Written by Shara Monteleone,
Increasing use of digital technologies in almost every daily activity and the related flow of data have made access to and availability of personal data easier for companies, governments and citizens. In particular online, finding information about a fact or a person has become unprecedentedly easy.
Data protection as a fundamental right
Any information relating to a person identified or identifiable (even indirectly) is personal data. Most Europeans use the internet to read news, join social networks, and shop, sharing data in the process. However, the majority are concerned about data being collected or used without their knowledge. Losing control of our data is one of the three main challenges of the web according to its inventor, Tim Berners-Lee. Keeping control of our data means keeping control over our lives. In the EU, data protection is enshrined in the Charter of Fundamental Rights, along with the right to privacy. EU law, as a consequence, regulates data processing, striking a balance between data protection and other rights or interests (e.g. freedom of expression, public security), and sets strict conditions under which data may be processed.
The ‘right to be forgotten’
Data protection should be effective, as judgments of the Court of Justice of the EU have underlined. In the landmark Google Spain case, legitimate grounds relating to a particular individual situation were recognised as justifying objections to data processing. In that case, a Spanish citizen, Mario Costeja, gained the right to have personal data deleted from search engines, following a complaint that an old (solved) debt problem continued to affect his reputation as it still appeared online in links to newspaper pages from 1998. The Court confirmed that search engine activities amount to data processing, and are thus subject to the 1995 Data Protection Directive, and that a search engine is a ‘data controller’ with the obligation to ensure protection.
The Court stressed that the data subject had the right ‘at a certain point in time’ to request that the information no longer be made available, over-riding not only the economic interest of a search engine, but also the interest of the general public to have access to that information. Google would thus now be obliged to delete links to third-party webpages related to a person from the list of search results, even when publication on these webpages is lawful. However, it made clear that, in other circumstances, the interest of the general public to have access to information may be preponderant. The Court thus contributed to defining rights now included in the EU’s General Data Protection Regulation, to be fully applicable from May 2018. This strengthens citizens’ rights, through, for instance, a clear and affirmative consent requirement and increased transparency obligations on how data are used. Building on existing doctrine on le droit à l’oubli and the right to delete, it includes the ‘right to be forgotten’: unless there are legitimate grounds for retaining data, e.g. press freedom or for archiving purposes, individuals may have their data deleted.
Nevertheless, an individual’s right to be forgotten is not absolute, as confirmed by the Court in a recent ruling (Manni case) which sought a fair balance between this and other individuals’ right to access data in a public register (namely a companies’ register). This third-party right to access data on public registers can only be limited if, on a case-by-case basis, legitimate and over-riding reasons to hide or erase personal data exist.
Issues may arise with regard to third parties’ interest in keeping and accessing information (e.g. for historical purposes) and freedom of expression. However, the EU approach does not necessarily see these rights as excluding each other; rather, data protection and privacy are instrumental for other rights. As the European Data Protection Supervisor recently affirmed, data protection and privacy and other rights and freedoms under EU law are interdependent. The UN special rapporteur on privacy, Joseph Cannataci, sees privacy as an enabling right, or foundation, supporting other rights.
This note has been prepared by EPRS for the European Parliament’s Open Days in May 2017.