On 25 January 2012, the European Commission published a proposed new data protection framework for the E.U. The new framework, unlike the current one, is to provide a consistent and harmonised set of rules for all 27 E.U. member states. One of the main objectives of the new framework is to better ensure that individuals know what is happening to their personal data. To this end, the European Commission is proposing to introduce the ‘right to be forgotten’.
At present, the E.U. Directive 95/46/EC gives individuals rights to access personal data from third parties that hold and control their personal data (such as websites and employers). The new proposal extends the rights of individuals by requiring an organisation that controls personal data about them (a “data controller”) to delete all such data and abstain from further disseminating it, if the individual so requests. This new right is particularly concerned with personal data stored on the internet, including social networking sites.
At the heart of the right to be forgotten is a requirement for a data controller to delete personal data when requested and, perhaps more significantly, to take all reasonable steps (including technical measures) to inform third parties of the data subject’s request, where third parties have processed such data. Where the data controller has authorized a third-party publication of personal data, the controller shall be considered responsible for that publication.
A data controller would be required to act on an individual’s request to delete their personal data without delay unless there is a legitimate reason not to do so, for example, if the data controller can show that it has the right to publish the information in order to comply with a legal obligation. The proposed fine for non-compliance is significant (and controversial) – up to 1% of a company’s annual global turnover.
Individuals who have concerns about their personal privacy would welcome the ‘right to be forgotten’ as it affords internet users greater control over their personal information. Data controllers are, however, more sceptical and have concerns. Compliance could be time-consuming and costly, as organisations would need to have processes, procedures and IT systems in place to be able to delete all personal data held about a specific individual.
Another difficulty that data controllers are grappling with is whether they would be responsible for the republication of personal data by third parties and what their obligations would be to ensure the removal of such published material. It is hoped that this is clarified in the final Regulation. The ‘right to be forgotten’ also raises potentially complex issues about censorship and freedom of speech when the information is posted by third parties. For example, would an individual’s data protection right take precedence over a third party’s right to freedom of speech?
The ‘right to be forgotten’ is undoubtedly one of the most controversial proposals of the E.U.’s proposed new framework. Given the number of issues that are likely to be raised by organizations that will make representations to the European Parliament, it is anticipated (and hoped) that the ‘right to be forgotten’ will be revised and clarified before it is incorporated into the Regulation and made law. Watch this space!