisers, IT companies, mailing list providers and associations […], non-governmental organisations […] or political parties’ (para. 20). As Österreichische Post did not provide the identities of recipients but only the categories, RW brought an appeal. This was dismissed by the court of first instance, on the ground that Article 15(1)(c) does not oblige controllers to ‘identify by name the specific recipients to whom personal data are transferred’ (para. 21). On appeal to the Oberster Gerichtshof (the Supreme Court of Austria), the following question was referred to the Court of Justice: is Article 15(1)(c) GDPR to be interpreted as meaning that it is enough for controllers to provide information about categories of recipients, both when specific recipients have not yet been determined and where data have already been disclosed? In other words, the referring court asked if Article 15(1)(c) gives data subjects the right to obtain information about the specific identities of recipients, not just of the categories of recipients.
The Court’s ruling
The ECJ interpreted Article 15(1)(c) in light of its wording, context, and the objectives pursued by the GDPR. It agreed with the Advocate General opinion that recital 63 of the GDPR does not seem to restrict the right to accessing only categories of recipients. It then placed Article 15 within the context of the principles of lawfulness, fairness and transparency contained in Article 5 GDPR, and highlighted its close relationship to the principle of transparency in particular, which requires that data subjects understand how their personal data are processed. Here, as did the Advocate General, the Court made a differentiation between the information set out in Articles 13 and 14 GDPR that data subjects must be provided with prior to the processing, and the right to access contained in Article 15. It maintained that whereas the former Articles give data subjects the right to be informed about categories of recipients, Article 15 goes further and gives the data subjects the option to obtain more precise information about the specific recipients with whom the data have been or will be shared. According to the Court, Article 15 functions to ‘enable the data subject to verify not only that the data concerning him or her are correct, but also that they are processed in a lawful manner, […] and in particular that they have been disclosed to authorised recipients’ (para. 37). It also functions to ‘ensure the effectiveness of all the rights’ (para. 39) provided for by the GDPR, by enabling data subjects to exercise all other relevant rights following an access request. Moreover, it reasoned that a limited interpretation of Article 15(1)(c), whereby data subjects are entitled to obtain only the categories of recipients, would be contrary to the GDPR’s objective of providing a high level of protection of individuals within the Union.
However, the Court also emphasised that ‘in specific circumstances, it is not possible to provide information about specific recipients. Therefore, the right to access may be restricted to information about categories of recipients’ (paras. 48-49) in two circumstances: where ‘it is impossible to disclose the identity of specific recipients, in particular where they are not yet known’ (para. 48), and where the controller can prove that the request is unfounded or excessive within the meaning of Article 12(5)(b) GDPR. Therefore, the Court’s answer to the question referred for preliminary ruling is that Article 15(1)(c) GDPR must be interpreted as meaning that where their personal data have been or will be disclosed to recipients, data subjects must be provided with the actual identity of recipients, unless one of the two exceptions applies.
The Court’s interpretation of Article 15(1)(c) GDPR is certainly in line with various data protection provisions and principles, in particular the principle of transparency, as well as the GDPR’s main objective of providing a high level of protection. However, the question that remains is whether this ruling will, in practice, bring individuals any closer to finding out who the recipients of their personal data are. In that regard, two points may be considered. The first has to do with the system set up by the GDPR, whereby to receive the most precise information about processing, data subjects must first go through the trouble of exercising their right to access. The second has to do with the likely consequences of this judgement in light of controllers’ data processing practices in the digital environment, where it might be easy to argue that on one of the two exceptions highlighted by the Court applies.
First, as discussed by the Court, data subjects have the right to be informed about data processing, including about the categories of recipients, as outlined in Articles 13 and 14 GDPR. To obtain the most specific information about processing, including recipients, data subjects must go beyond reading the information provided by controllers and exercise their right to access laid out in Article 15 GDPR. At this point, it is clear that the judgement brings a clear improvement for data subjects. Whereas before, controllers were not obliged to provide information about the identities of recipients, and research has shown that they often do not, there is now a clear obligation to do so. This system of information provision, as outlined above, seems to place data subjects in a better position than prior to the judgement, because armed with knowledge about the identity of recipients, they can better assess the lawfulness of processing, exercise other rights, or seek remedies.
However, that might not prove to be the case since in practice, Article 15 GDPR requires an effort on the part of the data subject to submit an access request with a controller, await their response, and process the information, if received. Understandably, not many data subjects have the will or resources to submit access requests. Even when they do, some evidence suggests that controllers can take a long time to respond or do not respond at all, and that when they do, the information provided is too generic or there are other shortcomings. Much more empirical research is needed to understand the barriers data subjects face to meaningfully exercising their access rights. Until practical barriers are removed, we risk bolstering protections on paper while ignoring how practicalities can undermine the fundamental right to data protection. Therefore, to answer the question introduced at the beginning of this section, it seems that only those data subjects who will go through the trouble of making access requests, and to whom controllers will respond with the required information, will get to find out the identities of the recipients of their personal data. This is not to say that the Court’s interpretation of Article 15 is not a step in the right direction towards greater transparency, but that its Achilles’ heel might be the practical challenges surrounding the exercise of this right.
Second, when considering the data processing practices in the digital environment, the judgement yet again seems to lose some of its bite. It is by now well known that online platforms and websites process vast amounts of internet users’ personal data. Online websites and platforms are able to collect personal data from users, but also from non-users through cookies they place on other websites. They also receive personal data from third parties, and likewise share personal data with third parties. Finally, they are able to combine data from all these sources to use for various purposes, such as targeted advertising. As a result, today’s online environment is highly interconnected: website/platforms constantly share personal data with each other in a complex web of data flows that can be very hard to unravel by data subjects, despite the transparency requirements set out in Articles 13 and 14 GDPR. This is because by virtue of Article 13 controllers can limit themselves to giving information solely on the categories of recipients, and because few, if any, controllers inform data subjects when the data were obtained from third parties, as per Article 14. The question then is: can Article 15 help in this situation? Controllers faced with access requests, and in particular big tech companies, might seek to argue that one of the exceptions highlighted by the court applies. For instance, they can (and have argued) that it is impossible to disclose the identity of specific recipients because they are not yet known, since sharing is dependent on what the user does on the website/platform.
The extent to which the judgement brings data subjects any closer to finding out who the recipients of their personal data are in the online context depends on whether any given controller can rely on one of the two exceptions. If they can, data subjects are back to square one, armed only with information about categories of recipients. In light of the power imbalances between controllers and data subjects in the online environment, perhaps more is required to ensure that Article 15 can help tip the balance more in the data subject’s favour.
The ECJ’s ruling that individuals have the right to be provided with the identities of those who receive and process their personal data appears as a big win for data subjects. However, to obtain such information, data subjects have to go through the trouble of making access requests, waiting for responses, and processing the information, if it is received from the controller. In the online context this issue is compounded by the sheer number of controllers who process our personal data on a daily basis, the complex web of data flows generated, and ultimately the power imbalance between data subjects and controllers. In this context, controllers might be eager to argue one of the exceptions apply, meaning that in the end, we might not be so close to finding out who the recipients of our personal data are.