Tag Archives: right to be forgotten

Brief case-law companion for the GDPR professional

This collection of quotes from relevant case-law has been compiled with the purpose of being useful to all those working with EU data protection law. The majority of the selected findings are part of a “Countdown to the GDPR” I conducted on social media, one month before the Regulation became applicable, under #KnowYourCaseLaw. This exercise was prompted by a couple of reasons.

First, data protection in the EU is much older and wider than the General Data Protection Regulation (GDPR) and it has already invited the highest Courts in Europe to weigh in on the protection of this right. Knowing what those Courts have said is essential.

Data protection law in the EU is not only a matter of pure EU law, but also a matter of protecting human rights following the legal framework of the Council of Europe (starting with Article 8 of the European Convention on Human Rights – ‘ECHR’). The interplay between these two legal regimes is very important, given the fact that the EU recognizes fundamental rights protected by the ECHR as general principles of EU law – see Article 6(3) TEU.

Finally, knowing relevant case-law makes the difference between a good privacy professional and a great one.

What to expect

This is not a comprehensive collection of case-law and it does not provide background for the cases it addresses. The Handbook of data protection law, edition 2018, is a great resource if this is what you are looking for.

This is a collection of specific findings of the Court of Justice of the EU (CJEU), the European Court of Human Rights (ECtHR) and one bonus finding of the German Constitutional Court. There are certainly other interesting findings that have not been included here (how about an “Encyclopedia of interesting findings” for the next project?). The ones that have been included provide insight into specific issues, such as the definition of personal data, what constitutes data related to health, what does freely consent mean or what type of interference with fundamental rights is profiling. Readers will even find a quote from a concurring opinion of an ECtHR judge that is prescient, to say the least.

Enjoy the read!

Brief Case-Law Companion for the GDPR Professional

CJEU in Manni: data subjects do not have the right to obtain erasure from the Companies Register, but they do have the right to object

by Gabriela Zanfir-Fortuna

The recent judgment of the CJEU in Case C-398/15 Manni (9 March 2017) brings a couple of significant points to the EU data protection case-law:

  • Clarifies that an individual seeking to limit the access to his/her personal data published in a Companies Register does not have the right to obtain erasure of that data, not even after his/her company ceased to exist;
  • Clarifies that, however, that individual has the right to object to the processing of that data, based on his/her particular circumstances and on justified grounds;
  • Clarifies the link between the purpose of the processing activity and the data retention period, and underlines how important is the purpose of the processing activity when analysing whether a data subject can obtain erasure or blocking of data.
  • Provides insight into the balancing exercise between interests of third parties to have access to data published in the Companies Register and the rights of the individual to obtain erasure of the data and to object to its processing.

This commentary will highlight all points enumerated above.

1. Facts of the case

Mr Manni had requested his regional Chamber of Commerce to erase his personal data from the Public Registry of Companies, after he found out that he was losing clients who performed background checks on him through a private company that specialised in finding information in the Public Registry. This happened because Mr Manni had been an administrator of a company that was declared bankrupt more than 10 years before the facts in the main proceedings. In fact, the former company itself was radiated from the Public Registry (§23 to §29).

2. The question in Manni

The question that the CJEU had to answer in Manni was whether the obligation of Member States to keep public Companies Registers[1] and the requirement that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected[2] must be interpreted as meaning that individuals must be allowed to “request the authority responsible for maintaining the Companies Register to limit, after a certain period has elapsed from the dissolution of the company concerned and on the basis of a case-by-case assessment, access to personal data concerning them and entered in that register” (§30).

3. Applicability of Directive 95/46 (Data Protection Directive – ‘DPD’)

First, CJEU clarified that its analysis does not concern processing of data by the specialized rating company, and it only refers to the obligations of the public authority keeping the companies register (§31). Second, the CJEU ascertained that the provisions of the DPD are applicable in this case:

  • the identification data of Mr Manni recorded in the Register is personal data[3] – “the fact that information was provided as part of a professional activity does not mean that it cannot be characterized as personal data” (§34);
  • the authority keeping the register is a “controller”[4] that carries out “processing of personal data”[5] by “transcribing and keeping that information in the register and communicating it, where appropriate, on request to third parties” (§35).

