Subject Access Request
   HOME

TheInfoList



OR:

The right of access, also referred to as right to access and (data) subject access, is one of the most fundamental rights in
data protection Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data pr ...
laws around the world. For instance, the United States, Singapore, Brazil, and countries in Europe have all developed laws that regulate access to personal data as privacy protection. The European Union states that: "The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures." This right is often operationalized as a Subject Access Request.


European Union

The right of access is enshrined as part of the fundamental right to data protection in the
Charter of Fundamental Rights of the European Union The Charter of Fundamental Rights of the European Union (CFR) enshrines certain political, social, and economic rights for European Union (EU) citizens and residents into EU law. It was drafted by the European Convention and solemnly proclai ...
. It is in fact the only one of the practical rights relating to personal data that is listed there. In the
GDPR The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy in the EU and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in parti ...
, this right is defined in various sections of Article 15. There is also a right to access in the GDPR's partner legislation, the Data Protection Law Enforcement Directive. The European Data Protection Board (EDPB) has considered it "necessary to provide more precise guidance on how the right of access has to be implemented in different situations". When the EU Directive is transposed into Member State national law, the right of access may be suspended or restricted, as in the case of Germany in Article 34 of its Bundesdatenschutzgesetz. Moreover, on the European level, Europol offers a right of access.


United Kingdom

In the United Kingdom, the website of the
Information Commissioner's Office The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). It is the independe ...
states regarding Subject Access Requests (SARs): "''You have the right to find out if an organization is using or storing your personal data. This is called the right of access. You exercise this right by asking for a copy of the data, which is commonly known as making a ‘subject access request.''" Before the General Data Protection Regulation (GDPR) came into force on 25 May 2018, organizations could charge a specified fee for responding to a SAR, of up to £10 for most requests. Following the GDPR: "''A copy of your personal data should be provided free in a commonly used and machine readable format. An organization may charge for additional copies. It can only charge a fee if it thinks the request is ‘manifestly unfounded or excessive’. If so, it may ask for a reasonable fee for administrative costs associated with the request''."


Singapore

Personal data in
Singapore Singapore (), officially the Republic of Singapore, is a sovereign island country and city-state in maritime Southeast Asia. It lies about one degree of latitude () north of the equator, off the southern tip of the Malay Peninsula, bor ...
is protected under the Personal Data Protection Act 2012 (PDPA). The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. Access to personal data is laid out as part of Part IV, chapter 21 which states that on request of an individual, an organization shall, as soon as reasonably possible, provide the individual with: * (a) personal data about the individual that is in the possession or under the control of the organization; and * (b) information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the organization within a year before the date of the request


United States

Five
federal law Federal law is the body of law created by the federal government of a country. A federal government is formed when a group of political units, such as states or provinces join in a federation, delegating their individual sovereignty and many po ...
s include a right of access to personal data: * FCRA
Fair Credit Reporting Act The Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 ''et seq'', is U.S. Federal Government legislation enacted to promote the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies. It ...
, * FERPA
Family Educational Rights and Privacy Act The Family Educational Rights and Privacy Act of 1974 (FERPA or the Buckley Amendment) is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded e ...
, * COPPA
Children's Online Privacy Protection Act The Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law, located at (). The act, effective April 21, 2000, applies to the online collection of personal information by persons or entities under U.S. juri ...
, * HIPAA
Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy– Kassebaum Act) is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1 ...
. *
Privacy Act of 1974 The Privacy Act of 1974 (, ), a United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintaine ...
. In addition, some state laws like the CCPA
California Consumer Privacy Act The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law by Je ...
have started to include this right.


Brazil

According to the Brazilian General Data Protection Law, Subject Access Requests need to be fulfilled within 15 days.


Transatlantic data flows

Transatlantic data flows (or at least those going West, towards the US) are governed by the
EU–US Privacy Shield The EU–US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes was to enable US companies to more easily receive ...
. One of the Privacy Shield principles is the right of access. Indeed, it is most fundamental in enabling accountability mechanisms around personal data processing. This example demonstrates that a European-style conception of privacy does not necessarily have to be perceived by American actors as unduly imposing new restrictions on free speech by data subjects. This Privacy Shield practice also shows that the case of civilian data protection (as under GDPR) is quite different from the case of criminal investigation, where a right of access is exercised as a "data request" by a government, not an individual, as in the US Supreme Court case Microsoft Corp. v. United States. The individual in criminal cases does maintain a right to know what data is being used about him/her, and of what crime s/he is accused.


United Nations

The aspirational Sustainable Development Goal 16, target 9, calls for the provision of legal identity for all human beings. "In the digital economy, this becomes the right to a digital identity." Such an identity could help in filing Subject Access Requests.


See also

* Max Schrems#Complaints with the Irish Data Protection Commissioner 2011 *
Facebook–Cambridge Analytica data scandal In the 2010s, personal data belonging to millions of Facebook users was collected without their consent by British consulting firm Cambridge Analytica, predominantly to be used for political advertising. The data was collected through an app ca ...
*
Data access Data access is a generic term referring to a process which has both an IT-specific meaning and other connotations involving access rights in a broader legal and/or political sense. In the former it typically refers to software and activities relat ...
* Microsoft Corp. v. United States


References

{{Reflist


Further reading

* Norris, Clive, Antonella Galetta, Paul de Hert, and Xavier L'Hoiry. 2016. The Unaccountable State of Surveillance: Exercising Access Rights in Europe (book). * Ausloos, Jef, René Mahieu, Michael Veale. 2019. Getting Data Subject Rights Right: A submission to the European Data Protection Board from international data rights academics, to inform regulatory guidance, 40 pages , doi=10.31228/osf.io/e2thg , * Mahieu, René, Jef Ausloos. 2020. Recognising and Enabling the Collective Dimension of the GDPR and the Right of Access. LawArXiv. July 2. doi:10.31228/osf.io/b5dwm Digital rights Access to Knowledge movement