EU: EDPB Guidelines on subject access requests – Intentionally disproportionate?

The European Data Protection Board has issued draft guidelines on subject access requests. Most of the guidance is sensible but there are some unpleasant surprises, including the assertion there is no proportionality limit on the effort needed to respond to a request.

Subject access requests

Subject access requests (DSARs) are an important part of the wider data protection framework and are recognised in Article 8 of the EU Charter of Fundamental Rights: “Everyone has the right of access to data which has been collected concerning him or her”. The right helps data subjects to verify the accuracy of any personal data held about them and the lawfulness of the processing of that data.

The substance of the right is set out in Articles 12 and 15 of the GDPR. Data subjects do not need a reason or justification to make a request and requests are free (unless manifestly unfounded or excessive). They are entitled to specific information about the processing of their personal data, such as details of the purposes of the processing and any retention period. Most importantly, data subjects are also entitled to a copy of the personal data being processed.

Key points in the guidance

The 60-page guidance covers a broad range of issues spanning the lifecycle of a subject access request. The key points are:

Receiving DSARs

  • The request does not need to be in any particular form and can be sent via any communication channel normally used by the controller. In contrast, requests sent to “random” addressees are not valid – the guidance gives the example of a DSAR sent to the cleaners at a gym as not being valid.
  • Controllers should verify the identity of the requestor but should not ask for additional personal data for this purpose unless necessary. In many cases, the existing processes to authenticate the individual can be used to verify the requestor’s identity. Copies of ID cards should only rarely be requested.
  • Requests can be made using third party portals but controllers should verify the portal has authority to act on behalf of the individual and might choose to disclose the relevant personal data directly to the individual.
  • Controllers should not ask “why” the request is being made. This is not relevant to its validity. For example, employees are entitled to make DSARs if dismissed by their employer.

Search process

  • The guidance confirms that unstructured electronic information, such as emails, CCTV and telephone recordings fall within the scope of the DSAR.
  • It also suggests there is no proportionality constraint on the effort needed to search for personal data. We consider this further below.
  • The one month period to respond runs from the date the request is received, not the date the controller takes notice of it. That period can be extended to three months in case of complex requests, but extensions should be the exception and the mere fact the request will take “great effort” is not necessarily sufficient.

Identifying personal data

  • The guidance largely relies on existing guidance to identify what constitutes personal data but envisages a broad approach. For example, the request could extend to CCTV or telephone recordings.
  • The request extends not only to data provided by the data subject and data observed about the data subject. It will also include data that is derived from that personal data and data inferred from other data. However, this does not mean one can obtain complete access to records. The guidance gives the example of a data subject requesting information about an IT incident – he/she might be entitled to the incident report to the extent it refers to that person, but not to the company’s wider knowledge database of IT problems.
  • The rights extend to personal data “concerning” the data subject. For example, where a data subject is subject to identity theft, they are entitled to details of the actions the fraudster carried out in their name.
  • The guidance confirms that the right is for access to personal data, not copies of documents, although in practice not providing copy documents may require careful extraction of personal data on a document-per-document basis.

Privacy notices

  • As part of the request, data subjects are entitled to a range of information about the processing, such as the purpose or retention period.
  • The guidance suggests that it may be possible to use a general privacy policy to provide this information, but in some cases more specific information might be needed – for example, naming individual recipients of the personal data. This appears akin to creating a tailored privacy notice for each DSAR and is not necessarily easy where significant quantities of personal data fall within the scope of the DSAR and have multiple different purposes, recipients, retention periods etc.

Scope of search and disproportionate effort

Often, the most difficult part of any subject access request is deciding on a reasonable scope for the search. For many large organisations, searching “everywhere” is impossible, particularly for unstructured electronic information (see below).

Specific exemptions

The guidance considers the specific exemptions or limits on the scope of any request and defines them all narrowly.

  • Location of personal data: The guidance recognises that where a controller processes large amounts of personal data, they can ask the data subject to specify the personal data they seek. However, if the data subject responds by saying they want “all” personal data the controller must provide that personal data “in full”.
  • Manifestly unfounded: This will apply where the request is clearly not for a proper purpose. This exception has “very limited scope” and would not apply to, for example, requests made using “improper language”.
  • Excessive: The fact a request requires “a vast amount of time and effort” to satisfy does not make it excessive. However, requests made with the “intent of causing damage or harm to the controller” might be excessive. Similarly, a request might be excessive if the individual offers to withdraw it in return for a benefit or if the request is repetitive. Controllers must be able to demonstrate that the request truly is excessive so should document that decision properly.
  • Rights and freedoms of others: The guidance recognises that personal data might not have to be provided where it could adversely affect the controller’s intellectual property rights or the privacy of other individuals. In these cases, the controller should redact the offending information rather than reject the request altogether. However, the guidance also suggests that not all rights and freedoms count and that the other “economical interests” of a company cannot be taken into account. It is not clear why other fundamental rights, for example the freedom to run a business under Article 16 of the EU Charter, should not be applied more broadly to require a fair balance between the DSAR right and the costs imposed on a controller.
  • National law: The guidance recognises that additional restrictions might apply under national law.