4. The role of the data quality principles and the legitimate grounds for processing in ensuring a high level of protection of fundamental rights

Further, CJEU recalls its case-law stating that the DPD “seeks to ensure a high level of protection of the fundamental rights and freedoms of natural persons” (§37) and that the provisions of the DPD “must necessarily be interpreted in the light of the fundamental rights guaranteed by the Charter”, and especially Articles 7 – respect for private life and 8 – protection of personal data (§39). The Court recalls the content of Articles 7 and 8 and specifically lays out that the requirements under Article 8 Charter “are implemented inter alia in Articles 6, 7, 12, 14 and 28 of Directive 95/46” (§40).

The Court highlights the significance of the data quality principles and the legitimate grounds for processing under the DPD in the context of ensuring a high level of protection of fundamental rights:

“[S]ubject to the exceptions permitted under Article 13 of that directive, all processing of personal data must comply, first, with the principles relating to data quality set out in Article 6 of the directive and, secondly, with one of the criteria for making data processing legitimate listed in Article 7 of the directive” (§41 and case-law cited).

The Court applies this test in reverse order, which is, indeed, more logical. A processing activity should, first, be legitimate under one of the lawful grounds for processing and only after ascertaining that this is the case, the question of compliance with the data quality principles should arise.

CJEU finds that in the case at hand the processing activity is legitimized by three lawful grounds (§42, §43):

  • compliance with a legal obligation [Article 7(c)];
  • the exercise of official authority or the performance of a task carried out in the public interest [Article 7(e)] and
  • the realization of a legitimate interest pursued by the controller or by the third parties to whom the data are disclosed [Article 7(f)].

5. The link between the data retention principle, the right to erasure and the right to object

Article 6(1)(e) of the DPD requires that personal data are kept in a form which permits identification of data subjects for no longer than what is necessary for the purposes for which the data were collected or for which they are further processed. This means that controllers should only retain personal data up until it serves the purpose for which it was processed and automatically anonymise, erase or otherwise make unavailable that data. If the controller does not comply with this obligation, the data subject has two possible avenues to stop the processing: he/she can either ask for erasure of that data, or they can object to the processing based on their particular situation and a justified objection.

CJEU explains that “in the event of failure to comply with the condition laid down in Article 6(1)(e)” of the DPD, “Member States guarantee the person concerned, pursuant to Article 12(b) thereof, the right to obtain from the controller, as appropriate, the erasure or blocking of the data concerned” (§46 and C-131/12 Google/Spain §70).

In addition, the Court explains, Member States also must “grant the data subject the right, inter alia in the cases referred to in Article 7(e) and (f) of that directive, to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation”, pursuant to Article 14(a) DPD (§47).

The CJEU further explains that “the balancing to be carried out under subparagraph (a) of the first paragraph of Article 14 … enables account to be taken in a more specific manner of all the circumstances surrounding the data subject’s particular situation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data” (§47).

6. The pivotal role of the purpose of the processing activity in granting the right to erasure and the right to object

After establishing these general rules, the Court decides that in order to establish where data subjects have the “right to apply to the authority responsible for keeping the register to erase or block the personal data entered in that register after a certain period of time, or to restrict access to it, it is first necessary to ascertain the purpose of that registration” (§48).

The pivotal role of the purpose of the processing operation should not come as a surprise, given the fact that the data retention principle is tightly linked to accomplishing the purpose of the processing operation.

In this case, the Court looked closely at Directive 68/151 and explained at length that the purpose of the disclosure provided for by it is “to protect in particular the interests of third parties in relation to joint stock companies and limited liability companies, since the only safeguards they offer to third parties are their assets” (§49) and “to guarantee legal certainty in relation to dealings between companies and third parties in view of the intensification of trade between Member States” (§50). CJEU also referred to primary EU law, and specifically to Article 54(3)(g) EEC, one of the legal bases of the directive, which “refers to the need to protect the interests of third parties generally, without distinguishing or excluding any categories falling within the ambit of that term” (§51).

