Out-Law / Your Daily Need-To-Know

Health data should be outside scope of 'right to be forgotten' regime, say MEPs

Out-Law News | 25 Mar 2013 | 10:24 am | 2 min. read

Consumers should not be able to force organisations to delete the health records they hold about them under a new EU data protection framework, a committee at the European Parliament has said.

Last week the Parliament's Legal Affairs Committee (JURI) issued a new non-binding opinion on European Commission proposals to reform EU data protection laws. Whilst the Commission has proposed the creation of a formal 'right to be forgotten' for individuals under its draft General Data Protection Regulation, the Committee said that the right should not exist in the case of health data.

"Legal affairs specialists in Parliament support the 'right to be forgotten' as proposed by the Commission in its draft data protection regulation," the Committee said in a statement. "This would oblige companies, such as social networks or online shops, to delete personal data on request. However, the committee says in its non-binding opinion that this right should not apply to data processed for healthcare purposes. They believe that is important to retain complete health records in order to ensure the best care and treatment."

Under current EU data protection laws organisations are generally allowed only to collect and store personal data that is strictly necessary and proportionate for its purposes. An individual has the "right to obtain, at his request ... the rectification, erasure or blocking of data which are incomplete, inaccurate or stored in a way incompatible with the legitimate purposes pursued" by organisations that hold their personal data.

This 'right to be forgotten' would be expanded upon under the Commission's draft Regulation. Under the regime a specific qualified 'right to be forgotten' would be particularly specified and would give individuals a general right to force organisations to delete personal data stored about them "without delay". Organisations that make the data public would be liable for the data published by third parties and would be required to "take all reasonable steps, including technical measures" to inform them to delete the information.

However, organisations would be able to oppose the deletion of information if they could show they have a right to publish the data under the fundamental principle of freedom of expression or if it is in the public interest for the data to remain in existence.

JURI members also voted to back provisions that would prevent businesses building profiles of individuals based on data reflecting their ethnicity, religion or sexual orientation. The MEPs also backed plans to require organisations to obtain "explicit" consent from individuals if they wish to rely on those individuals' consent to process their personal data.

JURI is the fourth and final committee at the European Parliament to issue a draft opinion on the data protection reforms. The lead committee is the one on Civil Liberties, Justice and Home Affairs (LIBE). It is expected to reflect on more than 3,000 amendments that have been suggested to the Commission's text and is expected to vote on a final opinion at the end of May.

"I am optimistic that we will succeed in a common [European Parliament] position covering almost all fields," the European Parliament's rapporteur on the data protection reforms Jan Albrecht MEP said, according to the JURI statement.

The final European Parliament opinion would be taken forward as a negotiating position with EU Ministers, who must also back any reform in sufficient number, in a bid to arrive at a final framework to replace to the existing 1995 Data Protection Directive.

EU Ministers have been concurrently scrutinising the Commission's proposed reforms at the same time as the MEPs.

In a latest observation, justice officials in Sweden said that the EU data protection reforms must not impinge on citizens' freedom of information rights. The country has expressed concern at text contained in the Commission's draft Regulation which stipulates that "the principle of public access to official documents" can be "taken into account" when considering privacy rights, according to a report by the EU Observer website.

David Torngren, an official at the country's Ministry of Justice, told the publication that the Regulation must "make it perfectly clear that member states may keep their national rules on access to documents". He said those rules had "proved essential to ensure public oversight of public affairs".