Tag Archives: right to be forgotten

The GDPR already started to appear in CJEU’s soft case-law (AG Opinion in Manni)

CJEU’s AG Bot referred to the GDPR in his recent ‘right to be forgotten’ Opinion

It may only become applicable on 25 May 2018, but the GDPR already made its official debut in the case-law of the CJEU.

It was the last paragraph (§101) of the Conclusions of AG Bot in Case C-398/15 Manni, published on 8 September, that specifically referred to Regulation 2016/679 (the official name of the GDPR). The case concerns the question of whether the right to erasure (the accurate name of the more famous “right to be forgotten”) as enshrined in Article 12 of Directive 95/46 also applies in the case of personal data of entrepreneurs recorded in the Public Registry of companies, if their organisation went bankrupt years ago. Curiously, the preliminary ruling question doesn’t specifically refer to the right to erasure, but to the obligation in Article 6(1)(e) for controllers not to retain the data longer than necessary to achieve the purpose for which they were collected.

In fact, Mr Manni had requested his regional Chamber of Commerce to erase his personal data from the Public Registry of Companies, after he found out that he was losing clients who performed background checks on him through a private company that specialised in finding information in the Public Registry. This happened because Mr Manni had been an administrator of a company that was declared bankrupt more than 10 years before the facts in the main proceedings. In fact, the former company itself was struck off the Public Registry (§30).

Disclaimer! The Opinion is not yet available in English, but in another handful of official languages of the EU. Therefore, the following quotes are all my translation from French or Romanian.

AG Bot advised the Court to reply to the preliminary ruling questions in the sense that all personal data in the Public Registry of companies should be retained there indefinitely, irrespective of the fact that companies to whose administrators the data refer are still active or not. “Public Registries of companies cannot achieve their main purpose, namely the consolidation of legal certainty by disclosing, in accordance with the transparency principle, legally accurate information, if access to this information would not be allowed indefinitely to all third parties” (§98).

The AG adds that “the choice of natural persons to get involved in the economic life through a commercial company implies a permanent requirement of transparency. For this main reason, detailed throughout the Opinion, I consider that the interference in the right to the protection of personal data that are registered in a Public Registry of companies, specifically ensuring their publicity for an indefinite period of time and aimed towards any person who asks for access to these data, is justified by the preponderant interest of third parties to access those data” (§100).

Restricting the circle of ‘interested third parties’ would be incompatible with the purpose of the Public Registry

Before reaching this conclusion, the AG dismissed a proposal by the Commission that suggested a limited access to the personal data of administrators of bankrupt companies could be ensured only for those third parties that “show a legitimate interest” in obtaining it.

The AG considered that this suggestion “cannot, at this stage of development of EU law, ensure a fair balance between the objective of protecting third parties and the right to the protection of personal data registered in Public Registries of companies” (§87). In this regard, he recalled that the objective to protect the interest of third parties as enshrined in the First Council Directive 68/151 “is provided for in a sufficiently wide manner so as to encompass not only the creditors of a company, but also, in general, all persons that want to obtain information regarding that company” (§88).

Earlier, the AG had also found that the suggestion to anonymise data regarding the administrators of bankrupt companies is not compatible with the historical function of the Public Registry and with the objective to protect third parties that is inherent to such registries. “The objective to establish a full picture of a bankrupt company is incompatible with processing anonymous data” (§78).

Throughout the Opinion, the AG mainly interprets the principles underpinning the First Council Directive 68/151/EC (of 9 March 1968 on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community) and it is apparent that it enjoys precedence over Directive 95/46/EC.

Finally: the reference to the GDPR

The AG never refers in his analysis to Article 12 of Directive 95/46, which grants data subjects the right to erasure. However, come the last paragraph of the Opinion, the AG does refer to Article 17(3)(b) and (d) from Regulation (EU) 2016/679 (yes, the GDPR). He applies Article 17 GDPR to the facts of the case and mentions that the preceding analysis “is compatible” with it, because “this Article provides that the right to erasure of personal data, or ‘the right to be forgotten’, does not apply to a processing operation ‘for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ or ‘for archiving purposes in the public interest’” (§101).

While I find the Opinion of the AG clear and well argued, I have two comments. I wish he had referred more comprehensively to the fundamental rights aspect of the case when balancing the provisions of the two directives. But most of all, I wish he would have analysed the right to erasure itself, the conditions that trigger it and the exemptions under Article 13 of Directive 95/46.

