?The Right to be Forgotten?: The future EU legislation takes shape
Law and Rights

?The Right to be Forgotten?: The future EU legislation takes shape





Steve Peers

The furore over the ?right to be forgotten? in EU data protection law focusses, obviously enough, on the CJEU?s judgment in Google Spain, which obliquely referred to such a right, by means of interpreting the EU?s existing data protection Directive. But in principle the Court?s ruling might have limited impact, since the EU is embarked upon a lengthy process to replace that Directive.

The initial proposal for a new General Data Protection Regulation was tabled by the Commission at the start of 2012, and the European Parliament (EP) voted its opinion on the proposal this spring. For its part, the Council (Member States? justice ministers) is moving more slowly. So far, it has only agreed its position on the external relations aspects of this proposal. But following the delivery of the Google Spain judgment this spring, it has turned its attention to the right to be forgotten.

The Council had initially discussed this issue in 2012-13 (see a record of those talks here). It then paused to wait for the Court?s judgment. Following that ruling, the incoming Italian Council Presidency then resumed discussions on the issue in July, and tabled a revised version of its proposal a couple of weeks ago. The Council has not yet agreed on this issue (see the Member States? positions here), and in any event, once the Council has adopted its position on the entire proposal, it would still have to negotiate with the EP.

However, there seems to be an emerging consensus in the Council. Given the importance of the issue, which has attracted more public interest than any EU law issue in the last few months, it?s worth examining where the discussions are going.

First, of all, it should be recalled that the Council has already agreed that search engines like Google, and possibly many other Internet companies not based in the EU, will be subject to the new Regulation, when it agreed on the external relations rules in the proposal.

As for the ?right to be forgotten? itself, it?s in Article 17 of the proposed Regulation. The Commission initially proposed that the data subject could exercise the right (which is combined with the current right of erasure) against the original data controller, on one of four grounds: the data are no longer necessary; the data subject withdraws consent or when the storage period has expired; the data subject objects to the processing on specified grounds; or the processing is no longer valid on some other ground. The data controller had to inform third parties of any request to exercise that right.

In this initial proposal, there would be exemptions from the right on grounds of: freedom of expression; public health; historical, scientific or statistical research; compliance with a national or EU legal obligation; or cases where access to the data was merely restricted.  The Commission would have the power to adopt ?delegated acts? to spell out the right in more detail.

In the EP?s view, the right could also be exercised directly against third parties, and there would be a further possibility to exercise the right following an order by a court or regulatory authority (presumably including a data protection authority).

In the Council?s latest text, these grounds for exercising the right (as amended by the EP) are retained. The obligation to inform third parties is also retained, but the Italian Presidency?s explanation of its proposal makes clear that this text is taking on board ? rather than rejecting ? the Court of Justice?s ruling that Google must itself be considered a ?controller? of the personal data, and therefore directly subject to data protection rules.

As for the exceptions to the right, the ?freedom of expression? exception remains, fleshed out with the wording of Article 10 ECHR, taking ?due account of the public interest?in relation to the personal quality of the data subject?. The Presidency?s explanations make clear that this awkward wording is meant to encompass the ?public figure? exception hinted at (but not elaborated upon) in the Google Spain judgment.  There would also be new exceptions, as regards ?archiving purposes in the public interest?, social protection, making or defending legal claims, performing a public interest task or exercising official authority. The Commission power to adopt delegated acts has been dropped.

There?s no longer an exception (as regards the right to be forgotten) for the commercial interests of data controllers such as Google. But that won?t really change the status quo, since the CJEU easily found in Google Spain that Google?s economic interests were overruled by the data subject?s right to privacy.

New clauses in the preamble would reflect the CJEU?s ruling on the ?public figure? exception, the possibility of complaint either to the controller or to a data protection authority or the courts, and the role of the controller in applying the balancing test. The preamble would also note that the right to be forgotten has to be balanced against other rights; the wording here is taken from Article 52(1) of the Charter, which sets out a general rule on limitations of Charter rights.

What are we to make of these proposals? First of all, it?s clear that the essential features of the Google Spain judgment seem likely to be codified, not overturned, by the new law. This is assumed in the Presidency?s explanatory notes. Indeed, the Google Spain judgment turned on the Court?s reasoning that it was ?no longer necessary? to make available (accurate) data on the data subject?s previous financial troubles, via means of Google. And that very ground for exercising the right to be forgotten would be expressly retained in the new legislation.