The Court further noted that Directive 68/151 makes no express provision regarding the necessity of keeping personal data in the Companies Register “also after the activity has ceased and the company concerned has been dissolved” (§52). However, the Court notes that “it is common ground that even after the dissolution of a company, rights and legal relations relating to it continue to exist” (§53) and “questions requiring such data may arise for many years after a company has ceased to exist” (§54).

Finally, CJEU declared:

“in view of the range of possible scenarios … it seems impossible, at present, to identify a single time limit, as from the dissolution of a company, at the end of which the inclusion of such data in the register and their disclosure would no longer be necessary” (§55).

7. Conclusion A: there is no right to erasure

The Court concluded that “in those circumstances” the data retention principle in Article 6(1)(e) DPD and the right to erasure in Article 12(b) DPD do not guarantee for the data subjects referred to in Directive 68/151 a right to obtain “as a matter of principle, after a certain period of time from the dissolution of the company concerned, the erasure of personal data concerning them” (§56).

After already reaching this conclusion, the Court also explained that this interpretation of the provisions in question does not result in “disproportionate interference with the fundamental rights of the persons concerned, and particularly their right to respect for private life and their right to protection of personal data as guaranteed by Articles 7 and 8 of the Charter” (§57).

To this end, the Court took into account:

  • that Directive 68/151 requires “disclosure only for a limited number of personal data items” (§58) and
  • that “it appears justified that natural persons who choose to participate in trade through such a company are required to disclose the data relating to their identity and functions within that company, especially since they are aware of that requirement when they decide to engage in such activity” (§59).

8. Conclusion B: but there is a right to object

After acknowledging that, in principle, the need to protect the interests of third parties in relation to joint-stock companies and limited liability companies and to ensure legal certainty, fair trading and thus the proper functioning of the internal market take precedence over the right of the data subject to object under Article 14 DPD, the Court points out that

it cannot be excluded, however, that there may be specific situations in which the overriding and legitimate reasons relating to the specific case of the person concerned justify exceptionally that access to personal data entered in the register is limited, upon expiry of a sufficiently long period after the dissolution of the company in question, to third parties who can demonstrate a specific interest in their consultation” (§60).

While the Court leaves it to the national courts to assess each case “having regard to all the relevant circumstances and taking into account the time elapsed since the dissolution of the company concerned”, it also points out that, in the case of Mr Manni, “the mere fact that, allegedly, the properties of a tourist complex built … do not sell because of the fact that potential purchasers of those properties have access to that data in the company register, cannot be regarded as constituting such a reason, in particular in view of the legitimate interest of those purchasers in having that information” (§63).

9. Post Scriptum

The Court took a very pragmatic approach in dealing with the case of Mr Manni. The principles of interpretation it laid down are solid – such an analysis indeed requires looking at the legitimate grounds for processing and the relevant data quality principle. Having the Court placing strong emphasis on the significance of the purpose of the processing activity is welcome, just like having more guidance on the balancing exercise of the rights and interests in question. In addition, a separate assessment of the right to obtain erasure and of the right to object is very helpful with a view towards the future – the full entering into force of the GDPR and its heightened rights of the data subject.

The aspect of the judgment that leaves some room for improvement is analysing the proportionality of the interference of the virtually unlimited publishing of personal data in the Companies Register with Articles 7 and 8 of the Charter. The Court does tackle this, but lightly – and it brings two arguments only after already declaring that the interference is not disproportionate. Moreover, the Court does not distinguish between interferences with Article 7 and interferences with Article 8.

