The right to rectification and the right of access were (and still are) guaranteed under the Charter of Fundamental of the European Union. Art. 8(2), “Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. “ The Charter has applied to the EU since the entry into force of the Lisbon Treaty on 1 December 2009 and so it predates the GDPR. It was Art.16 of The Treaty on the Functioning of the European Union (TFEU) which imposed the specific obligation on the EU legislature to actually make data protection rules, and it was this that eventually led to the GDPR.
Art.16 GDPR sets out in stronger and clearer language the right to rectification. It is a right that is wisely read in conjunction with the principle of accuracy under Art. 5(1) (d) of the GDPR. As an individual data protection principle, the principle of accuracy stands alone only in the text itself. It is intertwined with all the other principles to form a greater whole. Article 5(1)(d) states that personal data shall be, “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are process, are erased or rectified without delay ( ‘accuracy’)”. Let us remember that Art. 15, the right of access, is often the starting point for other requests. For example, it is this same article that facilitates other rights, because it gives the data subject the right to obtain confirmation on whether his or her data are being processed in the first place. If in fact personal data are being processed, then the data subject can have inaccurate data rectified or have incomplete data made complete. Sometimes this is best achieved, and facilitated, by means of a short supplementary statement. Therefore, Art.15 can work in two ways: 1) by completing incomplete data; 2) by rectifying inaccurate data. In the case of Max Schrems, ( Case C-362/14) ( 16 Oct.2015), one of the defects identified by the CJEU was that there “was no means of enabling the data concerning the data subject to be accessed and, as the case may be, rectified or erased”( At para.90). The starting point is again, the knowledge that personal data are being processed in the first place.
Under the old Data Protection Acts (‘the acts) many complaints were received and processed concerning the right to rectification and the right to erasure of inaccurate data. Not many cases have come up for scrutiny since the introduction of GDPR, but future case types will likely mirror some from the pre-GDPR days. Sometimes looking back can act as an accurate guide to what may occur in the future. Below are some interesting cases that contain scenarios and circumstances that could resurface. They will give a taste of the substance of the right.
EMI Records v The Data Protection Commissioner [2012] IEHC 264
This case was a leading case on the processing of inaccurate personal data and went to court under the old acts.
Brief Facts: Eircom a telecommunications provider had been operating a scheme whereby recording companies were detecting on the internet those who were uploading their copyrighted music and video. The recording company passed on the information consisting of copyright title, time and temporary IPM address to Eircom. Eircom then wrote to their subscribers reminding them that downloading copyrighted material was in breach of their subscriber contract. Those who continued illegally downloading would have to find a new telecommunications provider as Eircom would no longer provide internet service.
In October 2010 Eircom forgot to change the clocks to reflect new wintertime. As a result, it wrongfully identified some people as illegally downloading, when they were not. The DPC issued an enforcement notice at the time directing that it cease its activities. The case gives a sense of what might be viewed as inaccurate processing of personal data. In this instance , the practice ceased. This was despite the fact the judge in the High Court found the enforcement notice from the DPC contained ‘no reasons whatsoever’, and ruled it invalid.
Smeaton v Equifax plc [2013] EWCA Civ 108 (20 Feb. 2013)
This case throws up some interesting issues and perspectives on the concept of accuracy. The defendant was a UK credit registry whose database indicated the plaintiff was subject to a bankruptcy order. In fact, the order had been made originally at first instance, but stayed upon appeal, and then rescinded. The plaintiff claimed for losses and damages resulting from the inaccuracy. Initially, the claim was successful but overturned on appeal.
What makes the case unusual is that the plaintiff had acted as a lay litigant in challenging the bankruptcy order. Generally, in cases such as this a solicitor would represent the litigant and inform the credit registry the client had been discharged. Smeaton’s argument was that Equifax should have been aware of the discharge, notwithstanding his self-representation. Again, it has to be stressed that this was an unusual case and decided on its own particular facts. The Court recognised that the old English Data Protection Act 1988 did, “not impose an absolute and unqualified obligation on Credit Reporting Agencies to ensure the entire accuracy of the data they maintain. Questions of reasonableness arise”.
An important consideration when questioning certain rights, if not all rights, under the GDPR is to realise that the extent of a right, and the degree to which it may be vindicated, may in the more contentious case go all the way to the final arbiter, the CJEU. Proportionality and the balancing of rights are paramount under EU law. It is only when it reaches this forum that jurisprudential reasoning truly asserts itself. The CJEU will define the parameters and specific meanings of words in the legislative text. Even though Smeaton v Equifax goes back to 2013, it is still good authority for the proposition that controllers are not under an absolute duty to ensure the accuracy of their data.
There have been 30 cases cited in the first annual report of the DPC since the introduction of GDPR in relation to the right to rectification in the first annual report of the DPC since the introduction of the GDPR, available here.
Case Study 3/2018.
