UK seeks opt-out of "unrealistic" European 'right to be forgotten' laws

Out-Law News | 05 Apr 2013 | 3:23 pm | 3 min. read

The UK is attempting to opt out of changes to European data protection laws which will allow individuals to force social networks and other websites to delete their personal data, according to press reports.

The Guardian said that the UK Government objected to the proposed 'right to be forgotten', as it would create "unrealistic expectations" for individuals because it will only have a modest impact on the way data is traded across websites. The EU's draft General Data Protection Regulation proposes the creation of a general right to allow individuals to force companies to delete their personal data "without delay".

According to the newspaper, the UK is pressing for the change to be made as part of a 'directive' as opposed to a 'regulation', which will give EU member states more flexibility around how to implement it. It is also lobbying for separate rules to apply to small businesses which operate nationally rather than cross-border, according to a letter sent to the Justice Secretary by EU Justice Commissioner Viviane Reding.

"This piece of legislation is one of the biggest market-openers of the last few years," Reding said. "It eliminates 27 conflicting rules and replaces them with ... a mechanism for the whole continent. This means saving €2.3bn a year."

"[But] the British government have asked us not to do this and [would prefer] two laws: one for Britain and one for other people, meaning there would be separate layers of complication. I have exchanged letters with [UK Justice Secretary] Chris Grayling on this, which is rather like Kafka. Britain is meant to oppose red tape; here Britain wants a supplementary layer of red tape," she said.

Under current EU data protection laws organisations are generally allowed only to collect and store personal data that is strictly necessary and proportionate for its purposes. An individual has the "right to obtain, at his request ... the rectification, erasure or blocking of data which are incomplete, inaccurate or stored in a way incompatible with the legitimate purposes pursued" by organisations that hold their personal data.

The right to request the deletion of data would be expanded under the Commission's draft Regulation. Article 17 specifies a specific, qualified 'right to be forgotten'; giving individuals a general right to force organisations to delete personal data stored about them "without delay". Organisations that make the data public would be required to "take all reasonable steps, including technical measures" to inform them to delete the information. However, organisations would be able to oppose the deletion of information if they could show they have a right to publish the data under the fundamental principle of freedom of expression or if it is in the public interest for the data to remain in existence.

Information and technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that although the idea of a right to be forgotten "sounds like a very good one", the UK was right to raise its concerns. New EU laws should "focus on bringing about effective solutions, not illusory ones", he said.

"Everyone wants the ability to protect their identity and not have adverse decisions made about them in relation to employment, insurance or credit, based on information that was once true but, as circumstances change, has become no longer accurate," he said. "But it is clear, even to the Commission it would seem, that its proposed law cannot practically guarantee that all traces of data that a person has ever shared could be irreversibly erased, even though that is what is written on the label. This certainly creates an unfair expectation, a concern that the Information Commissioner has also expressed."

"The European Commission's focus should be on 'how to enable individuals to have effective control of their data', not 'what must a business do to demonstrate that it has tried its best to erase your data'. In reality the Commission's proposal is in danger of creating a situation where small and medium size businesses will spend more time putting administrative processes in place to prove that they have done all they could to comply with legal obligations rather than seeking out and testing effective technical solutions to assist individuals in protecting their personal information and digital assets," he said.

The Ministry of Justice said that it did not support the right as proposed by the European Commission as "the title raises unrealistic and unfair expectations of the proposals". The UK's data protection watchdog, the Information Commissioner, raised similar concerns in February; warning that it was "unclear" how the right as drafted "will be delivered in practice".