General proportionality

The guidance makes the bold assertion that beyond the above specific limitations there is no proportionality limitation on the search. In other words, if asked, a controller must search “throughout all IT systems and non-IT filing systems”. The guidance expressly acknowledges that the amount of data such a search may return is “very vast” (and where this is the case data subjects could be provided with that data in a layered format).

This is an ambitious position. The concept of proportionality has long been recognised by the CJEU as one of the general principles of EU law and is one of the few principles of EU law explicitly established in an EU act (see Art 5(4), TEU). The EDPB appears to defend its approach on the basis that the exceptions and limitations above are intended to be an exclusive list of exceptions to the DSAR rights. However, they are equally consistent with a recognition of the potentially broad and burdensome nature of DSARs and the need to comply with the general obligation to apply the law proportionately.

In practice – Unstructured electronic information

Whilst the subject access right sounds straightforward, it can be difficult to comply with in practice; especially where personal data is stored as unstructured electronic information, such as emails or word documents. Responding to broad requests from individuals for “all” personal data held about them in an unstructured electronic format can be very difficult, if not impossible. There are a number of reasons for this:

  • Volume. Some unstructured data sets are huge. Large organisations are likely to have hundreds of millions, if not billions, of emails. These are often not the product of lax data retention but rather the size of the organisation and the impact of regulatory record keeping obligations. Searching across such large data sets presents significant logistical challenges.
  • Back-up and archive. Data is likely to be stored in a number of different formats (for example, “live” data, back-ups and archived data). The guidance suggests that not only is archived data within the scope of any search, but that where “technically feasible” controllers would need to look at their back-ups for any data held on the back-up but not on the live system. Restoring back-ups is typically time consuming and expensive, and would rarely be a proportionate response to a search.
  • Lack of indexation. Another common problem with unstructured data is the difficulty of quickly and accurately identifying information about a particular individual. In a traditionally structured relational database each individual will normally have a unique identifier allowing rapid location and extraction of information about them. In contrast, individuals in unstructured data can be referred to in a number of ambiguous and duplicative ways. For example, emails about “Jean Pierre” might refer to him as “Jean”, “JP”, “Monsieur Pierre”, etc. Moreover, not every reference to “Monsieur Pierre” will be to the Jean Pierre who made the request.
  • Mixture of information. Finally, unstructured data normally contains a mixture of different types of information. Emails might contain information on a number of different topics or about a number of different individuals. This again adds to the difficulty of responding to subject access requests given the need to manually redact irrelevant or exempt information from any response (not least to protect the privacy of other individuals identified in that data).

This exercise can also only be completed through manual review. Keyword searches and deduplication technology can help reduce the burden of the review, but it is not possible to automate the assessment of whether the reference to “Monsieur Pierre” in an email is to the Jean Pierre who made the request, or whether the personal data of others wrapped into the email should be redacted.

Even where search criteria are applied (e.g. limiting the search to particular custodians or date ranges) this can still be a hugely expensive and burdensome exercise. We are aware of subject access requests generating material requiring in excess of 1,000 hours of manual review. In one documented case in the UK, the Nursing and Midwifery Council spent £240,000 responding to a subject access request. It is not clear if that was money well spent.

Enter the Court of Justice

The EDPB does not make the law; guidance is just guidance. It will therefore be interesting to see if the guidance is supported in the courts. There have been an increasing number of national court decisions and a number of cases are filtering up to the CJEU. These include:

  • Österreichische Datenschutzbehörde and CRIF (C-487/21) which will consider if the DSAR right applies to copies of documents or just an extract of the data within it;
  • Österreichische Post AG (C-154/21) which will address the obligation to disclose the recipients of personal data; and
  • Pankki (C-579/21) which will consider if log data is personal data that is responsive to a DSAR.

The UK

It is not clear that the EDPB’s draft guidelines will have much impact in the UK. While DSARs made in the UK have historically required broader and more burdensome searches than those made within the EU, the English courts acknowledge the law only requires a “reasonable and proportionate” search and does not impose “an obligation to leave no stone unturned” (Ittihadieh v 5-11 Cheyne Gardens [2017] EWCA Civ 121).

The general drift of UK law is also to a more business-friendly framework. The UK Government’s proposals to amend data protection laws (Data: a new direction) suggest that organisations could benefit from a costs ceiling when dealing with a DSAR (of perhaps £450 or £600) or that they would have a greater ability to treat requests as vexatious.

The UK Information Commissioner’s guidance that controllers “are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information” seems unlikely to need revision any time soon.

Conclusions

DSARs are a vital part of the data protection framework and are grounded in Article 8 of the EU Charter. However, to apply these rights without reference to either the general concept of proportionality or other fundamental rights, such as the right to run a business under Article 16 of the EU Charter, is difficult to justify and could impose very significant burdens on controllers. It will be interesting to see how this aspect of the guidance evolves through the consultation process.

The draft Guidelines 01/2022 on data subject rights - Right of access are available here. The consultation is open until 11 March 2022.