Data subject rights constitute critical tools for empowerment in the digitized society. There is a growing trend of relying on third parties to facilitate or coordinate the collective exercises of data rights, on behalf of one or more data subjects. This contribution refers to these parties as ‘Data Rights Intermediaries’ (DRIs), ie where an ‘intermediating’ party facilitates or enables the collective exercise of data rights. The exercise of data rights by these DRIs on behalf of the data subjects can only be effectuated with the help of mandates. Data rights mandates are not expressly framed in the GDPR and their delineation can be ambiguous. It is important to highlight that data rights are mandatable, without this affecting their inalienability in light of their fundamental rights’ nature. This article argues that contract law and fiduciary duties both have longstanding traditions and robust norms in many jurisdictions, all of which can be explored towards shaping the appropriate environment to regulate data rights mandates in particular. The key in unlocking the full potential of data rights mandates can already be found in existing civil law constructs, whose diversity reveals the need for solidifying the responsibility and accountability of mandated DRIs. The continued adherence to fundamental contract law principles will have to be complemented by a robust framework of institutional safeguards. The need for such safeguards stems from the vulnerable position of data subjects, both vis-à-vis DRIs as well as data controllers.
The authors argue
The vicious circle of rapid technological and economic developments, and exponential data production, brings about countless social, legal, and ethical concerns. Many of these concerns can be traced back to the significant information and power asymmetries that characterize today’s political economy of data. Transparency asymmetries result from the size and complexity of data infrastructures as well as engineered opaqueness by those who control the infrastructures. Power asymmetries result from the ability to exploit these data infrastructures in light of strong (commercial/political) imperatives at the expense of individuals, communities, and/or society at large.
Data rights are emerging as an emancipatory legal tool to challenge these asymmetries, empowering people to render visible data infrastructures and govern the use of their data. They feature in a growing number of legal frameworks, in Europe and elsewhere. Indeed, we can observe a proliferation of data rights in recent EU policymaking, either reinforcing or introducing new legal mechanisms to mitigate information/power asymmetries in the data economy. As (EU) policymakers are gradually catching up with the digital transformation of society, we also anticipate future legal frameworks will increasingly include data rights in specific contexts. For the time being, the most important legal source for data rights is chapter III of the General Data Protection Regulation (GDPR). The ‘rights of the data subject’ in this chapter are intent-agnostic and can be deployed in many different ways in order to safeguard countless interests, rights, or freedoms.
While underused for many years, recent initiatives have demonstrated the value of data rights in a variety of contexts; from invoking the rights of access, portability and not to be subject to automated decision-making to obtain better working conditions, to reverse engineering discriminatory credit scoring algorithms, or enabling academic research using digital trace data. As these examples illustrate, data rights should not be seen as (just) individualistic legal tools; they hold significant potential for tackling systemic data-driven injustices at a collective level.
Despite the growing availability and awareness of data rights, important questions remain as to their functionality and effectiveness. Systemic transparency problems—resulting from the size and complexity of data infrastructures as well as engineered opaqueness by those who control those infrastructures—thwart fair and lawful data processing, proper enforcement, and effective exercises of data rights. Additionally, rights holders often lack the (technical, legal, financial) capacity, time, or knowledge to effectively deploy their rights.
In light of the above, there is a growing trend of relying on a third party to facilitate or coordinate the (collective) exercises of data rights, on behalf of one or more data subjects. Within the context of this article, we term these intermediating parties ‘data rights intermediaries’ (DRI). We define data rights intermediation broadly, as situations where an ‘intermediating’ party facilitates or enables the (collective) exercise of data rights. Importantly, for our purposes here, DRIs should be clearly distinguished from data intermediaries. The concept of the data intermediary is used in a wide variety of contexts, generally to refer to organizations that capitalize on pooling data in one way or another. DRIs do not necessarily valorize any (personal) data, but simply assist in the (collective) exercise of data rights, whether it be the right to object, erasure, portability, or indeed access personal data.
Data rights intermediation in general can range from simply making templates available to the public for anyone to use, to more organized initiatives like data trusts, which involve an active role of the intermediating parties in data governance. A central question in many of these initiatives is whether data subjects can effectively mandate the respective data rights to a third party. For the purposes of this article, we use the term ‘mandate’ to refer to situations where a data subject assigns to another party the power to bring a legal action or exercise a right on the subject’s behalf.
Under what conditions can data rights be lawfully exercised by someone other than the data subject, on behalf of one or more data subjects? As a key source of data rights, the GDPR is essentially silent about whether intermediating parties can exercise data rights on behalf of the data subject. That is to say, the GDPR neither rejects nor explicitly condones data rights to be exercised by an intermediating party. Having said that, the GDPR does recognize the ability of data subjects to have specific types of organizations represent them to obtain remedies for GDPR violations, if such representation is recognized in Member State law. The role of such representatives is also acknowledged in relation to data protection impact assessments, where controllers are encouraged to ‘seek the views of data subjects or their representatives [emphasis added] on the intended processing.’ In this context, it is also worth mentioning that the Court of Justice of the European Union (CJEU) recently clarified that Article 80(2) of the GDPR does not preclude national legislation that allows a consumer protection association to bring legal proceedings in the absence of a mandate conferred on it for that purpose (and independently of the infringement of specific rights of a data subject), by alleging infringement of the prohibition of unfair commercial practices, consumer protection legislation or the prohibition of the use of invalid general terms and conditions. Important as it is, the latter ruling still leaves open the question of whether—and under what conditions—the data subject rights granted by chapter III GDPR can be mandated to a DRI.
As will become more apparent throughout this article, there are many different understandings of the term ‘mandate’ both in normative descriptions and in case law. Because of the contrasting legal histories behind its uses in different jurisdictions, the concept of ‘mandate’ suffers from a significant degree of ambiguity. Yet its use in the GDPR, recent case law, and EU policy initiatives has made it a salient and increasingly important concept in a data protection context. This article addresses the sources of this conceptual confusion to highlight the practical significance of mandates if data protection regimes are to take on board both the relational (hence collective) dimension of personal data and the fundamental (hence inalienable) underpinnings of data rights.