The recently ended IRISS (Increasing Resilience in Surveillance Societies) international research project, in which the Eötvös Károly Institute was the Hungarian partner institution, issued a Policy Brief and sent it to competent leaders of the ongoing European data protection reform and national data protection authorities. The Policy Brief contains recommendations aimed at strengthening subject access rights, and was drafted on the basis of the findings of the empirical research conducted by IRISS researchers in ten European countries in 2013-2014.
The empirical study on the exercise of subject access rights was a priority research area in IRISS. In the course of the study researchers investigated over 300 public and private organizations and submitted 184 subject access requests for their own personal data. Although there have been positive examples and best practices in every country, the overall picture is warning. The right of access to personal data is the basis of exercising other data protection rights (because, if one cannot discover what is held about oneself by whom, it is not possible to exercise the remainder of these rights), still citizens face significant obstacles when trying to learn their personal data and the fate of these data. The obstacles originate from three main causes: the inconsistent implementation of the current European Data Protection Directive into national laws, the specificities of national regulation – e.g. the necessity to provide motivated requests – and the incomprehensive, restrictive or dismissive practices of data controllers.
For the betterment of the situation the research consortium drafted concrete recommendations to the Council of the EU and the European Parliament. The Policy Brief containing the recommendations has been submitted to the decision-makers of the ongoing European data protection reform and to other organizations concerned.
The findings of the research were not surprising for the European data protection authorities, since IRISS researchers organized a roundtable discussion for them at the annual Computers, Privacy and Data Protection (CPDP) conference earlier this year, where representatives of six national data protection authorities, including the Hungarian authority, participated and commented the international findings and their respective detailed country reports. Representatives of the Hungarian authority could learn the research results of the Hungarian study even earlier: in November 2014 the Eötvös Károly Institute organized a workshop titled “Can’t I have what is about me? The subject’s rights and chances to learn his/her personal data” for Hungarian data controller organizations involved in the study, where the representative of the authority also participated. In addition, the leaders of the Hungarian study thoroughly informed the president of the authority about the findings of the research in writing.
The Policy Brief can be downloaded from the IRISS homepage.