Also available in Dutch / Nederlands

Summary

Researchers from the University of Amsterdam and Utrecht University are urging the cabinet to vote against the European Omnibus Act, as it will severely restrict the fundamental right to access personal data (Article 8(2) EU Charter). Although the European Commission states that the law preserves the GDPR and is innovation-friendly, the new wording of Article 12(5) of the GDPR will seriously undermine the right to access data.

While people can currently request access to their data without specific reason, under the guise of simplifying legislation and preventing abuse of the right to access data, this will soon only be permitted for specific data protection purposes, such as correction or deletion. Importantly, this also precludes scientific research.

Why is the Right of Access Important?

As more and more information about people is stored in databases, a growing number of people are exercising their right of access for individual or broader societal goals.

By exercising their right of access, employees have gained insight into their worked hours and successfully demonstrated in legal proceedings that overtime was not paid. In the “Schufa” case, an organization used data obtained from access requests to demonstrate that a credit rating agency discriminated on prohibited grounds when assigning a credit score.

Research participants voluntarily donate personal data they received after an access request to scientists for various research purposes, for instance, to research the influence of social media on child well-being, AI use, the dissemination of digital health data, or the manipulation of democratic processes in social media campaigns during election campaigns.

What is at Stake?

Access requests are not purpose-specific. The Court of Justice of the European Union has confirmed this repeatedly. The Omnibus Act will henceforth only permit access requests if the request serves a data protection purpose, such as rectification, erasure, or objection. If the Act is adopted with this purpose requirement, scientific research will no longer be a purpose.

Furthermore, the Omnibus Act will make it easier for a data controller to reject a request by invoking an incompatible purpose or “reasonable suspicion of excessiveness.” However, the Commission has not provided evidence that the right of access is currently being abused. The proposed restriction therefore lacks necessity and proportionality and will weaken the GDPR.

The Omnibus not only violates the fundamental right to access under Article 8(2) of the EU Charter of Fundamental Rights; it also depletes a now widely used and irreplaceable source of information for scientific research. There is a significant risk that a data controller may reject a request for access if it exposes sensitive information, if it might cause reputational damage, or is time-consuming and/or expensive. Furthermore, the Omnibus impedes the academic freedom of scientific research as enshrined in Article 13 of the EU Charter of Fundamental Rights.

Conclusion

The Omnibus Regulation should focus on genuine, demonstrable problems such as clarification, simplification, and increasing consistency in digital legislation, and should leave Article 12(5) GDPR as it currently stands, so as not to interfere with the constitutional right of access. The objectives of the GDPR must not be weakened. The Omnibus Regulation undeniably weakens the GDPR with regard to the right of access.