My bet on the outcome of the case: the Court will follow the AG’s Opinion to a large extent. However, it may be more focused on the fundamental rights aspect of balancing the two Directives and it may actually analyse the content of the right to erasure and its exceptions. The outcome, however, is likely to be the same.

A small thing that bugs me about this case is that I find there is a differentiation between searching a Registry of Companies being interested in a company name and searching a Registry of Companies being interested in a specific natural person. I mean, all third parties may very well be interested in finding out everything there is to know about bankrupt Company X, discovering thus that Mr Manni was the administrator. To me, this does not seem to be the same situation as searching the Public Registry of companies using Mr Manni’s name to find out all about Mr Manni’s background. In §88 the AG even mentions, when recognising the all-encompassing interest of every third party to access all information about a certain company indefinitely, that Directive 68/151 protects the interest of “all persons that want to obtain information regarding this company”. I know the case is about keeping or deleting the personal data of Mr Manni from the Registry. And ultimately it is important to keep the information there due to the general interest of knowing everything about the history of a company. However, does it make any difference for the lawfulness of certain processing operations related to the data in the Registry that the Registry of companies is used to create profiles of natural persons? I don’t know. But it’s something that bugged me while reading the Opinion. Moreover, if you compare this situation to the “clean slate” rules for certain offenders that have their data erased from the criminal record, it is even more bugging. (Note: at §34 the AG specifies he is only referring in his Opinion to the processing of personal data by the Chamber of Commerce and not by private companies specialising in providing background information about entrepreneurs).

Fun fact #1

The GDPR made its ‘unofficial’ debut in the case-law of the CJEU in the Opinion of AG Jääskinen in C-131/14 Google v. Spain delivered on 25 June 2013. In fact, it was precisely Article 17 that was referred to in this Opinion as well, in §110. There’s another reference to the GDPR in §56, mentioning the new rules on the field of application of EU data protection law. Back then, the text of the GDPR was merely a proposal of the Commission – neither the EP nor the Council had adopted their own versions of the text, before entering the trilogue which resulted in the adopted text of Regulation 2016/679.

Fun fact #2

AG Bot is the AG that delivered the Opinion in the Schrems case as well. The Court followed his Opinion to a large extent for its Judgment. There are fair chances the Court will follow his Opinion again.

***


UPDATE Tracing the right to be forgotten in the short history of data protection law: The “new clothes” of an old right

UPDATE:

The paper received the “Junior Scholar Award 2014”. “The junior scholar award is a new award at CPDP which is generously supported by Google. The winning paper is selected from the papers written by junior scholars who have already been selected from the general CPDP call for papers. The jury consists of: Ronald Leenes, University of Tilburg (NL), Bert-Jaap Koops, University of Tilburg (NL), Jess Hemerly, Google (US), Mariachiara Tallachini, EC-JRC (IT) and Chris Jay Hoofnagle, UC Berkeley (US). The award recognises outstanding work in the field of privacy and data protection”.

This is an incredible honor! Thank you, CPDP!

***

I will present the paper Tracing the right to be forgotten in the short history of data protection law: The “new clothes” of an old right at the Computers, Privacy and Data Protection conference, next week in Brussels. I am scheduled on Wednesday, 22 January, from 15.30, at La Maison des Arts, within the “Academic/PhD session. The right to be forgotten”.

The session will be chaired by Bert-Jaap Koops, from Tilburg University (TILT).

The other papers from the session are:

  • Ten Reasons Why the ‘Right to be Forgotten’ should be Forgotten by Christiana Markou.
  • Information Privacy and the “Right to be Forgotten”: An Exploratory Survey of Public Opinion and Attitudes by Clare Doherty and Michael Lang.
  • Purpose Limitation and Fair Re-use by Merel Koning.

