Abstract

This article explores the significance of access to data under the General Data Protection Regulation (GDPR). Specifically, the definition of ‘processing’ in the GDPR does not explicitly include access as one of the examples of processing, but access may nonetheless fit the definition of processing. Some scholars have suggested that access to data generally ought to be viewed as processing, and others have suggested conversely that it ought not to be viewed as processing. The present enquiry explores these and other positions, their merits and weaknesses. Determining the status of access is important in practice. There are many instances in which people and organizations have or grant access, or may actually access data, and a determination that this is a form of processing governed by data protection law will have significant ramifications. Some commonplace examples may elucidate the significance of the enquiry. Many organizations today have cloud-based servers and document management systems, such as SharePoint, Google Drive or Dropbox. If I invite you to share a file or folder containing personal data on Dropbox, for example, I have not sent you the data, I have merely granted you access to it. Have you now become a processor of that data? Likewise, suppose I call Dell to get support for my laptop; I grant the technician remote access to my laptop and she quickly fixes the problem. Has she, and by extension Dell, become a processor of the data on my laptop? These and many more examples highlight the need for clarity on the question of the role of access in data protection law.
