One of the GDPR’s main objectives is to increase transparency in Big Data. Subsequently, controllers are required to reveal more details of their data processing operations.
Information rights as individual rights
Information rights as stipulated in articles 12 to 14 of the GDPR are part of the chapter on the rights of data subjects. They also come first in the GDPR’s order, before rights such as the right to be forgotten and the right to data portability. In emphasising these rights, the policymaker is focusing on individuals: they must be empowered to decide freely on the fate of their data. For individuals to make an informed decision on whether to enforce their rights, information on the processing operations must primarily be made transparent. It is therefore justified that the information rights represent the first pillar of the individuals’ rights.
Information rights’ wide scope
Information rights apply to different data processing scenarios, be it in Big Data or Small Data: privacy policies on websites, data protection information for online-competitions, and information for employees on data processing at their workplace. All of this information must comply with the stipulations of the GDPR.
There is a distinction, however, in the material scope regarding the source of the data: if the controller receives data directly from an individual, Article 13 of the GDPR applies. If the data is sourced from a third person, the controller must abide by the stipulations of Article 14 of the GDPR. These provisions are more or less similar. However, the controller must indicate the source of the data if he has acquired it from a third person.
Contents of information rights
The stipulations on information rights contain detailed catalogues on the information that must be made available. This information includes the identity and the contact details of the controller, the contact details of the data protection officer, as well as the purposes of the processing operations. Moreover, the controller must indicate the recipients of the data, and the period of time for which the data will be stored. Other information concerns a potential cross-border data transfer, and how the data is safeguarded during the transfer.
A novelty is that information must be made available on individuals’ rights, such as the right of access, the right to correction and deletion, and the right of withdrawal. In addition, the controller must indicate that individuals are entitled to lodge a complaint with a supervisory authority. In another deviation from the current legal framework, controllers will also have to indicate the legal basis for their processing operations. If a controller wants to base processing activities on a “legitimate interest”, he must explain this interest. Furthermore, if the personal data of an individual is to be processed for a purpose other than the reason for its original collection, the controller must give details of that other purpose. Finally, controllers must indicate if automated decision-making or profiling is taking place.
Enforcement of information rights
The GDPR applies from 25 May 2018. The sharp sword of the GDPR’s fining system has become one of its most famous (and infamous) parts. There are also severe consequences in case of breaches of the information rights: potential fines can reach as high as EUR 20,000,000 or 4% of the total worldwide annual turnover. Thus, the GDPR is reinvigorating the importance of the information rights.
Transparency or “information overload“
Transparency is crucial in data protection law. Nevertheless, information rights are being criticised for their complexity. According to critics, individuals might get lost in a flood of information. In the worst-case scenario, they may not be able to recognise and enforce their rights because of the deluge of information.
The GDPR offers a counter measure for potential information overload: it is the controller’s obligation to provide concise information in clear and plain language. In practice, drafting of condensed information will be of pivotal importance.