Finally, I was happy to see that the predicted outcome of the case, as announced in the pdpEcho commentary on the Opinion of the Advocate General Bot, proved to be mainly correct: “the Court will follow the AG’s Opinion to a large extent. However, it may be more focused on the fundamental rights aspect of balancing the two Directives and it may actually analyse the content of the right to erasure and its exceptions. The outcome, however, is likely to be the same.”

Suggested citation: G. Zanfir-Fortuna, “CJEU in Manni: data subjects do not have the right to obtain erasure from the Companies Register, but they do have the right to object”, pdpEcho.com, 13 March 2017.


[1] Article 3 of Directive 68/151.

[2] Article 6(1)(e) of Directive 95/46.

[3] Article 2(a) of Directive 95/46.

[4] Article 2(d) of Directive 95/46.

[5] Article 2(b) of Directive 95/46.

***

If you find information on this blog useful and would like to read more of it, consider supporting pdpecho here: paypal.me/pdpecho.

The right to be forgotten goes back to the CJEU (with Google, CNIL, sensitive data, freedom of speech)

The Conseil d’Etat announced today that it referred several questions to the Court of Justice of the EU concerning the interpretation of the right to be forgotten, pursuant to Directive 95/46 and following the CJEU’s landmark decision in the Google v Spain case.

The questions were raised within proceedings involving the application of four individuals to the Conseil d’Etat to have decisions issued by the CNIL (French DPA) quashed. These decisions rejected their requests for injunctions against Google to have certain Google Search results delisted.

According to the press release of the Conseil d’Etat, “these requests were aimed at removing links relating to various pieces of information :a video that explicitly revealed the nature of the relationship that an applicant was deemed to have entertained with a person holding a public office; a press article relating to the suicide committed by a member of the Church of Scientology, mentioning that one of the applicants was the public relations manager of that Church; various articles relating to criminal proceedings concerning an applicant; and articles relating the conviction of another applicant for having sexually aggressed minors.

The Conseil d’Etat further explained that in order to rule on these claims, it has deemed necessary to answer a number of questions “raising serious issues with regard to the interpretation of European law in the light of the European Court of Justice’s judgment in its Google Spain case.

Such issues are in relation with the obligations applying to the operator of a search engine with regard to web pages that contain sensitive data, when collecting and processing such information is illegal or very narrowly framed by legislation, on the grounds of its content relating to sexual orientations, political, religious or philosophical opinions, criminal offences, convictions or safety measures. On that point, the cases brought before the Conseil d’Etat raise questions in close connection with the obligations that lie on the operator of a search engine, when such information is embedded in a press article or when the content that relates to it is false or incomplete”.

***

Find what you’re reading useful? Please consider supporting pdpecho.

The GDPR already started to appear in CJEU’s soft case-law (AG Opinion in Manni)

CJEU’s AG Bot referred to the GDPR in his recent ‘right to be forgotten’ Opinion

It may only become applicable on 25 May 2018, but the GDPR already made its official debut in the case-law of the CJEU.

It was the last paragraph (§101) of the Conclusions of AG Bot in Case C-398/15 Manni, published on 8 September, that specifically referred to Regulation 2016/679 (the official name of the GDPR). The case concerns the question of whether the right to erasure (the accurate name of the more famous “right to be forgotten”) as enshrined in Article 12 of Directive 95/46 also applies in the case of personal data of entrepreneurs recorded in the Public Registry of companies, if their organisation went bankrupt years ago. Curiously, the preliminary ruling question doesn’t specifically refer to the right to erasure, but to the obligation in Article 6(1)(e) for controllers not to retain the data longer than necessary to achieve the purpose for which they were collected.

In fact, Mr Manni had requested his regional Chamber of Commerce to erase his personal data from the Public Registry of Companies, after he found out that he was losing clients who performed background checks on him through a private company that specialised in finding information in the Public Registry. This happened because Mr Manni had been an administrator of a company that was declared bankrupt more than 10 years before the facts in the main proceedings. In fact, the former company itself was radiated from the Public Registry (§30).

Disclaimer! The Opinion is not yet available in English, but in another handful of official languages of the EU. Therefore, the following quotes are all my translation from French or Romanian.

