DPC Billy Hawkes on the right to be forgotten

The

within the European Commission’s draft data protection framework outlining “the right to be forgotten and to erasure” has both regulators and stakeholders asking whether it is viable.

The draft framework states it would grant data subjects the right to withdraw their consent for their personal data to be collected or processed, except for in cases where the collection and processing is necessary for “historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law, or where there is a reason to restrict the processing of the data instead of erasing them.” In addition to complying in applicable cases, data controllers would also be required to alert third parties of the data subject’s request.

In a recent

for

, experts discussed concerns surrounding the provision, including whether a differentiation should be made between user-generated content and content posted about a data subject by a third party; whether such requirements would be technologically possible, and whose responsibility it should be to ensure third parties comply with a data subject’s request for data deletion.

European Data Protection Supervisor Peter Hustinx recently

on the framework, and European Commission Vice-President Viviane Reding

on the “delicate balancing acts…between the fundamental right to privacy and other fundamental rights.” Meanwhile, in the Article 29 Working Party’s (WP)

to the European Commission’s public comment period, it indicated concern over “the way in which these rights are configured by the regulation and the reality of how the Internet works.”

Specifically, the WP has concerns about how data subjects could request data erasure if the original data controller no longer exists; the logistics of placing the obligation on the data controller to ensure all third parties that have copied or replicated the original data are informed of the data subject’s deletion request, and how to ensure third-party compliance with erasure requests, as “no provision in the regulation seems to make it mandatory for third parties to comply with the data subject’s request, unless they are also considered as controllers,” the response states.

recently chatted with Irish Data Protection Commissioner Billy Hawkes, a member of the Article 29 Working Party, to ask for his perspective on the draft regulation’s provision.  

I think there’s a more general concern as to whether or not there’s been sufficient attention to the extra burden the regulation would place on data protection authorities (DPAs). The right to be forgotten, as it was boiled down in the regulation, is a right to first of all, to be told how long your data will be held on to and, secondly, the right to have the data erased, but obviously that’s subject to a large number of qualifications. The joke is, “I’m afraid you can’t eliminate your debts this way,” when it comes to record of your debts. But then you get into a more difficult territory in terms of your right to historical records and your rights to freedom of expression, which of course would be particularly strong within the U.S. And yes, because there are a number of bases on which the data controller can decline to erase the data, and judgment is required on that. Yes, I think it is one other example of where data protection authorities may be asked to arbitrate between data subjects and data controllers.

Yes, very much. And this is a point that has been emphasized by European data protection authorities acting collectively, and we’ve raised the issue with the European Commission. Besides my country, many countries are going through a period of austerity and the imperative is to save money, including on public services. So yes, it will be very challenging to data protection authorities to be able to do what’s being asked of them with the resources that some of them, including ourselves, have at present. That would include also, apart from the right to be forgotten, consistency mechanisms, the need for far closer coordination for data protection authorities and, for some of us who may have a large number of multinational companies headquartered in our countries, a one-stop-shop company concept that a multinational would only have one primary regulator—that would certainly impact heavily on a DPA like ours. So yes, it is a further example of the extra burden that will be imposed on data protection authorities.

Well, first of all, to be fair to the commission, they did consult extensively before the proposal. They were addressing the criticism that there were 27 versions of what was supposed to be a common law, so there was a certain inevitability that a regulation would be more prescriptive than a directive. There’s a focus on the issue of the regulatory burden on businesses, as the new regulation does have significant regulatory requirements on businesses, even though it does lift some of them, there is still a significant burden. In relation, there is also a significant burden on DPAs, and in situations where DPAs are going to have difficulty obtaining resources, something has to give, in fact, if the regulation is to be effective. So there may be a happy medium where certain aspects of the regulation may be made less prescriptive and perhaps focus more on accountability approaches on the part of data controllers and data processors with less prescription. Perhaps as the draft goes through the legislative process, some of these issues will be resolved.