The right of access, also referred to as right to access and (data) subject access, is one of the most fundamental rights in

data protection Data protection may refer to: * Information privacy, also known as data privacy * Data security {{Authority control ...

laws around the world. For instance, the United States, Singapore, Brazil, and countries in Europe have all developed laws that regulate access to personal data as privacy protection. The European Union states that: "The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures." This right is often implemented as a

Subject Access Request The Data Protection Act 1998 (c. 29) (DPA) was an act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Pro ...

(SAR) or Data Subject Access Request (DSAR).

United Nations

The aspirational Sustainable Development Goal 16, target 9, calls for the provision of legal identity for all human beings. "In the digital economy, this becomes the right to a digital identity." Such an identity could help in filing subject access requests.

Brazil

Brazil's General Data Protection Law (LGPD) is its first comprehensive data protection regulation. According to LGPD, subject access requests need to be fulfilled within 15 days.

European Union

The right of access is enshrined as part of the fundamental right to data protection in the

Charter of Fundamental Rights of the European Union The Charter of Fundamental Rights of the European Union (CFR) enshrines certain political, social, and economic rights for European Union (EU) citizens and residents into EU law. It was drafted by the European Convention and solemnly procla ...

. It is in fact the only one of the practical rights relating to personal data that is listed there. In the

GDPR The General Data Protection Regulation (Regulation (EU) 2016/679), abbreviated GDPR, is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of ...

, this right is defined in various sections of Article 15. There is also a right to access in the GDPR's partner legislation, the Data Protection Law Enforcement Directive. The

European Data Protection Board The European Data Protection Board (EDPB) is a European Union independent body with juridical personality whose purpose is to ensure consistent application of the General Data Protection Regulation (GDPR) and to promote cooperation among the EU� ...

(EDPB) has considered it "necessary to provide more precise guidance on how the right of access has to be implemented in different situations". When the EU Directive is transposed into Member State national law, the right of access may be suspended or restricted, as in the case of Germany in Article 34 of its

Bundesdatenschutzgesetz The German (BDSG) is a federal Information privacy, data protection act, that together with the data protection acts of the German States of Germany, federated states and other area-specific regulations, governs the exposure of personal data, wh ...

. Moreover, on the European level,

Europol Europol, officially the European Union Agency for Law Enforcement Cooperation, is the law enforcement agency of the European Union (EU). Established in 1998, it is based in The Hague, Netherlands, and serves as the central hub for coordinating c ...

offers a right of access.

Singapore

Personal data in

Singapore Singapore, officially the Republic of Singapore, is an island country and city-state in Southeast Asia. The country's territory comprises one main island, 63 satellite islands and islets, and one outlying islet. It is about one degree ...

is protected under the

Personal Data Protection Act 2012 The Personal Data Protection Act 2012 ("PDPA") sets out the law on data protection in Singapore. The PDPA regulates the processing of personal data in the private sector. Overview The PDPA establishes a general data protection regime, origina ...

(PDPA). The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. Access to personal data is laid out as part of Part IV, chapter 21 which states that on request of an individual, an organization shall, as soon as reasonably possible, provide the individual with:

United Kingdom

In the United Kingdom, the website of the

Information Commissioner's Office The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Science, Innovation and Technology. It is the independent regu ...

states regarding Subject Access Requests (SARs): Before the General Data Protection Regulation (GDPR) came into force on 25 May 2018, organizations could charge a specified fee for responding to a SAR, of up to £10 for most requests.

United States

Five

federal law Federal law is the body of law created by the federal government of a country. A federal government is formed when a country has a central government as well as regional governments, such as subnational states or provinces, each with constituti ...

s include a right of access to personal data: * FCRA

Fair Credit Reporting Act The Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 ''et seq.'', is federal legislation enacted to promote the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies. It was intended ...

, * FERPA

Family Educational Rights and Privacy Act The Family Educational Rights and Privacy Act of 1974 (FERPA or the Buckley Amendment) is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded ...

, * COPPA

Children's Online Privacy Protection Act The Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law The law of the United States comprises many levels of Codification (law), codified and uncodified forms of law, of which the supreme law is ...

, * HIPAA

Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Ted Kennedy, Kennedy–Nancy Kassebaum, Kassebaum Act) is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President ...

. *

Privacy Act of 1974 Privacy (, ) is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively. The domain of privacy partially overlaps with security, which can include the concepts of ...

. In addition, some state laws like the CCPA

California Consumer Privacy Act The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of the state of California in the United States. The bill was passed by the California State Legislature and si ...

have started to include this right.

EU–US data flows

Data flows between the EU and the US (or at least those going West, towards the US) are governed by the

EU–US Privacy Shield The EU–US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes was to enable US companies to more easily receive ...

. One of the Privacy Shield principles is the right of access. Indeed, it is most fundamental in enabling accountability mechanisms around personal data processing. This example demonstrates that a European-style conception of privacy does not necessarily have to be perceived by American actors as unduly imposing new restrictions on free speech by data subjects. This Privacy Shield practice also shows that the case of civilian data protection (as under GDPR) is quite different from the case of criminal investigation, where a right of access is exercised as a "data request" by a government, not an individual, as in the US Supreme Court case ''

Microsoft Corp. v. United States ''Microsoft Corp. v. United States'', known on appeal to the U.S. Supreme Court as ''United States v. Microsoft Corp.'', 584 U.S. ___, 138 S. Ct. 1186 (2018), was a data privacy case involving the extraterritoriality of law enforcement seek ...

''. The individual in criminal cases does maintain a right to know what data is being used about him/her, and of what crime he or she is accused.