RESTRICTING THE RIGHT OF ACCESS TO PERSONAL DATA

2.3 Subject Access Requests

The Government are proposing to make it easier for organisations to deny subject access requests based on the motives of the individuals who submit them. Furthermore, they are proposing to introduce a fee regime under which individuals would need to pay to exercise their right of access to their personal data.

This choice would mark a fundamental departure from the principle that the exercise of data protection rights should in principle be free of charge. It would dissuade individuals from exercising their rights and lead to absurd consequences, such as irresponsible and malicious organisations making profits out of their victims’ fees.

Although these proposals will target everyone, they will disproportionately affect:

Our draft response to Section 2.3: Subject Access Requests

In our answer to Q2.3.1, we explain how:

  • There is no reliable evidence that organisations are being negatively impacted by subject access requests. Rather, there is overwhelming evidence that removing barriers to the right to access empowered individuals.
  • Whether an organisation can efficiently handle subject access requests or not depends on their own internal organisation. Shifting the impact of these decisions to individuals would be fundamentally unfair and prevaricating.

In our answer to Q2.3.2, we explain how:

  • The threshold to refuse a subject access request must be high, as it is meant to protect individuals from unfair or arbitrary rejections.
  • There is no reliable evidence that the threshold is exposing responsible organisations to vexatious requests.

In our answer to Q2.3.3, we explain how:

  • Introducing a cost limit for subject access requests would incentivise inefficiency and reward irresponsible or malicious data uses with the right to remain opaque and avoid scrutiny.

In our answer to Q2.3.4, we explain how:

  • Nominal fees for subject access requests have already proven to constitute a barrier to the exercise of data rights.
  • Nominal fees for subject access requests would allow irresponsible and malicious organisations to collect fees against the victims of their own abuses.

The government is considering whether to introduce a fee regime (similar to that in the Freedom of Information Act 2000, which provides for access to information held by public bodies) for access to personal data held by all data controllers (not just public bodies).

Q2.3.1. Please share your views on the extent to which organisations find subject access requests time-consuming or costly to process.

Subject access requests are, to no extent, a time-consuming or costly process. Internal business decisions determine the costs involved in answering subject access requests. Shifting the impact of these decisions, and of the inefficiencies resulting from unfair or opaque business practices, onto individuals and their data rights would be abusive and fundamentally unfair.

Q2.3.1a. Please provide supporting evidence where possible, including: What characteristics of the subject access requests might generate or elevate costs; Whether vexatious subject access requests and/or repeat subject access requests from the same requester play a role; Whether it is clear what kind of information does and does not fall within scope when responding to a subject access request

Firstly, the right of access enshrined in the UK GDPR was introduced by the EU GDPR in 27 other EU Member States. The European Commission ran a review of the EU data protection framework’s impact and found no evidence of the right of access being too burdensome or costly for organisations. On the contrary, evidence shows that removing barriers to the right of access empowered individuals to control their data (see Q2.3.2).[1]

Secondly, organisations should collect the minimum amount of data necessary to accomplish their tasks, according to the principles of data minimisation and privacy by design and by default. Collecting too much data, which turns out to be a burden, reveals their negligence rather than the “burdensome” nature of subject access requests.

Thirdly, whether answering a subject access request is time-consuming and costly ultimately depends on internal management. Organisations may put efficient internal structures and processes into place; they may rely on technologies that allow individuals to exercise their rights autonomously (such as web interfaces through which to access, rectify and delete personal data); they may employ reliable contractors (processors) which use data fairly and transparently. Organisations may also choose otherwise, either because they are irresponsible or because they are negligent. Shifting the impact of these decisions to individuals and their data rights would be fundamentally unfair and prevaricating.

Q2.3.2. To what extent do you agree with the following statement: ‘The ‘manifestly unfounded’ threshold to refuse a subject access request is too high’?

We strongly disagree with the statement that “The ‘manifestly unfounded’ threshold to refuse a subject access request is too high” (Q2.3.2). The threshold to refuse a subject access request must be high, as it is meant to protect individuals from unfair or arbitrary interpretations that would undermine their data rights. Furthermore, there is no reliable evidence that the threshold is exposing responsible organisations to vexatious requests.

Q2.3.2a. Please explain your answer, providing supporting evidence where possible, including on what, if any, measures would make it easier to assess an appropriate threshold.