As for my paper, here you have its abstract:

When the European Commission (EC) published its draft Data Protection Regulation (DPR) in early 2012, a swirl of concern hit data controllers regarding the introduction of a sophisticated “right to be forgotten” in the proposal for the future DPR, which was considered to unprecedentedly impact the internet and its economics. Critics and advocates of the right to be forgotten engaged in consistent theoretical debates, doubled by the technical discourse about its (un)feasibility. This paper “decomposes” the right to be forgotten into the tangible prerogatives which are in fact granted to individuals. It shows that those prerogatives already exist to an extended degree in EU law, and have existed in the first data protection laws enforced in Europe. In addition, the controversial obligation to inform third parties about the erasure request is a “duty of best efforts” which pertains to controllers and which is significantly different than a duty to achieve a result. Recourse will be made to private law theory to underline this difference.

Keywords: the right to be forgotten, data protection, privacy, duty of best efforts.

For further information on CPDP 2014, check out the conference web page. It looks like it will be a tremendous get-together of privacy people.

LIBE Committee votes all the amendments of the General Data Protection Regulation * No more “right to be forgotten”? * And why is everybody so excited/alarmed?

According to a press release of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament, “a major overhaul of current EU data protection rules, to put people in control of their personal data while at the same time making it easier for companies to move across Europe” was voted on Monday.

The vote has been described as being “historic” and “a breakthrough”, the latter being declared by Jan Philipp Albrecht, the man of the hour, who was the rapporteur MEP for the General Data Protection Regulation proposal. According to Albrecht, “this evening’s vote is a breakthrough for data protection rules in Europe, ensuring that they are up to the challenges of the digital age. This legislation introduces overarching EU rules on data protection, replacing the current patchwork of national laws”.

The Commissioner of Justice, Viviane Reding, was as excited about the news as Albrecht. She tweeted shortly after the vote concluded: “With a large majority vote, @Europarl_EN committee has sent a strong signal tonight: as of today data protection is made in #Europe”.

However, all this excitement could be seen as premature, when one thinks that the European Council has still to achieve a common ground regarding the draft regulation. This means that the governments of all the 28 EU Member States must conclude the debates on the GDPR and come up with the Council’s own amendments. After the final draft of the Council is ready, the Parliament and the Council must also achieve a common ground regarding the GDPR before they vote it and it will enter into force.

Forget the “right to be forgotten”

The text of the draft GDPR voted by the LIBE committee has not yet been published. The only official indications with regard to its content are contained in the press release previously cited. According to it, the controversial “right to be forgotten”, originally enshrined in Article 17 of the GDPR proposal, will lose its catchy name and probably the main reason it received so much attention. The good news is that the content of the right seems to remain the same:

“any person would have the right to have their personal data erased if he/she requests it. To strengthen this right, if a person asks a data controller (e.g. an Internet company) to erase his/her data, the firm should also forward the request to others where the data are replicated. The “right to erasure” would cover the “right to be forgotten” as proposed by the Commission”.

The reverse of general excitement: why the “Safe Harbor” panic?

While the EU officials directly involved in the GDPR legislative process are applauding the vote of the LIBE committee, voices from the US started to panic because of the imminent danger which apparently threatens (“torpedoes”?) the Safe Harbor agreement, already imagining a world without it.

Neither the extreme happiness nor the panic is justified at this point of the legislative process. There are still difficult stages to get through before this piece of legislation enters into force. The will of the governments of the 28 MSs rarely mirrors the vision of the European Parliament. As such, unfortunately, we will have to wait a bit more before affirming that data protection is made in #Europe.

Christopher Wolf on the Critical Time for the EU Data Protection Regulation

Christopher Wolf, who co-chairs the Future of Privacy Forum, wrote an article on the state of the art in data protection and privacy law at the beginning of 2013, pointing out the main developments in the field of last year and sketching what could happen in the year that just began.

The article focuses on the European developments in the data protection legal regime, as “what happens in the EU has an impact on multinational organizations operating across borders, and on the evolution of privacy frameworks around the world.”

Wolf writes about the main critiques the Regulation in its entirety faces, emerging especially from the UK and also from France, but also discusses topical issues, such as “the right to be forgotten”.

In November 2012, Europe’s Network and Information Security Agency (ENISA) released a report on the technical aspects of the “right to be forgotten”. ENISA pointed out that any technical solution for the “right to be forgotten” would require an unambiguous definition of the personal data that is covered by the “right to be forgotten”, a clear notion of who can enforce the right, and a mechanism for balancing the “right to be forgotten” against other rights such as freedom of expression. According to the Report, the text of the current European proposal leaves each of these subjects open to debate, making it difficult to implement technical mechanisms to deal with the “right to be forgotten”.

