Luca De Matteis Justice counsellor (criminal law, data protection)

Presentation transcript:

The right to be forgotten: key issues and developments in the EU General Data Protection Regulation
Luca De Matteis
Justice counsellor (criminal law, data protection)
Permanent representation of Italy to the European Union

SUMMARY
- Origins of the right to be forgotten (“RTBF”)
- RTBF in current European data protection law
- The Court of Justice of the EU and the “Google Spain” judgment
- The 2016 EU General Data Protection Regulation
The Right to Be Forgotten - 10 October 2016

RTBF BEFORE THE AGE OF INTERNET
“Mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops’.” (1890, “The Right to Privacy” by Louis D. Brandeis and Samuel Warren)

The origins of the RTBF
- In the United States
- In Europe
  - 2010 France: “Charte du droit à l’oubli numérique”
  - 2008-2009: court cases in Germany (Wikipedia, Youtube)
  - 1995: court cases in Italy

The origins of the RTBF in Europe
- RTBF is a reflection of the right to reputation
  - Which concerns public knowledge of facts of a person’s past which may be harmful to one’s reputation
  - Information which has been lawfully disseminated
  - By any means
- RTBF as a civil right / a fundamental right? → it becomes a fundamental right as part of the wider fundamental right to protection of personal data

Main legal acts on data protection in Europe
- 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (+2001 Protocol)
- Directive 95/46/EC of 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
- Charter of fundamental rights of the EU, Articles 7 and 8
- Regulation (EU) 2016/679 of 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (+ Directive)

The RTBF in the 1995 Data Protection Directive (Directive 95/46/EC)
Article 6
1. Member States shall provide that personal data must be: […]
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

The RTBF in the 1995 Data Protection Directive (Directive 95/46/EC)
Article 12: Right of access
Member States shall guarantee every data subject the right to obtain from the controller: (…)
(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;
(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

The RTBF in the 1995 Data Protection Directive (Directive 95/46/EC)
The principles of purpose limitation, data minimization and storage limitation dictate:
- What data can be processed
- How it may be processed
- How it must be stored and in what form
- For how long it must be stored
If a data subject has a right or interest contrary to the interest of the processor to maintain the data and IF the processing no longer can be justified according to the above principles → right to erasure

The “Google Spain” judgment
Court of Justice of the European Union, Case C-131/12 of 13 May 2014, Google Spain SL, Google Inc. vs. Agencia Española de Protección de Datos, Mario Costeja González
- Case against Google, not the original newspaper editor!
- Territoriality
- Applicability of data protection rules to a search engine
- RTBF: is it included in the scope of the right to erasure?
- RTBF: against whom can/must it be exercised?
- RTBF: is it absolute?
- What is the interest of the processor?
- Which are the other competing interests?
- RTBF: general rules or case-by-case?

The General Data Protection Regulation 2016: processing principles
Article 5, “Principles relating to processing of personal data”:
1. Personal data shall be:
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes […] subject to implementation of the appropriate technical and organisational measures […] in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

The General Data Protection Regulation 2016: right to erasure (“right to be forgotten”)
Article 17
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; […]
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
for exercising the right of freedom of expression and information
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;

The General Data Protection Regulation 2016: “new” scope for RTBF?
- New definition, clearer conditions and limitations
- Territoriality → Article 3
- Obligation to inform other processors of the deletion
- Sanctions
- Data protection authorities cooperate (European Data Protection Board)

To conclude
- RTBF as a “killer of free speech”
- RTBF as an “instrument of censorship”
- RTBF as a “blunt instrument”
- RTBF as a chance to rethink how we process, store and share information

THANK YOU FOR YOUR ATTENTION
luca.dematteis@giustizia.it
luca.dematteis@esteri.it
This presentation is solely based on the personal views of the author