Episode 127: Rights Requests

Hosted by Jasmine Harrison, Phil Brining and Joe Kirk.

Unveiling the Power of Individual Rights Requests

Introduction: Welcome back to another engaging episode of the Data Protection Made Easy podcast hosted by Data Protection People. In this week’s session (Episode 127), our knowledgeable hosts Jasmine Harrison, Joe Kirk, and Philip Brining came together to share top tips and expert insights on individual rights requests beyond Subject Access Requests (SARs). We’ve covered SARs extensively in previous episodes, and now it’s time to explore the broader landscape of individual rights requests. But before diving into the main discussion, let’s catch up on some noteworthy news from the data protection world.

News of the week:

UK and US Commit to Establish a Data Bridge: The UK and the US have made significant progress towards establishing the UK Extension to the Data Privacy Framework, forming a “data bridge” between the two countries. This collaboration aims to remove the burden of costly contract clauses, ensuring the maintenance of protection and privacy standards.

EDPB Releases Guidelines on Administrative Fines Calculation: The European Data Protection Board (EDPB) has finalised its Guidelines on calculating administrative fines under the GDPR. These guidelines emphasise the importance of a human assessment based on relevant facts and circumstances, rather than relying on automatic calculations.

ICO Publishes Report on Neurotechnology: The ICO has recently published a report highlighting the rapid development of neurotechnology, which involves monitoring data directly from the brain and nervous system. While neurotech holds promising applications, the ICO raises concerns about potential bias and inaccurate data if not developed and tested across a wide range of individuals.

Dutch Regulator Requests Information from OpenAI: The Supervisory Authority in the Netherlands has sought clarification from OpenAI regarding the treatment of personal information in the context of generative artificial intelligence. The regulator aims to ensure organisations using AI technologies handle personal data appropriately.

Amazon Settles Child Privacy Violation Allegations: Amazon has agreed to pay $25 million to settle claims of violating children’s privacy rights with its Alexa voice assistant. The settlement addresses allegations of unlawfully retaining voice recordings collected by Alexa and using them to improve its algorithms without proper consent.

Japan Regulator Warns OpenAI on Sensitive Data Collection: Japan’s data protection regulator has cautioned OpenAI against collecting sensitive data without individuals’ permission, signaling potential consequences if actions are not taken to address this concern.

EDPS Criticises Frontex for Data Dumping: The European Data Protection Supervisor (EDPS) has criticised the European Border and Coast Guard Agency (Frontex) for automatically sharing migrant testimonies with Europol without assessing the strict necessity of such exchanges.

ICO Reprimands Thames Valley Police: The Information Commissioner’s Office (ICO) has reprimanded Thames Valley Police for disclosing details that allowed suspected criminals to discover the address of a witness. The ICO recommends improvements in training, policy updates, and continuous review of processes for handling personal data.

Main Session Highlights

During this week’s episode, our hosts explored a range of individual rights requests. Here are some key points discussed:

Right to be Informed: The ICO now provides guidance on privacy information when applying AI to personal data, emphasising transparency and upfront communication about processing purposes.

Subject Access Requests (SARs): SARs remain the most common rights request for data controllers, and we have covered this topic extensively in previous episodes.

Erasure Requests: When consent is wrongly relied upon, and an individual requests erasure, it is essential to choose the most appropriate lawful basis from the beginning. Exemptions may apply when there is a legal obligation or public interest involved.

Objecting to Direct Marketing: Objecting to direct marketing is an absolute right that individuals possess. The hosts also discussed objections related to legitimate interests and the importance of conducting balancing tests.

Denying Requests: Requests can be denied if they are manifestly unfounded or excessive. Additionally, denial may be appropriate when an exemption under Schedule 2 of the Data Protection Act 2018 applies.

Refusing Requests: When refusing to comply with a request, it is crucial to inform the individual of the reasons, their right to complain to the ICO, and their ability to seek enforcement through legal channels.

As the episode concluded, our hosts provided valuable insights into the process of responding to individual rights requests. They addressed common questions and challenges faced by organisations in fulfilling these requests effectively and in compliance with data protection regulations.

Be sure to listen to Episode 127 of the Data Protection Made Easy podcast for a more comprehensive understanding of individual rights requests and how to navigate this evolving landscape.

Remember, knowledge is power when it comes to data protection, and our commitment is to empower you, our valued listeners, with the latest insights and expert advice.

Stay tuned for our upcoming episodes, and thank you for being part of our engaged community.