The “manifestly unfounded” threshold to refuse a subject access request must be high. Individuals must be enabled to freely enquire about what data an organisation is storing about them and for what reasons.

We stress that Government concerns that an organisation “cannot consider the purpose of a subject access request unless it seems apparent that the request is manifestly unfounded” are inappropriate. Subject access requests are not meant to put individuals and their motives under scrutiny, but to promote transparency and accountability for organisations and their data practices. Allowing organisations to investigate one’s motives would strip subject access requests of their function, violate the privacy of the individuals, and expose them to arbitrary refusals or other threatening behaviours.

Furthermore, the same “manifestly unfounded” threshold for rejecting subject access requests was introduced in 27 EU Member States. Three years after the GDPR came into force, there is absolutely no evidence of vexatious requests being enabled by this threshold. On the contrary, a review run by the European Commission in 2020 found that removing barriers to the right of access has proven to empower individuals to control their data.[2]

It follows that responsible businesses will obviously find this threshold to be appropriate. On the other hand, irresponsible and malicious organisations will naturally try to discredit a legal tool that is holding them to account.

For further reference, in our answer to Q2.3.4 we explain how subject access requests have been a fundamental tool to uncover malpractices and hold organisations to account.

Q2.3.3. To what extent do you agree that introducing a cost limit and amending the threshold for response, akin to the Freedom of Information regime (detailed in the section on subject access requests), would help to alleviate potential costs (time and resource) in responding to these requests?

We strongly disagree “that introducing a cost limit and amending the threshold for response, would help to alleviate potential costs in responding to these requests” (Q2.3.3). Introducing a cost limit for subject access requests would incentivise inefficiency and reward irresponsible data uses with the right to remain opaque and avoid scrutiny.

Q2.3.3a. Please explain your answer, and provide supporting evidence where possible, including on: Which safeguards should apply (such as mirroring Section 16 of the Freedom of Information Act (for public bodies) to help data subjects by providing advice and assistance to avoid discrimination); What a reasonable cost limit would look like, and whether a different (i.e. sliding scale) threshold depending on the size (based on number of employees and/or turnover, for example) would be advantageous

The same considerations we made for Q2.3.1 are valid:

  • Evidence shows otherwise: there is no need to alleviate costs for answering subject access requests, but there is overwhelming evidence about the empowering effect of the right of access on individuals’ data rights.
  • It is very easy for responsible organisations to empower individuals to access their data efficiently or even autonomously.
  • Organisations are free to choose other, less effective ways of enabling access to the data they store. However, they must not be allowed to shift the impact of their decisions on the rights and freedom of individuals.

Furthermore, allowing organisations to reject subject access requests, wholly or partially, based on their own efficiency would incentivise organisations to artificially inflate the costs of answering subject access requests to evade their responsibilities toward individuals. Instead of promoting the responsible use of data, this regime would be an open invitation to abuse personal data on a large scale to inflate costs, reach the cost limit, and refuse the request.

Q2.3.4. To what extent do you agree with the following statement: ‘There is a case for re-introducing a small nominal fee for processing subject access requests (akin to the approach in the Data Protection Act 1998)’?

We strongly disagree that “There is a case for re-introducing a small nominal fee for processing subject access requests” (Q2.3.4). The imposition of nominal fees for processing subject access requests provided under the Data Protection Act 1998 has proven to be a failed approach to protecting individuals’ rights. Imposing subject access fees is a measure that would only protect crooks and irresponsible businesses from the individuals seeking to exercise their rights or obtain remedies.

Q2.3.4a. Please explain your answer, and provide supporting evidence where possible, including what a reasonable level of the fee would be, and which safeguards should apply.

Fees for processing subject access requests have already proven to be a failure. The impact assessment that accompanied the proposal for a General Data Protection Regulation found that “In some Member States, data controllers are allowed to demand a fee to access their data”. It continues by stressing that “individuals that asked data controllers for access to the data stored about them […] received no or unsatisfactory responses”. Together with other shortcomings, nominal fees were contributing “to individuals’ perception that their rights are not effectively guaranteed”.[3] Thus, the provision that “actions in response to the data subject’s requests should be in principle free of charge” was enshrined in the GDPR in response to the hindrance that the imposition of nominal fees (among other issues) constituted to the effective exercise of data rights by individuals.