AG Bot advised the Court to reply to the preliminary ruling questions in the sense that all personal data in the Public Registry of companies should be retained there indefinitely, irrespective of the fact that companies to whose administrators the data refer are still active or not. “Public Registries of companies cannot achieve their main purpose, namely the consolidation of legal certainty by disclosing, in accordance with the transparency principle, legally accurate information, if access to this information would not be allowed indefinitely to all third parties” (§98).

The AG adds that “the choice of natural persons to get involved in the economic life through a commercial company implies a permanent requirement of transparency. For this main reason, detailed throughout the Opinion, I consider that the interference in the the right to the protection of personal data that are registered in a Public Registry of companies, specifically ensuring their publicity for an indefinite period of time and aimed towards any person who asks for access to these data, is justified by the preponderant interest of third parties to access those data” (§100).

Restricting the circle of ‘interested third parties’ would be incompatible with the purpose of the Public Registry

Before reaching this conclusion, the AG dismissed a proposal by the Commission that suggested a limited access to the personal data of administrators of bankrupt companies could be ensured only for those third parties that “show a legitimate interest” in obtaining it.

The AG considered that this suggestion “cannot, at this stage of development of EU law, ensure a fair balance between the objective of protecting third parties and the right to the protection of personal data registered in Public Registries of companies” (§87). In this regard, he recalled that the objective to protect the interest of third parties as enshrined in the First Council Directive 68/151  “is provided for in a sufficiently wide manner so as to encompass not only the creditors of a company, but also, in general, all persons that want to obtain information regarding that company” (§88).

Earlier, the AG had also found that the suggestion to anonymise data regarding the administrators of bankrupt companies is not compatible with the historical function of the Public Registry and with the objective to protect third parties that is inherent to such registries. “The objective to establish a full picture of a bankrupt company is incompatible with processing anonymous data” (§78).

Throughout the Opinion, the AG mainly interprets the principles underpinning the First Council Directive 68/151/EC (of 9 March 1968 on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community)  and it is apparent that it enjoys precedence over Directive 95/46/EC.

Finally: the reference to the GDPR

The AG never refers in his analysis to Article 12 of Directive 95/46,  which grants data subjects the right to erasure. However, come the last paragraph of the Opinion, the AG does refer to Article 17(3)(b) and (d) from Regulation (EU) 2016/679 (yes, the GDPR). He applies Article 17 GDPR to the facts of the case and mentions that the preceding analysis “is compatible” with it, because “this Article provides that the right to erasure of personal data, or ‘the right to be forgotten’, does not apply to a processing operation ‘for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ or ‘for archiving purposes in the public interest'” (§101).

While I find the Opinion of the AG clear and well argued, I have two comments. I wish he had referred more comprehensively to the fundamental rights aspect of the case when balancing the provisions of the two directives. But most of all, I wish he would have analysed the right to erasure itself, the conditions that trigger it and the exemptions under Article 13 of Directive 95/46.

My bet on the outcome of the case: the Court will follow the AG’s Opinion to a large extent. However, it may be more focused on the fundamental rights aspect of balancing the two Directives and it may actually analyse the content of the right to erasure and its exceptions. The outcome, however, is likely to be the same.

A small thing that bugs me about this case is that I find there is a differentiation between searching a Registry of Companies being interested in a company name and searching a Registry of Companies being interested in a specific natural person. I mean, all third parties may very well be interested in finding out everything there is to know about bankrupt Company X, discovering thus that Mr Manni was the administrator. To me, this does not seem to be the same situation as searching the Public Registry of companies using Mr Manni’s name to find out all about Mr Manni’s background. In §88 the AG even mentions, when recognising the all encompassing interest of every third party to access all information about a certain company indefinitely, that Directive 68/151 protects the interest of “all persons that want to obtain information regarding this company“. I know the case is about keeping or deleting the personal data of Mr Manni from the Registry. And ultimately it is important to keep the information there due to the general interest of knowing everything about the history of a company. However, does it make any difference for the lawfulness of certain processing operations related to the data in the Registry that the Registry of companies is used to create profiles of natural persons? I don’t know. But it’s something that bugged me while reading the Opinion. Moreover, if you compare this situation to the “clean slate” rules for certain offenders that have their data erased from the criminal record, it is even more bugging.  (Note: at §34 the AG specifies he is only referring in his Opinion to the processing of personal data by the Chamber of Commerce and not by private companies specialising in providing background information about entrepreneurs).