The other grounds for exercising that right, as set out in the proposal, were not addressed in the judgment, although the Court would likely have ruled that they existed if it had been asked. Here, it?s important to point out the express power to withdraw consent for data processing. This would clearly cover cases of ?revenge porn?,  where one sexual partner initially agreed to the images being posted on the Internet but withdrew his or her consent when the relationship broke down. (For cases where there was never any consent to posting such images on the Internet, data protection law would have been violated from the outset).

Moving on to the exceptions from the right, the most controversial aspect is the reconciliation of the right to be forgotten with the freedom of expression. As noted above, the proposal codifies but does not clarify the ?public figure? exception. There?s a cross-reference to Article 80 as regards the freedom of expression. This Article (in the Commission?s original proposal) reproduces the current ?journalist exception? for the ?processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression?. While some Member States object that this exception does not apply to bloggers (see the footnotes to the latest text), the CJEU took a broad approach to this exception in the case of Satamedia, regarding a company which sends out text messages about people?s tax information as a journalist. On the other hand, the Court did not regard Google itself as a journalist.

The better view is surely that bloggers and anyone otherwise expressing themselves on social media fall within the scope of the ?freedom of expression? exception, even if they are not professional journalists. After all, such persons are still exercising their freedom of expression, and it would be deeply unprincipled, in the modern world, to protect that freedom for one group of people but not others. Moreover, such a distinction would clearly violate Article 10 ECHR, in light of the relevant case law of the European Court of Human Rights.

The CJEU did not consider in Google Spain whether freedom of expression could be relied upon to argue that journalists (and others) need unrestricted Internet access to do their jobs properly. So arguably this is still an open issue that could be raised by a journalist in an appropriate case.

More fundamentally, the latest draft entrenches the CJEU?s position that Google is mainly responsible for processing complaints about privacy, without ensuring that it is accountable. In other areas of law, there are reporting requirements imposed upon companies to ensure that they meet their legal, social and ethical obligations. Since Google will in practice usually be in charge of striking the balance between privacy and freedom of expression, the new legislation should require that it report on how it has balanced these rights, so that there can be a public discussion of the appropriateness of its actions.

Finally, how might the new Regulation (in the current draft) apply to Wikipedia and social networks? As discussed in a previous blog post, obviously Wikipedia could try to rely upon the ?public figure? exception. It could also try to rely upon the exceptions for archiving or historical interest, although that depends upon the final wording of other provisions of the Regulation.

Equally, the precise application of the new rules to entities like Facebook depends on the final wording of the ?household exception? in the new legislation, as well as the open question of how (if at all) the Google Spain judgment applies to user-generated content, as well as user-controlled privacy settings.

Overall, the latest drafts of the new Regulation on the ?right to be forgotten? will disappoint not only the fiercest critics of the Google Spain ruling, who regard any limitation of search engine results on privacy grounds as anathema, but also the more moderate critics (like myself) who believe that the ruling failed to strike clearly the right balance between the right to privacy and the right to freedom of expression. It?s not yet too late to urge the Council (and then, the Council and the EP) to address issues such as the unjustified special treatment of journalists, the accountability of search engines and the application of the new rules to other types of Internet use.



Barnard & Peers: chapter 9




- Data Protection: The Cjeu Clarifies The Applicable Law And Jurisdiction
Lorna Woods, Professor of Internet Law, University of Essex*The CJEU recently gave judgment in the Weltimmo case, concerning the reach of data protection supervisors, ruling that one Member State?s supervisor can have jurisdiction on organisations mainly...

- Basic Data Protection Principles In The Proposed Data Protection Regulation: Back To The Future?
Steve Peers So far, 2015 is not like the Back to the Future movies promised it would be like. In particular, there are no hoverboards (drones are a poor substitute). Moreover, instead of agreeing a data protection framework fully fit for 2015, the...

- Bringing Data Protection Home? The Cjeu Rules On Data Protection Law And Home Cctv
  Lorna Woods, Professor of Law, University of Essex  Does EU data protection law apply to home CCTV cameras? The CJEU addressed that issue yesterday in the judgment in Case C-212/13 Ryne? v. Ú?ad pro ochranuosobníchúdaj?. In its judgment,...

- Reforming Eu Data Protection Law: The Council Takes Its First Baby Steps
Steve Peers The EU?s controversial data protection rules, currently in the form of a Directive dating back to 1995, would be reformed profoundly if a Regulation proposed by the Commission is adopted. Talks on this proposal have been underway...

- The Cjeu's Google Spain Judgment: Failing To Balance Privacy And Freedom Of Expression
By Steve Peers The EU?s data protection Directive was adopted in 1995, when the Internet was in its infancy, and most or all Internet household names did not exist. In particular, the first version of the code for Google search engines was first written...



Law and Rights








.