You can find the piece HERE.

 

Reuters: Spain refers Google privacy complaints to EU's top court

Reuters writes that Spain’s highest court wants the top court in Europe to decide if requests by Spanish citizens to have data deleted from Google’s search engine are lawful, in a case that could put more pressure on it to review its privacy policies.

The court, the Audiencia Nacional, said it had asked the European Court of Justice (ECJ) to clarify whether Google should remove data from its search engine’s index and news aggregator even when it is not responsible for producing the content in its search results.

Madrid’s data protection authority has received over 100 requests from Spanish citizens to have their data removed from Google’s search results.

Among the cases is one of a Spanish man who complained to the national regulator about a notice of his home’s repossession for non-payment of social security, which kept appearing in a national newspaper in the Google News aggregator. In another case, a plastic surgeon wants to get rid of archived references to a botched operation.

The Spanish judges also asked the ECJ whether the complainants must take their grievances to California, where Google is based and said it wanted the matters heard.

The referral of the case to the ECJ marks the first formal inquiry into when people can demand that their data be deleted.

Personal note: this is one interesting case. If dealt with properly by the CJEU, then we will have the first reference to the concrete ways to enforce a right to be forgotten. I’m really eager to see its outcome.

The preliminary question I find particularly interesting is the one referring to the quality of the information required to be deleted from search engines.

“Finalmente, los jueces preguntan al Tribunal de Luxemburgo si la protección de datos incluye que el afectado se niegue a que una información referida a su persona se indexe y difunda, aun siendo lícita y exacta en su origen, pero que la considere negativa o perjudicial para su persona”, which means that the Spanish court has asked whether the data subject can ask for data to be deleted even in the case the information is legitimate and true, but the data subject considers it to bring prejudices.

Read the rest of the story HERE and HERE.

The EU right to be forgotten, already criticized by US academics. Does it really threaten freedom of speech?

Professor Jeffrey Rosen published in the Stanford Law Review some very serious criticism of the right to be forgotten that is soon to be enforced in the EU, stating mainly that it is a threat to freedom of speech. You can find the article HERE.

I don’t really see how obliging a person to erase an embarrassing photo of yourself infringes that person’s right to free speech. At least, one should balance the right to dignity against freedom of speech in a particular situation and afterwards make a decision in this respect.

Then again, the European system for the protection of human rights is very elaborate and exhaustive, a particular system, with concrete mechanisms of protection and precise principles to be effectively applied (such as the balance I was talking about).

Where is the freedom of speech breached here? “Any person should have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.” This is recital 53 of the Preamble of the proposed regulation for data protection, which means Art. 17 of the regulation should be interpreted according to the principles stated in this recital.

I think the provision is very clear and when reading it I feel my privacy protected and not my freedom of speech threatened.

Facebook could face €100,000 fine for holding data that users have deleted. And it all started from a 24 year old student!

The Guardian writes today one of my kind of stories: a little guy taking things in his own hands and fighting back against giants. And this happens in the data protection universe 😉

Max Schrems, 24, decided to ask Facebook for a copy of his data in June after attending a lecture by a Facebook executive while on an exchange programme at Santa Clara University in California.

Schrems was shocked when he eventually received a CD from California containing messages and information he says he had deleted from his profile in the three years since he joined the site.

After receiving the data, Schrems decided to log a list of 22 separate complaints with the Irish data protection commissioner, which next week is to carry out its first audit of Facebook. He wrote to Ireland after discovering that European users are administered by the Irish Facebook subsidiary. A spokeswoman for the commissioner confirmed its officers would be investigating alleged breaches raised by Schrems as part of the audit. If the commissioner decides to prosecute and Facebook or any employees are found guilty of data protection breaches, the maximum penalty is a fine of €100,000.

What bedazzles me is the kind of data Facebook stores about its users!

Among the 1,200 pages of data Schrems was sent were rejected friend requests, incidences where he “defriended” someone, as well as a log of all Facebook chats he had ever had. There was also a list of photos he had detagged of himself, the names of everyone he had ever “poked”, which events he had attended, which he hadn’t replied to, and much more besides.

This story sounds like the beginning of some severe legislation on the right to be forgotten, at least in the European Union.

More about the war Schrems creates, on the Europe v. Facebook webpage.