Fun fact #1

The GDPR made its ‘unofficial’ debut in the case-law of the CJEU in the Opinion of AG Jaaskinen in C-131/14 Google v. Spain delivered on 25 June 2013. In fact, it was precisely Article 17 that was referred to in this Opinion as well, in §110. There’s another reference to the GDPR in §56, mentioning the new rules on the field of application of EU data protection law. Back then, the text of the GDPR was merely a proposal of the Commission – nor the EP, or the Council had adopted their own versions of the text, before entering the trilogue which resulted in the adopted text of Regulation 2016/679.

Fun fact #2

AG Bot is the AG that the delivered the Opinion in the Schrems case as well. The Court followed his Opinion to a large extent for its Judgment. There are fair chances the Court will follow again his Opinion.

***

Find what you’re reading useful? Consider supporting pdpecho.

UPDATE Tracing the right to be forgotten in the short history of data protection law: The “new clothes” of an old right

UPDATE:

The paper received the “Junior Scholar Award 2014”. “The junior scholar award is a new award at CPDP which is generously supported by Google. The winning paper is selected from the papers written by junior scholars who have already been selected from the general CPDP call for papers. The jury consists of: Ronald Leenes, University of Tilburg (NL), Bert-Jaap Koops, University of Tilburg (NL), Jess Hemerly, Google (US), Mariachiara Tallachini, EC-JRC (IT) and Chris Jay Hoofnagle, UC Berkeley (US). The award recognises outstanding work in the fi eld of privacy and data protection”.

This is an incredible honor! Thank you, CPDP!

***

I will present the paper Tracing the right to be forgotten in the short history of data protection law: The “new clothes” of an old right at the Computers, Privacy and Data Protection conference, next week in Brussels. I am scheduled on Wednesday, 22 January, from 15.30, at La Maison des Arts, within the “Academic/PhD session. The right to be forgotten”.

The session will be chaired by Bert-Jaap Koops, from Tilburg University (TILT).

The other papers from the session are:

  • Ten Reasons Why the ‘Right to be Forgotten’ should be Forgotten by Christiana Markou.
  • Information Privacy and the “Right to be Forgotten”: An Exploratory Survey of Public Opinion and Attitudes by Clare Doherty and Michael Lang.
  • Purpose Limitation and Fair Re-use by Merel Koning.

As for my paper, here you have its abstract:

When the European Commission (EC) published its draft Data Protection Regulation (DPR) in early 2012, a swirl of concern hit data controllers regarding the introduction of a sophisticated “right to be forgotten” in the proposal for the future DPR, which was considered to unprecedentedly impact the internet and its economics. Critics and advocates of the right to be forgotten engaged in consistent theoretical debates, doubled by the technical discourse about its (un)feasibility. This paper “decomposes” the right to be forgotten into the tangible prerogatives which are in fact granted to individuals. It shows that those prerogatives already exist to an extended degree in EU law, and have existed in the first data protection laws enforced in Europe. In addition, the controversial obligation to inform third parties about the erasure request is a “duty of best efforts” which pertains to controllers and which is significantly different than a duty to achieve a result. Recourse will be made to private law theory to underline this difference.

Keywords: the right to be forgotten, data protection, privacy, duty of best efforts.

For further information on CPDP 2014, check out the conference web page. It looks like it will be a tremendous get-together of privacy people.

LIBE Committee votes all the amendments of the General Data Protection Regulation * No more “right to be forgotten”? * And why is everybody so excited/alarmed?

