EC’s data protection draft sheds light on ‘right to be forgotten’, fines

25 May 2018 10:08am

5 December 2011. By Magnus Franklin

Brussels - A draft of the European Commission’s forthcoming data protection legislation has shed light on the specifics of provisions such as the ‘right to be forgotten,’ which have so far been only outlined at a conceptual level.

The proposal is currently circulating internally within the commission’s departments and is set to be formally proposed towards the end of January to coincide with the European Privacy Day. It is set to consist of a general regulation, which will apply directly as law, and a directive, to be implemented by member states, which focuses on police and criminal justice aspects of data protection.

The draft defines the right to be forgotten as follows: “The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data.”

This right applies when data are no longer needed for the purpose for which they were collected; when a person withdraws their consent to have the data used, or the period for which consent was granted expires; the data subject objects to the processing of the data; or processing of the data is otherwise incompatible with the regulation.

“This right shall apply especially in relation to personal data which are made available by the data subject while he or she was a child,” the draft adds.

Further, “where the controller referred to [...] has made the data public, it shall in particular ensure the erasure of any public internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service which allows or facilitates the search of or access to this personal data.”

The draft goes on to list a number of exceptions to this right, namely when the data is necessary to exercise the right to freedom of expression; for historical, statistical or scientific research; and when required under data-retention laws.

Under certain circumstances, data controllers may also be required to ‘restrict’ the processing of data, rather than erase them outright. This exemption applies when a data subject contests the accuracy of their personal details; when data are no longer strictly necessary to maintain “but they have to be maintained for purposes of proof”; when processing the data is unlawful but the data subject opposes erasure; or the data subject requests to ‘port’ the data to another provider.

Should further clarification be needed on this ‘right to be forgotten,’ the regulation also empowers the commission to adopt ‘delegated acts,’ or implementing measures to set down the criteria for erasure for particular sectors, or how the deletion of internet links and searchable data sources should take place.

- Data portability and fines -

Among the many other provisions of the directive, the draft also sets out obligations for data controllers to allow people to extract the data they hold and move to another provider.

Specifically, a data subject will have the right “to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.”

Further, such ‘portability’ requests should be complied “without hindrance from the controller from whom the personal data are withdrawn.”

Again, the commission is empowered to adopt implementing acts to specify the relevant formats, and “the technical standards, modalities and procedures for the transmission of personal data.”

The new data protection framework also sets out a new, substantially tougher, system of fines for various categories of breaches of data protection rules, including minimum fines authorities will be obliged to mete out.

The first tranche allows data protection authorities to impose fines from 100 euros to 300,000 euros, or in the case of an enterprise, one percent of global turnover. Such fines can be issued where there is no mechanism for data subjects to make information requests, or when someone charges a fee to respond to information requests or does not report internal data protection policies.

A higher set of fines – from 300 euros to 600,000 euros or three percent of turnover – will apply to “anyone who intentionally or negligently” fails to appropriately respond to information requests by data subjects, fails to rectify mistakes, does not comply with the right to be forgotten, obstructs data portability, or fails to properly adhere to specific data protection rules such as in the context of employment, or historical, statistical or scientific research.

The highest level of fines, starting at 100,000 euros and rising to five percent of global turnover, is reserved for the most serious breaches of data protection rules. These include those who illicitly process data, process particularly sensitive data in violation of specific rules that apply, fail to appoint a data protection official, or fail to comply with restrictions on ‘profiling.’

Further violations that incur the highest fines are failure to notify a breach of personal data, violation of rules on international data transfers, and obstruction of inspections by data protection authorities.

The draft is not final and is subject to change before its January publication, following scrutiny from other policy units within the commission.

Andrea Jelinek