A recent case brought before a court in Amsterdam has given us the opportunity to call into question the right of access to personal data regulated by art. 15 of the General Data Protection Regulation (GDPR) and in particular certain aspects related to the difficulties that may be caused to a data controller, in certain situations, by the data subjects’ exercising this right.
Thus, on 11 March 2021, the court in question settled a dispute (link here) between the company owning the rights to operate the UBER application (‘UBER’) and several collaborating drivers of UBER in the jurisdiction in question who had previously requested access to their personal data processed by UBER and, dissatisfied with the response received from UBER, applied to the court.
The case is interesting in that it calls into question (and concludes, though not necessarily in a manner consistent with previous cases) a number of issues related, inter alia, to the scope of the right of access to personal data that needs to be considered by a controller and equally so by an employer in its relationship with its employees, when managing the response to such requests so as to avoid an additional exposure / liability.
A. Several issues raised into question in the UBER case mentioned above
1. According to the facts presented in this case, the data subjects exercised their right of access not only to consult their personal data processed by UBER, but also to use such information to negotiate their collaboration agreement with UBER. Invoking point 63 under the GDPR Recital, the court held that, as long as the right of access was exercised for the data subject “to be aware of, and verify, the lawfulness of the processing”, the request for access was not abusive and was within the limits of the law, even if it had been submitted for other, additional purposes. We should note that in a ruling rendered by an English court (link here), a data subject who had a collateral purpose, i.e., to use new information and documents in a dispute with the controller, was considered to have exercised the right of access beyond the legal limits. However, it is important to note that the circumstances of this latter decision also presupposed that the data subject had repeatedly and excessively filed requests for access.
2. The above-mentioned UBER case also confirmed that a data controller is entitled to ask the data subject to clearly indicate the personal data to which the request for access refers to, in order to limit the response if the request so filed by the data subject allows it.
3. However, the essence of the case in question appears to be the extent to which the opinions of and about employees (of other employees, such as for instance evaluators, examiners) can be considered as personal data and therefore whether or not they may be subject to requests for access to data as per art. 15 of the GDPR. The court in question held that opinions do not represent personal data as they cannot be verified and, consequently, a data subject may not exercise his/her rights to verify their accuracy, rectify, or delete them. By contrast, facts (which opinions are based on) represent personal data.
4. Thus, the court dismissed the complaint filed by the collaborating drivers regarding the opinions recorded by UBER employees in certain notes about such complaining drivers. This ruling is in line with another one, also rendered by a court in Amsterdam (link here), in which the court ruled that the internal notes of some employees, which would include thoughts / opinions intended for internal use and deliberation, do not constitute/represent personal data[i].
5. However, quite contradictorily, in the UBER case the court ruled that the evaluations / feedback expressed by users represent personal data. Moreover, the solution in the UBER case also appears to contradict the conclusions of the Court of Justice of the European Union (CJEU) in case C‑434/16 (“NOWAK case”) (link here), where the court ruled that “the written answers submitted at a professional examination and any comments of the examiner with respect to those answers constitute a candidate’s personal data to which he has, in principle, a right of access”.
6. In arguing this position, the CJUE states 43 The content of those comments reflects the opinion or the assessment of the examiner of the individual performance of the candidate in the examination, particularly of his or her knowledge and competences in the field concerned. The purpose of those comments is, moreover, precisely to record the evaluation by the examiner of the candidate’s performance, and those comments are liable to have effects for the candidate, as stated in paragraph 39 of this judgment.
44 The finding that the comments of the examiner with respect to the answers submitted by the candidate at the examination constitute information which, by reason of its content, purpose or effect, is linked to that candidate is not called into question by the fact that those comments also constitute information relating to the examiner.”
Moreover, in the NOWAK case, the CJUE holds (our emphasis) 34 The use of the expression ‘any information’ in the definition of the concept of ‘personal data’, within Article 2(a) of Directive 95/46, reflects the aim of the EU legislature to assign a wide scope to that concept, which is not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject.
35 As regards the latter condition, it is satisfied where the information, by reason of its content, purpose or effect, is linked to a particular person”.
7. In fact, in line with the NOWAK case, a German court (link here) held that an individual who sat for an examination has the right to receive a copy of the examination taken, and also a copy of the examiner’s report on the performance of the individual in question. Another court in the Netherlands (link here) held that the data subject has the right to access the personal data contained in internal notes and communications between the employees of two public authorities. The internal notes in question referred to assessments made by civil servants about the process of social reintegration (after a conviction) of the data subject, but also more special aspects, such as notes on non-verbal language, tone of voice, personality and mental state of the data subject.
B. Other aspects concerning the right of access to personal data invoked in other cases or in assessments of regulatory authorities
8. In its response to a request for access to data, the Controller must inform the data subjects whether it has transferred their personal data to other entities and to whom, even if at the time of the request for access it no longer has the personal data in question (the data retention period having ended) (link here).
9. The right of access to personal data must be exercised in good faith and the abuse of rights must be sanctioned. Thus, the UK regulatory authority in the matter noted that a request for the exercise of the right of access may be abusive when it is clear that the data subject does not intend to exercise the right for the purpose for which it was granted (for example, the intention to withdraw the request in exchange for a benefit) or when the real purpose of the request is to harass the controller concerned or a person working with the controller.
10. Another limitation on the right of access was also indicated in a case in the United Kingdom, where the court held that it was disproportionate for the controller to check digital back-ups and storage spaces used by the data subject in the past (former employee), as such research poses a significant risk of disclosing the personal data of other data subjects (link here). Along the same line, a Belgian court held that the data subject’s access to the emails he received while working for the controller would infringe the rights of other individuals (for example, other recipients or senders of those e-mails) (link here).
11. With regard to IP addresses, a court in the Hague held that if a person has to make excessive efforts to corroborate IP addresses with other information to identify a data subject, then the IP addresses are not personal data (link here).
The situations above are just a selection of issues that may prove difficult in resolving a request for access to personal data. The careful analysis of requests so as to exclude or minimize both the risk of sanctions for non-compliance with the right of access to personal data and the risk of other exposures generated by the disclosure of excess information is of vital importance. This is proven by the very multitude of situations that have come before the courts, abounding in diversity.
[i] The two decisions of the Dutch courts seem to somewhat come close to the interpretation given by the Court of Justice of the European Union (“CJEU”) in joined cases C ‑ 141/12 and C ‑ 372/12 (“YS Case”) link here, where CJUE held that “data relating to an applicant for a residence permit contained in an administrative document, such as the ‘minute’ at issue in the main proceedings, setting out the grounds that the case officer puts forward in support of the draft decision which he is responsible for drawing up in the context of the procedure prior to the adoption of a decision concerning the application for such a permit and, where relevant, the data in the legal analysis contained in that document, are ‘personal data’ within the meaning of that provision, whereas, by contrast, that analysis cannot in itself be so classified.”
Thus, according to the YS Case, it would appear that information in the form of opinions (value judgments) does not fall into the personal data category (at least not if the opinion in question does not directly concern a person). However, the analogy between the UBER case and the YS case might not be highly relevant, as the YS case takes into consideration opinions in the form of legal analyses, and not necessarily opinions about people. Rather, a legal analysis represents a personal data insofar as it characterizes the person who expressed / performed the legal analysis in question.