According to a press release of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament, “a major overhaul of current EU data protection rules, to put people in control of their personal data while at the same time making it easier for companies to move across Europe” was voted on Monday.

The vote has been described as being “historic” and “a breakthrough”, the latter being declared by Jan Philipp Albrecht, the man of the hour, who was the rapporteur MEP for the General Data Protection Regulation proposal. According to Albrecht, “this evening’s vote is a breakthrough for data protection rules in Europe, ensuring that they are up to the the challenges of the digital age. This legislation introduces overarching EU rules on data protection, replacing the current patchwork of national laws”.

The Commissioner of Justice, Viviane Reding, was as excited about the news as Albrecht. She twitted shortly after the vote concluded: “With a large majority vote, @Europarl_EN committee has sent a strong signal tonight: as of today data protection is made in #Europe”.

However, all this excitement could be seen as premature, when one thinks that the European Council has still to achieve a common ground regarding the draft regulation. This means that the governments of all the 28 EU Member States must conclude the debates on the GDPR and come up with the Council’s own amendments. After the final draft of the Council is ready, the Parliament and the Council must also achieve a common ground regarding the GDPR before they vote it and it will enter into force.

Forget the “right to be forgotten”

The text of the draft GDPR voted by the LIBE committee has not yet been published. The only official indications with regard to its content are entailed in the press release previously cited. According to it, we find out that the controversial “right to be forgotten”, originally enshrined in Article 17 of the GDPR proposal, will lose its catchy name and probably the main reason it received so much attention. The good news is that the content of the right seems to remain the same:

“any person would have the right to have their personal data erased if he/she requests it. To strengthen this right, if a person asks a data controller (e.g. an Internet company) to erase his/her data, the firm should also forward the request to others where the data are replicated. The “right to erasure” would cover the “right to be forgotten” as proposed by the Commission”.

The reverse of general excitement: why the “Safe Harbor” panic?

While the EU officials directly involved in the GDPR legislative process are applauding the vote of the LIBE committee, voices from the US started to panic because of the imminent danger which apparently threatens (“torpedoes“?) the Safe Harbor agreement, already imagining a world without it.

Both the extreme happiness and panic are not justified at this point of the legislative process. There are still difficult stages to surpass before this piece of legislation will enter into force. The will of the governments of the 28 MSs rarely mirrors the vision of the European Parliament. As such, unfortunately, we will have to wait a bit more before affirming that data protection is made in #Europe.

 

 

 

 

 

Christopher Wolf on the Critical Time for the EU Data Protection Regulation

243Christopher Wolf, who co-chairs the Future of Privacy Forum, wrote an article on the state of the art in data protection and privacy law at the beginning of 2013, pointing out the main developments in the field of last year and sketching what could happen in the year that just began.

The article focuses on the European developments in the data protection legal regime, as “what happens in the EU has an impact on multinational organizations operating across borders, and on the evolution of privacy frameworks around the world.”

Wolf writes about the main critiques the Regulation in its entirety faces, emerging especially from UK and also from France, but also discusses topical issues, such as “the right to be forgotten”.

In November 2012, Europe’s Network and Information Security Agency (ENISA), released a report on the technical aspects of the “right to be forgotten”. ENISA pointed out that any technical solution for the “right to be forgotten” would require an unambiguous definition of the personal data that is covered by the “right to be forgotten”, a clear notion of who can enforce the right, and a mechanism for balancing the “right to be forgotten” against other rights such as freedom of expression. According to the Report, the text of the current European proposal leaves each of these subjects open to debate, making it difficult to implement technical mechanisms to deal with the “right to be forgotten”.

You can find the piece HERE.

 

Reuters: Spain refers Google privacy complaints to EU's top court

Reuters writes that Spain’s highest court wants the top court in Europe to decide if requests by Spanish citizens to have data deleted from Google’s search engine are lawful, in a case that could put more pressure on it to review its privacy policies.

