Out-Law / Your Daily Need-To-Know

Justice Ministers review feasibility of 'right to be forgotten' among other proposed data protection reforms

Out-Law News | 18 Jan 2013 | 4:52 pm | 3 min. read

European Justice Ministers have been asked to consider whether businesses will be able to comply with proposed new laws that would give individuals a 'right to be forgotten'.

The Irish Presidency of the European Council said (3-page Word document) the Ministers should "discuss" the matter an "informal" agenda-setting gathering on Thursday and Friday this week. It asked Ministers whether they support the European Commission's plans to create a 'right to be forgotten' and, if so, if it is "reasonable and feasible" for data controllers to comply with the obligations imposed by the right.

The European Council is an official body within the structure of the EU that gathers representatives from member states and the European Commission to determine general political policies and priorities for the trading bloc.

Under proposed new EU data protection laws published by the European Commission in January 2012, individuals would have a general 'right to be forgotten'. The general right would enable them to force organisations to delete personal data stored about them "without delay". Organisations that have made the data public would be liable for the data published by third parties and would be required to "take all reasonable steps, including technical measures" to inform those groups to delete the information.

Organisations would be able to oppose the deletion of information if they could show they have a right to publish the data under the fundamental principle of freedom of expression or if it is in the public interest for the data to remain in existence.

Under current EU data protection laws the 'right to be forgotten' does exist in less defined terms in that organisations are generally required only to collect and store personal data that is strictly necessary and proportionate for its purposes. Individuals have the "right to obtain, at his request ... the rectification, erasure or blocking of data which are incomplete, inaccurate or stored in a way incompatible with the legitimate purposes pursued" by organisations that hold their personal data.

Ministers were also asked to review other aspects of the Commission's proposed data protection reforms at their informal meeting. According to its data protection discussion paper, the Irish Presidency wanted the Ministers to review the planned sanctions regime that the Commission proposes be adopted to address breaches of the new legal framework.

Under the Commission's draft General Data Protection Regulation, businesses that fail to correspond to rules on notifying regulators about data breaches or otherwise infringe on rules set out in the Regulation could face fines "fixed with due regard to the nature, gravity and duration of the breach" of up to 2% of their annual global turnover.  Organisations not engaged in economic activity, such as charities or public bodies, could be fined up to €1 million for serious breaches.

However, the Irish Presidency has asked Ministers to review whether regulators should be given additional options, besides the levying of fines, when seeking to enforce compliance with the new regime.

"It appears, subject to limited exceptions, that the imposition of fines is intended to be mandatory and in each individual case 'effective, proportionate and dissuasive'," the Presidency said in its discussion paper. " The factors to be taken into account when determining the level of fine also include: the intentional or negligent character of the infringement; the degree of responsibility of the individual or legal person and previous breaches; and the level of cooperation with the supervisory authority in order to remedy the breach."

"Therefore the Presidency invites Ministers to discuss whether the [draft] framework of fines ... is appropriate; if wider provision should be made for warnings or reprimands, thereby making fines optional or at least conditional upon a prior warning or reprimand; if supervisory authorities should be permitted to take other mitigating factors, such as adherence to an approved code of conduct or a privacy seal or mark, into account when determining sanctions," it said.

The Irish Presidency also asked Ministers to consider whether a carve out from the proposed new data protection regime is "too narrowly defined". The Commission's draft Regulation contains a particular provision that exempts the rules laid out in the text from applying to "the processing of personal data ... by a natural person without any gainful interest in the course of its own exclusively personal or household activity".

The Irish Presidency has asked for suggestions from Ministers about how "the scope" of this 'household exemption' should be "extended" if they do feel the exemption is too narrowly defined.

An official report outlining the "formal finding on the issues discussed" will be issued after the Ministers meet formally in March, a spokesperson for the Irish Presidency said, according to a report by Data Guidance.