Conclusions: Striving for Data Subject Control within and beyond Data Subject Rights

Chapter 9 is a concluding section of the book. It takes a look at the rights from the perspective of effectiveness and analyses them in a more structured manner by utilising a framework of data protection principles from Article 5 of the GDPR. The analysis shows that data subjects’ control rights are sometimes ineffective. However, this part of data protection law must be, nonetheless, maintained, because it not only serves the objective of control but has other objectives too. To mitigate the ineffectiveness, some alterative measures are considered, for example technological solutions and legal mechanisms outside of data protection law. The chapter refers to these alternatives as ‘a holistic approach to control’.

The Right of Access under EU Data Protection Law

Chapter 5 focuses on Article 15 of the GDPR and explains the scope of the information that can be accessed under the right. The chapter then discusses the importance of the interface to submit data subject access requests. The core part of Chapter 5 is the analysis of the regulatory boundaries of the right of access and various avenues to limit the right, for instance, a conflict with the rights of another individual. Finally, the chapter illustrates how the right of access is applied in the data-driven economy by applying it to three different contexts: shared data, anonymised/pseudonymised data, and automated decision-making.

Data Portability as a Data Subject Right

Chapter 7 analyses the right to data portability set out in Article 20 of the GDPR. It first provides an overview of several commercial and regulatory initiatives that preceded the GDPR version of the right to personal data portability. Next, it explores the language of Article 20 to demonstrate the effects of the narrow scope of the right. The chapter then shows how data portability interacts with other data subject rights, particularly with the right to access and the right to be forgotten, before it describes manifestations of data portability in legal areas outside of the data protection law. Finally, the chapter explores the specific objective of the right to data portability under the GDPR as an enabler of data subjects’ control.

The Right to Be Forgotten

Chapter 6 explores the theoretical, normative, and practical aspects of the right to be forgotten (erasure) as set out in Article 17 of the GDPR along with some related mechanisms that also facilitate online ‘forgetting’. It is argued that control is the underlying notion of the right, closely related to both data subjects’ privacy and their autonomy. After providing a summary of the relevant case law which preceded the GDPR, the chapter thoroughly analyses Article 17 which lays out the current version of the right to erasure along with implementation details and exceptions. The chapter also lists a few technical and other measures that can be used as alternatives for the right to erasure in new (AI) environments.

Control as a Central Notion in the Discussion on Data Subject Rights

Chapter 3 establishes a bridge between (a) the general overview of the data-driven economy and the pertaining legal framework, and (b) the specific analysis of data subject control rights. Individual control represents a central notion in philosophical discussions related to people’s autonomy and freedom. In a similar manner, individual control over data plays an important role in the provisions of primary and secondary EU (data protection) law, and has two facets: the normative, meaning that control links back to the values that underpin the entire legal field; and the instrumental, which materialises through the provisions on data subject rights. Despite being a central notion in data protection law, individual control faces many challenges which are rooted in the specific characteristics of the data-driven economy.

The Right to Information

Chapter 4 addresses the right to information, the cornerstone of the system of control rights under the GDPR and the ePrivacy Directive. The types of information that are likely to provide data subjects the most relevant information about data processing in the context of the data-driven economy are analysed more thoroughly, e.g., the information about the legal basis for data processing, the information about the sources of data, and the details on automated decision-making. The chapter investigates the right to explanation and icons which seem to offer a new, promising option to exercise more control over modern data flows. In the ePrivacy area, the right to information plays an increasingly important role in regulating the use of cookies and similar tracking technologies. The chapter acknowledges that, despite some novel steps in the GDPR, entitlements that the law affords are undermined due to three groups of factors: psychological, technological, and economic.

Introduction

Chapter 1 begins with an introductory section on the data-driven economy and the risks this new type of economy imposes on individuals to provide readers with some necessary background information. It further explains how the regulator responded to the changes in the developing data economy, emphasising the importance of data subject rights within the updated regulatory framework. Subsequently, the chapter clarifies that the aim of this book is to provide a thorough analysis of data subject rights, with a particular concern for their application in the data-driven environments. The chapter also introduces three key concepts that will be used throughout the book: data subjects, data subject (control) rights, and the data-driven economy, as well as delineating the scope of the book and outlining its structure.

Safeguarding Individuals in the Data-driven Economy—EU Data Protection Framework in a Nutshell

Chapter 2 shows that EU law protects individuals and their data through several provisions of primary and secondary law, which, in many aspects, complement each other. EU primary law refers to the body of treaties which represent the agreement of the EU Member States and form the foundation of the EU. EU secondary law is a specific manifestation of more general fundamental principles of EU law. It comprises unilateral acts such as regulations and directives that enable the EU to exercise its powers. Recognising that the body of law that adds to individual protection in the big-data age has been evolving, the chapter provides an analysis of the most relevant parts of the primary and secondary legislation.

Data Subject Rights in Relation to Profiling

Chapter 8 focuses on the provisions of Articles 21 and 22 of the GDPR in relation to profiling. The chapter first provides the reader with the essential context on profiling as a building block of the data economy. It then discusses how the GDPR tackles the risks of profiling, providing a legal analysis of the right to object and the right not to be subject to automated decision-making. These two rights, together with the right to information and access to the extent that they refer to automated decision-making, form a cluster of rights that can be referred to as a ‘choice architecture for data subjects’ and can be particularly useful to control profiling.