Again this is one of the recent cases from the DPC Annual Report 2018 that highlights the close relationship between the accuracy principle and the Right to Rectification. The DPC received a complaint from a Ryanair customer whose webchat details were erroneously sent to another Ryanair web chat user. Of course, issues of integrity and confidentiality come into play also. On the date in question, the data processor received requests from four Ryanair customers for transcripts of their web-chats, all of which were processed by the same agent. However, the agent did not correctly change the recipient email address when sending each transcript so that they were sent to the wrong recipients. Included among the recommendations was one that recipient e-mails should be changed to ensure accuracy and using the autofill function in their software with extreme caution. Ryanair subsequently informed the DPC that their autofill function in their live web chat system had been disabled by their data processor.
Perhaps it is due to the nature of the business, and a strong desire for expediency, that credit reference agencies have historically been disproportionately involved in breaches, compared to other businesses. We can look at a few of the more interesting ones.
Case Study 2/1997
This complaint was received concerning the combination of data about two different people into the database of a credit reference agency. Human error was at fault, as the two individuals lived in the same area and had the same names. At the time, the credit reference agency had a policy of matching up similar data. A particular financial institution was supplying personal data to the agency, but between the two records became intermingled. The DPC upheld the complaint.
Case Study 6/1999.
A principle seldom becomes obsolete unless legislative action deems it so. At issue here was an issue that remains a problem in the context of personal data processing. The complainant had repaid a loan, but the credit reference agency’s files showed the loan as a default. For clarity, we are still talking here about provisions under the ‘old acts’, but as was found in this case, not keeping records “up to date” is a breach under the GDPR.
Case Study 8/1997
A credit reference agency’s records showed that the complainant had had a loan written off. That was correct. It also stated that litigation was pending for the non-payment of the loan. This part of the record was incorrect. No action was pending. As a result of the investigation, the DPC found the record held, “was inaccurate in stating that litigation was pending”. This case shows that even though the agency had some factually correct personal data, and few would advance monies to the complainant on the basis of the default, there was an inaccuracy in their records.
Case Study 6/1999
Inaccurate credit rating assessments of a complainant gave rise to this case. Three loans had been taken out by the defendant and all three had been fully paid off. However, the agency wrongly recorded one as still outstanding. What was stated by the DPC remains true, and it is that there is a “clear and active obligation on data controllers to ensure that data is kept accurate and up to date”. The concept of ‘reasonableness’, referred to above in Smeaton v Equifax, is an abiding concept.
Case Study 12/2009.
Here the results of a paternity test, a very sensitive issue, were sent to the wrong address. They were read by the complainant’s neighbour who now knew that his neighbour was not the father of child X.
Case Study 18/2009
What happened here was that a court summons was incorrectly served. It was served to the wrong person. As far as I remember, this was another that ended up at a neighbour’s house. Something most of us would naturally prefer not to happen.
Recently, (30th April 2019), The DPC issued an examination of the right to rectification complaints and it is accessible here. At its core is an attempt to clarify aspects of the right to rectification. As we mentioned above, there is a strong relationship between the right to rectification and the principle of accuracy. What the DPC notes is that ” Individuals have a right to rectification of their personal data under data protection legislation. What the right to rectification means in practice will depend on the circumstances of each case and the Data Protection Commission (DPC) examines each case that comes before it on its individual merits.” In practice, this means that all data controllers will be required to take all reasonable steps to ensure the accuracy of the personal data, taking account of the circumstance of the processing, the nature of the personal data and in particular, the purposes for which they are processed.
“In respect of complaints received by the DPC in relation to the recording of a name without diacritical marks, e.g. the síneadh fada in the Irish language, consideration has to be given, in light of Article 5(1)(d) and Article 16 GDPR, to whether the recording of a name without diacritical marks is deemed to be inaccurate, having regard to the purposes for which the data (in this case, a data subject’s name) are processed”. This is a reference to the Ciarán Ó Cofaigh case reported in the Irish Times here. What if a John Coyle ( with excellent credit rating) had credit record details that identified him as a John Boyle with poor credit rating? Is there really a difference between a mistaken letter in a person’s name and a missing fada, especially where the omission or the mistake can result in a detriment to the data subject? ( Or in this case, is it discrimination against a Gaeilgeoir?) Your name is either correct or not correct, and this is not a hair-splitting exercise. Simple mistakes happen, but they must be rectified and made accurate before there is a detriment to the data subject.
“In a related context, the European Court of Human Rights has concluded that the omission of diacritical marks from a person’s name in certain official documents did not entail a breach of the right to private and family life guaranteed under Article 8 of the European Convention on Human Rights: see, for example, Šiškins and Šiškina v Latvia (Application no. 59727/00, 8 November 2001).” Expect more related cases, but under the GDPR these will be going to the CJEU.
Patrick Rowland, GDPRXpert. ie
Data Protection Consultants, GDPRXpert, based in Carlow/Kilkenny and Mayo, provide a nationwide service.
Visit www.gdprxpert.ie to learn more.