The right of access to personal data looks set to be a key focus area for data protection regulators for 2024 in both the EU and the UK. The European Data Protection Board (EDPB) announced that its 2024 co-ordinated enforcement action will look at how controllers implement the right of access to personal data (https://edpb.europa.eu/news/news/2023/edpb-picks-topic-2024-coordinated-action_en). In the UK, data subject access requests (DSARs) remain a priority for the Information Commissioner's Office (https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/10/john-edwards-delivers-uk-finance-keynote-speech/).

Historically, there have been differences in how controllers in different European countries handle DSARs. However, alongside the enhanced regulatory focus in this area, recent European Court of Justice (ECJ) case law has indicated that the right of access should not always be interpreted as restrictively as it has been previously.

Historic differences in interpretation

Article 15 of the General Data Protection Regulation (679/2016/EU) (GDPR) (Article 15) provides data subjects with the right to obtain confirmation from the data controller on whether their personal data is being processed. If it is, the data subject is entitled to information about the processing, including the purpose of the processing and categories of personal data that are being processed. The controller must also provide a copy of the personal data that is being processed.

Taking a restrictive view, the right to obtain a copy of personal data does not necessarily give data subjects the right to copies of documents that contain their personal data. In some EU jurisdictions, until recently, practices had reflected this more restrictive view. In response to a DSAR, data subjects would sometimes just be provided with a summary of their personal data, rather than copies of any documents.

However, the EDPB's guidelines on the right of access emphasise the need to provide access to personal data and not just a general description or description of the categories (https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en).

Some jurisdictions, including the UK, have followed this more extensive view for some time. Indeed, in the UK, data subjects are often provided with copies of documents (including emails), the nature and volume of which goes far beyond what controllers in other European jurisdictions have historically provided.

Challenge to the restrictive view

Two cases handed down in 2023 looked at the right of data subjects to obtain copies of documents.

In one, the ECJ found that a controller's obligation to provide a copy of the personal data undergoing processing means that the data subject must be given a "faithful and intelligible reproduction of all those data" (FF v Österreichische Datenschutzbehörde and CRIF GmbH C-487/21). Copies of extracts, entire documents and extracts from databases should be provided if the provision of that copy is essential to enable the data subject to effectively exercise their rights under Article 15(3). CRIF has the potential to expand the scope of the right of access, but much will depend on regulators' and courts' interpretation of when the provision of copies is essential.

In the second, FT v DW, the ECJ clarified that, in the context of a doctor-patient relationship, a patient had a right to obtain a complete copy of the documents in their file (C-307/22).

National legislation could not require the data subject to pay the costs of obtaining a copy to protect the controller's interest. The ECJ also considered the extent to which the right of access applied even where the request was made for reasons other than those listed in recital 63 to the GDPR (recital 63): that is, becoming aware of, and verifying, the lawfulness of a controller's data processing. In FT, the data subject sought access to their data in order to bring a claim against the controller. The ECJ found that the controller's obligation to provide the data subject with a copy of the data, free of charge, applied even where the request was not made for the reasons listed in recital 63.

Two additional ECJ judgments in 2023 looked at the right of access. In RW v Österreichische Post AG, the ECJ found that where personal data has been, or will be, disclosed to third parties, the identity of the recipients must be disclosed to the data subject on request (C-154/21). Indicating the categories of recipient will be sufficient only where the actual recipients are impossible to identify or the controller can demonstrate that the DSAR is manifestly unfounded or excessive. In JM v Pankki S, the ECJ held that data subjects are entitled to obtain information about the dates and purposes of the consultation of their personal data by third parties (C-579/21). They are not entitled to information relating to the identity of the employees who carried out the consultation under the controller's authority, unless that information is essential to effectively exercise their rights when balanced with the employees' rights and freedoms.

Likely impact of ECJ rulings

In Germany, the impact of these ECJ decisions on regulatory practice is likely to be significant. Certain German data protection authorities have often adopted a more restrictive position when responding to DSARs and considered the structured compilation of personal data to be sufficient. However, the content and scope of the right to a copy continues to be contested in the courts. There has also been some support among the German courts, in particular the Higher Regional Courts and the German Federal Courts, for a more expansive interpretation on how to respond to DSARs. CRIF and FT may lead to this more extensive view being applied more frequently.