Further, the fact that introducing fees would severely restrict the right of access to personal data is acknowledged by the Government at §188, where it states:

The government recognises that this proposal may impact persons less able to express themselves due to age or disability by resulting in their requests being erroneously treated as ‘disproportionate’ or ‘vexatious’ but this may be mitigated by the fact that a third party can raise a subject access request on their behalf.

Implying that undue restrictions of essential data rights could be resolved by a good samaritan submitting access requests on behalf of the elderly and disabled is not only unsound and beside the point. It is outrageous and profoundly disrespectful.

Re-introducing nominal fees will favour irresponsible and malicious organisations. It would have a noticeable chilling effect on individuals’ exercise of their rights, and lead to absurd and morally bankrupt consequences for the individuals involved. This is even more evident if we look at how subject access requests have been used in practice, and the impact that nominal fees would have on these scenarios.

  • Uber drivers have been using subject access requests to gather evidence of unfair dismissals[4] or racist accusations of fraud.[5] Imposing a nominal fee would constitute a major barrier to workers whose salary is far from generous. Uber, instead, would be profiting from collecting fees that workers would have to pay to protect themselves from Uber’s own unfair employment practices.
  • Workers at Ola, a gig-economy company, have been using subject access requests to uncover wage theft.[6] Imposing a fee on workers fighting against wage theft is absurd, and it is deplorable. Further, it creates a situation where victims lose either way — by having their wages stolen or by paying a subject access fee to the thief.
  • Gambling companies have been profiling problem gamblers, using this information to fuel their addiction and hook them on gambling apps. Victims have been using subject access requests to unveil these predatory practices.[7] Asking problem gamblers to pay a nominal fee to defend themselves from this kind of abuse would allow gambling companies to make profits by collecting fees from their victims.
  • Public interest organisations have been using subject access requests to hold organisations to account and expose malpractices. Imposing nominal fees would significantly increase costs and reduce the effectiveness of these methods. Likewise, it would allow irresponsible and malicious businesses to collect these fees and profit from the attempts to hold them accountable for their malpractices.
  • Journalists have been using subject access requests to conduct investigations. Imposing nominal fees would have severe chilling effects on the freedom of the press.

Finally, organisations had a dismal track record in answering subject access requests before the UK GDPR was introduced.[8] The harmful, absurd, and morally bankrupt consequences outlined in the examples above are not a problem of good or bad apples, but reveal a systemic issue. Organisations will naturally interpret these requirements in a manner that favours their interests. Irresponsible and malicious ones will find this a highly attractive proposal, as it opens the floodgates to abuses of any kind. Responsible businesses, instead, will gain no benefit whatsoever, as:

  • Responsible businesses are already able to answer subject access requests quickly and efficiently;
  • Responsible businesses will pay the price of growing distrust against the digital economy.

[1] COM(2020) 264 final, Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation. Available at: https://ec.europa.eu/info/sites/default/files/1_en_act_part1_v6_1.pdf

[2] COM(2020) 264 final, Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation. Available at: https://ec.europa.eu/info/sites/default/files/1_en_act_part1_v6_1.pdf

[3] SEC(2012) 72 final, Commission Staff Working Paper, Impact Assessment, Accompanying the document: Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) etc. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012SC0072

[4] ADCU, Dutch & UK courts order Uber to reinstate ‘robo-fired’ drivers and pay compensation. Available at: https://www.adcu.org.uk/news-posts/uber-to-reinstate-robo-fired-drivers-and-pay-compensation

[5] ADCU, ADCU initiates legal action against Uber’s workplace use of racially discriminatory facial recognition systems. Available at: https://www.adcu.org.uk/news-posts/adcu-initiates-legal-action-against-ubers-workplace-use-of-racially-discriminatory-facial-recognition-systems

[6] ADCU, Gig economy workers score historic digital rights victory against Uber and Ola Cabs. Available at: https://www.adcu.org.uk/news-posts/gig-economy-workers-score-historic-digital-rights-victory-against-uber-and-ola-cabs

[7] The New York Times, What a Gambling App Knows About You. Available at: https://www.nytimes.com/2021/03/24/technology/gambling-apps-tracking-sky-bet.html

[8] SEC(2012) 72 final, Commission Staff Working Paper, Impact Assessment, Accompanying the document: Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) etc. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012SC0072