1 IS THERE A FUNDAMENTAL RIGHT TO FORGET? Bruxelles – 20 May 2009

2 Right to forget vs. Right to be forgotten: two different rights, or two different features of the same right? Two different concepts: – Right to forget: right not to be accountable for ones conduct after a certain amount of time and beyond a given framework of relationships – Right to be forgotten: right not to see ones past coming back forever – These concepts, in particular the latter one, raise three main questions: until when, to what extent, and by whom Should our past be known Should a person be accountable for past conduct Should past conduct be made known, also to entities other than those entitled to know because of the specific tasks discharged and/or because of their relationships with the data subject

3 International instruments and Community law: the foundations of the rights protecting personal identity and dignity Article 8 ECHR, CoE Convention 108/81, Directive 95/46/EC, Charter of Fundamental Rights (Nice), Lisbon Treaty (article 16 TFEU, article 39 TEU, article 6 on CFR binding nature): the foundations of the right to data protection In particular: the Directive highlights the relationship between identity, human dignity and data protection the Directive can regulate personal identity seen as a feature of the relationship between individual and society Identity is a dynamic concept: past information may kept to the extent it is functional to the relationship between individual and society

4 Directive 95/46/EC The Directive sets out limitations and conditions for the processing of personal data (lawfulness, purpose limitation, proportionality) In particular: Conditions for lawful processing (consent, performance of contract, legal obligation, public interest) Data subjects rights: information (10,11), access, rectification, erasure (12), objection (14) In this context, right to forget and right to be forgotten are regulated by data protection principles: the information on ones past may be kept and used if it is necessary for the data subjects rights/expectations

5 The public interest The Directive contains provisions that highlight the public interest in processing personal data (whether past or present): – Historical, statistical, scientific purposes (with safeguards); – Journalistic purposes, artistic/literary expression; – Ordre public (security, defence, law enforcement) – in the law. In these cases the scope of protection afforded to personal data is reduced: the individuals consent is no longer the main foundation of the processing The individual is no longer fully in control

6 The Interests at Stake Societal interests: personal data may be disclosed to a large number of entities (e.g.: historical/statistical research, journalism) ISSUE: Further purpose of processing compared to collection: Is there a current interest in knowing the data? Public interests (article 13 directive): special regime on processing mechanisms and data retention Need to check whether institutional purpose is to be achieved, especially in the light of recent developments (fight against terrorism, Lisbon Treaty)

7 The Interests at Stake: Public Administrative Agencies Openness of public administration + Need for ensuring effectiveness and efficiency in discharging public functions Issue: Should there be a limitation on the administrations right to process personal data for the above purposes? Directive leaves it to Member States to find a suitable solution. Our DPAs are often required to balance the interests at stake, on a case-by-case basis Guidelines by the Italian DPA: After a certain time span, dissemination of the data via websites may impinge disproportionately on the data subjects rights – in particular if the underlying measures/provisions were adopted long before and the respective purposes have already been achieved. As well as ensuring that the data are accurate, updated, relevant and not excessive, a local authority is required to ensure compliance with data subjects right to oblivion after achieving the purposes for which the data have been processed.

8 The Right to Forget and the Digital Age New technologies = New issues – Loss of control on ones personal data – Information forever available – Search engines: fragmented identity; difficult to erase data (Collaboration with Google: cache memory) – Online archives are much more easily accessible (Decisions by Italian DPA: Online archives of media) – Trend: Public bodies increasingly publish personal information on the web (to improve efficiency & effectiveness of their work) (Decision by Italian DPA: Publishing of decisions by Italian Antitrust Authority on the Internet)

9 The Broader Picture - The right to forget/be forgotten is challenged by new technologies - In fact, the whole legal framework is challenged (directives, Convention 108/81) - Need to develop new, international, harmonised approaches (International Standards?)

10 The Broader Picture - We should not do without the right to build up our own identities, even in the digital age - Issue: Right to limited data retention (How to ensure it? Realistic?) - Right to oblivion Informational self- determination