Childlike wonder (and the GDPR)

I’ll tell you what annoys me: those people who tell you to “see the world through the eyes of a child”. Show me the kid who’s paying bills and sleeping six hours a night whilst desperately trying to maintain some semblance of their own pre-parental identity.  Do they look filled with wonder at the beauty of the world?  Obvs not.  So absent all of those stresses, of course playing tag seems like the greatest thing ever.*

If you’re a controller that's subject to the GDPR, I’m guessing you don’t think much about playing tag.  That should probably start to change, following an opinion issued yesterday by ECJ advocate general Collins.  (Just so we’re clear, and you've no doubt figured it out already, but in order for the rest of this article to work we’re going to equate playing tag and a controller passing along a data subject’s GDPR rights request to other relevant third-party controllers.)

The case before AG Collins concerned a Belgian mobile telephone directory service that failed to address a data subject’s request for deletion of their data.  In a nutshell, the facts are as follows:

• Individual asks directory service to delete their information from the directory.
• Directory service updates its records to make clear that the information shouldn’t be made public.
• Directory service subsequently receives updated contact details from the individual's phone provider, but isn’t aware that those details shouldn’t be publicised, and so includes them in its directory.
• Directory service argues that it is merely a recipient to whom personal data have been disclosed, and so is not required to take reasonable steps to communicate requests to other controllers.
• Collins rejects the argument, saying that a regulator can rightly conclude that Articles 5(2) and 24 of the GDPR require a controller to inform other controllers of the individual’s rights request.

For many businesses, particularly those who don’t receive a high volume of data subject requests, dealing with the exercise of access, erasure or revocation rights can be time-consuming, confusing and stressful.  So it’s understandable that they may not also step back and consider whether the request needs to be passed on – to tag another controller, if you will.  

Although we need to wait until the ECJ issues its judgment on the case, it usually follows the AG's opinion, so it's likely that Collins's conclusion is going to stand. With that in mind, the next time you receive a GDPR rights request, try to see that request through the eyes of a data protection-savvy child and ask yourself whether there's anyone you need to tag. 

*Depending on where you grew up, you may know the game as “tig”, “tick”, “it” or one of many other names.