The court, the Audiencia Nacional, said it had asked the European Court of Justice (ECJ) to clarify whether Google should remove data from its search engine’s index and news aggregator even when it is not responsible for producing the content in its search results.

Madrid’s data protection authority has received over 100 requests from Spanish citizens to have their data removed from Google’s search results.

Among the cases is one of a Spanish man who complained to the national regulator about a notice of his home’s repossession for non-payment of social security, which kept appearing in a national newspaper in the Google News aggregator. In another case, a plastic surgeon wants to get rid of archived references to a botched operation.

The Spanish judges also asked the ECJ whether the complainants must take their grievances to California, where Google is based and said it wanted the matters heard.

The referral of the case to the ECJ marks the first formal inquiry into when people can demand that their data be deleted.

Personal note: this is one interesting case. If dealt with properly by the CJEU, than we will have the first reference to the concrete ways to enforce a right to be forgotten. I’m really eager to see its outcome.

The preliminary question I find particularly interesting is the one referring to the quality of the information required to be deleted from search engines.

“Finalmente, los jueces preguntan al Tribunal de Luxemburgo si la protección de datos incluye que el afectado se niegue a que una información referida a su persona se indexe y difunda, aun siendo lícita y exacta en su origen, pero que la considere negativa o perjudicial para su persona”, which means that the Spanish court has asked whether the data subject can ask for data to be deleted even in the case the information is legitimate and true, but the data subject considers it to bring prejudices.

Read the rest of the story HERE and HERE.

The EU right to be forgotten, already criticized by US academics. Does it really threaten freedom of speech?

Professor Jeffrey Rosen published in the Stanford Law Review some very serious criticism against the soon to be enforced in the EU right to be forgotten, stating mainly that it is a threat to freedom of speech. You can find the article HERE.

I don’t really see how obliging a person to erase an embarrassing photo of yourself   infringes that person’s right to free speech. At least, one should balance the right to dignity against freedom of speech in a particular situation and afterwards make a decision in this respect.

Then again, the European system for the protection of human rights is very elaborated and exhaustive, a particular system, with concrete mechanisms of protection and precise principles to be effectively applied (such as the balance I was talking about).

Where is the freedom of speech breached here? “Any person should have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.” This is recital 53 of the Preamble of the proposed regulation for data protection, which means Art. 17 of the regulation should be interpreted according to the principles stated in this recital.

I think the provision is very clear and when reading it I feel my privacy protected and not my freedom of speech threatened.

Facebook could face €100,000 fine for holding data that users have deleted. And it all started from a 24 year old student!

The Guarding writes today one of my kind of stories: a little guy taking things in his own hands and fighting back against giants. And this happens in the data protection universe 😉

Max Schrems, 24, decided to ask Facebook for a copy of his data in June after attending a lecture by a Facebook executive while on an exchange programme at Santa Clara University in California.

Schrems was shocked when he eventually received a CD from California containing messages and information he says he had deleted from his profile in the three years since he joined the site.

After receiving the data, Schrems decided to log a list of 22 separate complaints with the Irish data protection commissioner, which next week is to carry out its first audit of Facebook. He wrote to Ireland after discovering that European users are administered by the Irish Facebook subsidiary. A spokeswoman for the commissioner confirmed its officers would be investigating alleged breaches raised by Schrems as part of the audit. If the commissioner decides to prosecute and Facebook or any employees are found guilty of data protection breaches, the maximum penalty is a fine of €100,000.

What bedazzles me is the kind of data Facebook stores about its users!

Among the 1,200 pages of data Schrems was sent were rejected friend requests, incidences where he “defriended” someone, as well as a log of all Facebook chats he had ever had. There was also a list of photos he had detagged of himself, the names of everyone he had ever “poked”, which events he had attended, which he hadn’t replied to, and much more besides.

This story sounds like the beginning of some severe legislation on the right to be forgotten, at least in the European Union.

More about the war Schrems creates, on Europe v. Facebook webpage.