Interestingly, and connected to the possible broadening in approach to responding to DSARs, Germany looks set to expand the list of exemptions that allow controllers to refuse to provide information in response to a DSAR. New proposed wording for the Federal Data Protection Act provides an exception if the fulfilment of a DSAR results in the disclosure of business or trade secrets of the controller or a third party, and if the interest in confidentiality overrides the data subject's interest. The criteria for overriding confidentiality interests are not yet clear, but such an exemption would nevertheless be welcome among controllers.

In the Netherlands, the Dutch Data Protection Authority's (DPA) position allows for situations where the provision of copies might not be required. Its guidance, which has been updated following CRIF, requires controllers to provide copies of all documents containing the data subject's personal data where those documents are indispensable for them to be able to understand properly the context in which the data was processed. However, the guidance adds that, in most cases, entire documents are not necessary for this purpose and a complete overview of the data will suffice instead. The DPA has published an example overview document for organisations to follow, which indicates that information such as the document, date, processing purpose, personal data, origin, recipient(s) and retention period ought to be provided. A similar approach was also confirmed in a recent Court of Amsterdam case (ECLI:NL:RBAMS:2023:5815, Rechtbank Amsterdam, 22/4916 (rechtspraak.nl)).

In terms of the purpose of the request, the DPA has also recently confirmed in its guidance that, in its view, organisations are not obliged to provide copies of documents if the data subject is trying to gather information to substantiate a complaint or objection, or to initiate proceedings. Recent Dutch case law has established that controllers can assume that the right of access is being abused where it is used solely for a purpose other than checking whether personal data was processed correctly and lawfully. Organisations seeking to invoke this defence bear the burden of proof and it is high. The impact of FT in this area remains to be seen.

In France, the decision in June 2023 of the Commission Nationale de l'Informatique et des Libertés (CNIL) against online advertising specialist CRITEO stressed the need for the controller to provide not only the personal data that was requested but also explanations as to how to read the data or document in order to make the information provided intelligible. It also highlighted the need for controllers to provide complete information. A stricter position on providing copies is generally an established norm in France, but the burden on controllers has increased in recent years due to requests becoming more frequent.

Direction of travel in the UK

ECJ judgments are not binding in the UK. However, practice in the UK has generally been to provide data subjects with copies of documents.

The Data Protection and Digital Information Bill, currently making its way through Parliament, is set to make some changes in this area (see News brief "New Data Protection and Digital Information Bill: what's changing?", www.practicallaw.com/w-038-9581). With the aim of alleviating organisations' capacity constraints when responding to DSARs, the government is proposing to amend the threshold at which controllers can refuse to respond to a request or charge a reasonable fee. The current threshold of "manifestly unfounded or excessive" is set to be amended to "vexatious or excessive" to align with the Freedom of Information Act 2000. The impact of this change is unclear at this stage.

Key takeaways for controllers

At present, the impact of the CRIF and FT v DW cases remains to be seen. The EDPB's 2024 focus on DSARs and its 2022 guidelines suggest that EU regulators will be focused on ensuring that data subjects are able to exercise their right to access in a meaningful way. This is likely to remain a regulatory concern in the UK too, despite the proposed legislation changes.

Support from the courts and regulators in Germany and the Netherlands on the broader view on responding to DSARs has been mixed, although a stricter position seems to be taken by the CNIL in France. Currently, many EU jurisdictions do not have the sorts of exemptions to the right of access that exist under the UK's Data Protection Act 2018 and it is not yet clear how far the general and limited exemptions in the GDPR will be interpreted to enable the withholding or redaction of information in response to a DSAR. This will no doubt be of some concern if the approach to DSARs in the EU becomes closer to the UK position.

While there may be uncertainty on how far an extensive application of the right will be required in future, controllers can continue to set themselves up for success in responding to requests by focusing on processes. Maintaining processes and systems to identify and escalate requests, searching the appropriate systems, collating information and providing a response within the time limit can be challenging. However, with data subjects becoming increasingly aware of their right to access, the effort expended in this area will be valuable.
