The right to be forgotten

In a world of increasingly sophisticated IT systems where organisations have multiple servers and utilise cloud-based solutions to store personal data, the right to be forgotten is an escalating issue for companies that hold personal data about individuals.

In a recent high-profile case, says Justin Tivey of Bond Dickinson LLP, an individual in Spain made a complaint against Google Spain based on the fact that when the individual’s name was searched on Google, the result showed links to web pages of a Spanish newspaper referring to the individual and a real estate auction connected with proceedings for the recovery of social security debts. The Spanish courts referred a number of questions to the Court of Justice of the European Union and, in particular, asked the Court whether an individual could require the operator of a search engine to remove links to web pages publishing information about him that was prejudicial or that the individual wanted to be forgotten.

The Court found that while the newspaper article was accurate at the time it was published, the data was no longer necessary so should not be searchable by the name of the individual concerned. The UK’s Information Commissioner’s Office later emphasised that this judgment was achieved under the existing data protection framework and that it does not create a “full or absolute” right to be forgotten.  However, this case did mark a strengthening in approach and has firmly placed the “right to be forgotten” on the radar of many individuals and companies.

Historically, under the Data Protection Act 1998, a data subject (the person to whom the personal data relates) has certain rights but not the right to be forgotten. A number of the eight data protection principles set out in the Act include safeguards which mean information is not held indefinitely and the information that is held is not excessive. Principle 5, for example, provides that personal data being processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. However, this is an obligation on the data controller rather than a right for the data subject to request that their data be erased. Section 10 of the Act sets out a right for data subjects to prevent processing of their personal data that is likely to cause damage or distress, but the damage or distress caused must be substantial and unwarranted, so this is a high threshold to satisfy.

However, the IT landscape has changed dramatically since the 1998 Act was implemented and many argue that the European framework on which it is based is now no longer fit for purpose in a society where the concepts of big data, cloud computing and social media are prevalent. In order to address this, a new European Data Protection Regulation has been proposed and is currently progressing through the European legislative process. Drafts of the new Data Protection Regulation have set out a “right to be forgotten and to erasure”.

This is a substantial departure from the current position and poses a significant challenge for any organisation which holds personal data, particularly electronically. The proposed right applies where one of the following grounds is met:

  • the data is no longer necessary for the purposes for which it was collected or processed;
  • the data subject withdraws consent (where consent was the basis on which the individual’s data was processed) and there is no other legal ground for the processing of the data;
  • the data subject objects to the processing of the personal data or the processing does not comply with the Data Protection Regulation for other reasons.

Clearly, this obligation is very broad and one which could be very time-consuming for organisations to comply with.  In addition, various influential bodies including the Information Commissioner have questioned the practical enforcement of this right.

The Regulation is currently going through the European legislative process and, if all goes to plan, it is likely that it will be adopted in the summer of 2016 with a final draft being published at the end of this year/early next year. The European Regulation will have a two-year implementation period to allow organisations to assess their level of compliance and implement procedures to ensure they comply with the European Regulation.

Justin Tivey, legal director, Bond Dickinson LLP

Whatever form the right to be forgotten eventually takes, it will represent a material improvement for data subjects in their right to privacy while posing significant practical challenges for organisations.

The author of this blog is Justin Tivey, legal director, Bond Dickinson LLP.
