The right of access to personal data is a newly established right that is slowly being extended to more and more individuals throughout the world as the Internet and mobile/digital services and platforms become increasingly common and important to everyday life. The right of access is now a fundamental right shared by citizens of many countries, and it has only become more firmly established in recent years as part of a growing global trend towards giving individuals and users of digital platforms and services the ability to control exactly how their personal data and information is used by digital companies, platforms and service providers. That right, however, is defined differently in different jurisdictions. The three largest and primary jurisdictions that have established data protection regimes are the United States, China and the European Union, and each provides a different scope of protection for individuals and their personal data. This article focuses on the right of access to personal data and information under the respective laws and regulations of those three jurisdictions: the United States, the European Union and China.
What Is The Right of Access to Personal Data Generally?
The right of access is a newly established right that has been enshrined in the large number of data protection laws passed and/or enacted by countries across the world in recent years. It means that data subjects have the right to know about and access the information held about them, and to ask how that information is held and used by the controller. It is based on the concept that even though a particular company, website or digital service provider may have collected certain information or data as someone viewed its website or used its services, that company does not ultimately own that data. It posits that individuals should have full control over not only the collection and use of their own personal data, but also the ability to access that information in order to be informed about exactly what is being collected when they visit a website, use a social media service or use another digital product or service.
Why Is The Right Of Access Important?
Many digital companies, including websites, Internet service providers, social media, e-commerce and other types of Internet and digital companies, increasingly rely on collecting, packaging and, in many cases, selling the personal data of their users, website visitors and consumers as part of their business model. The problem this creates for consumers is that the protection of the collection, storage and use of personal data, and the right to access it, is not uniform across the largest Internet markets in the world.
As an example of the tremendous amount of personal data that can be generated by a single user, some Facebook users have requested the personal data the social media company was keeping on them and then selling to advertisers. 1200 pages of data were provided by Facebook to one user who made a request for the personal information that the company was storing on him.
This example is simply indicative of why it is so important that there be reasonable safeguards on the generation, storage, collection and retention of user data by social media and digital services and companies of all kinds. Otherwise, users will find that 1200 pages' worth of their often sensitive personal data has been created, shared and then sold without their knowledge. Without reasonable safeguards, or at least the ability to know what information a service or website is collecting on its users or visitors, a user simply cannot make an educated decision as to whether they wish to continue using a service that is going to collect and then sell sensitive information about its users without their even knowing it.
What Is The Regulatory and Legal Framework Governing The Right of Access to Personal Data in the Largest Global Internet/Digital Markets?
The largest global Internet/digital markets have vastly different protections for users' personal data. An individual in the European Union, China or the United States may therefore have completely different rights as they relate to the personal data collected by a particular website or digital service provider.
In Europe, the data privacy and protection regime is known as the General Data Protection Regulation, or GDPR for short. Enacted in the past several years, the GDPR is the most wide-ranging and ambitious of the data protection and privacy regimes that exist at present. It provides European Union citizens with the right to obtain their personal information or data directly from any individual or entity that holds such information. Once a request is made, the person or entity that has collected and/or stored that data must provide a free copy of any and all personal data of the requesting individual that it has collected, stored or processed. Requests for personal information or data must be processed within a month of receipt, and the information and data ultimately provided must be clear, explicit and accessible.
The United States
The United States, despite being home to many of the largest, most innovative and most well-established Internet, e-commerce and other digital companies in the world, has one of the world’s least advanced regulatory schemes as it relates to the protection of personal data. There is no uniform federal scheme that applies across the entire United States for the storage, collection and reselling of user data or information by digital services, providers or platforms. For a country that claims to be the birthplace of the Internet, it is truly baffling that the United States does not have a single unified data protection regime. Nevertheless, as is the case in many areas, California has taken the lead in data protection among the U.S. states. Its regulatory scheme, which was recently passed and will go into effect in 2020, is known as the California Consumer Privacy Act (CCPA) and provides protections similar to the GDPR. For example, it will allow consumers to access their personal information in a “readily useable format,” including a consumer’s personal identifiers, geolocation, biometric data, Internet browsing history, psychometric data, and inferences a company might make about the consumer. Consumers will have the right to request not only this information but also the reasons why it was collected.
In China, the right of access is not regulated by law but by a national standard, the Personal Information Security Specification (PISS), which recommends that personal information controllers provide measures for a data subject to obtain a copy of his or her personal information from the data controller. Only four types of personal information are available to be disclosed to a person in accordance with this standard: basic personal information, personal identity information, personal health and biometric information, and personal education and work information. Under China’s policy, even though such standards may not be binding or subject to enforcement, compliance with them is highly recommended.
What Types of Data Can Be Requested?
Under the GDPR, citizens of European Union member states can request access to their personal information including:
- The purposes of processing that information;
- The categories of personal data processed by the particular person or entity;
- The recipients, or categories of recipients of that individual’s personal information;
- The period over which the individual’s information was collected, or, if determining this is not possible or feasible, how the length of this period would be determined;
- Any third-party sources from which the person or entity collecting the data gathers that data or information; and
- The automated decision-making policy that has been applied to that data or personal information, including profiling.
Under the CCPA, upon a request for personal information, businesses are required to provide the following information about the consumer’s data:
- Personal information it collects such as name, phone number, date of birth
- The specific pieces of personal information it has collected about the consumer
- The commercial purpose for collecting or selling personal information
- The categories of third parties with whom the business shares personal information
Furthermore, a consumer can also request access to any personal information or data that has been sold by, or disclosed for a commercial purpose by, the company from which the information or data is being requested.
As stated above, in accordance with China’s national standard, only four types of personal information are available to be disclosed to a person requesting his or her personal information from a person or entity:
- Basic personal information
- Personal identity information
- Personal health and biometric information
- Personal education and work information
Are There Limits to the Right to Request or Obtain Personal Data?
Each of the three jurisdictions whose data protection regimes are discussed herein places limits on the ability of those whose data is being collected to request that data. In most instances, restrictions exist where a request would interfere with some other, more pressing interest, such as matters of national security or defense or pending judicial proceedings. Therefore, the protections and rights provided by the various regulations and laws in
Article 23 of the GDPR explicitly provides that there are some restrictions to the right of access under that law. This right can be limited by European Union member states as long as they respect the GDPR and the fundamental rights and freedoms provided thereunder. One law that limits, to some degree, the rights more broadly provided under the GDPR is France’s brand new Informatique et Libertés law. This law, recently enacted in June 2019, sets out limitations on the rights of French citizens to request information that would otherwise be subject to the GDPR, including where complying with a request for personal data or information otherwise allowed by the GDPR would obstruct an investigation or otherwise interfere with administrative or judicial proceedings. The law also prevents requests that would interfere with matters of national security or defense.
The United States
The CCPA has certain exceptions, including where complying with the law would violate certain enumerated federal laws. It also does not restrict a business’s ability to collect, use, retain or sell consumer data that has had consumer identities stripped out or that is an aggregate of a large collection of data from numerous consumers.
Under the Chinese standard (PISS), a request for personal data can be refused by a person or entity subject to that country’s data protection laws and regulations in the following circumstances:
1) Where there is a direct relation between the request and some issue of national security or national defense;
2) Where there is a direct relation between the request and public safety, public health, or major public interests;
3) Where there is a direct relation between the request and criminal investigations, prosecutions, trials, or legal enforcement;
4) Where the entity or person to whom the request has been made has strong evidence showing that the person requesting his or her personal data is acting with malevolence or abusing his or her rights in making the request;
5) Where providing the requested information would cause serious harm to the rights and interests of other individuals or organizations;
6) Where the requested information involves commercial secrets.