Out-Law News 3 min. read

'Unenforceable' right to be forgotten should not be included in new EU data laws, ICO says


Revisions to EU data protection laws should not give individuals a general 'right to be forgotten', the Information Commissioner's Office (ICO) has said.

Giving individuals the right to force organisations to delete the personal information they store them about would be misleading, unenforceable and have "implications" for free speech, the UK's data protection watchdog said.

"The framework should strengthen individual rights to object to and block processing, and to have their data deleted, and reverse the burden of proof so the organisation has to provide compelling legitimate grounds for continuing processing," the ICO said in a briefing (4-page / 113KB PDF) on what it would like revised EU data protection laws to provide for.

"It should not introduce a stand-alone ‘right to be forgotten’ which could mislead individuals and falsely raise their expectations, and be impossible to implement and enforce in practice. There are implications for freedom of expression and questions as to how far individuals should be able rewrite their own or others’ history," the ICO said.

The European Commission recently announced that it plans to publish formal proposed changes to the EU Data Protection Directive by the end of January. EU Justice Commissioner Viviane Reding has said that a qualified 'right to be forgotten' would be included in the proposals.

"I will ensure that when an individual no longer wants his data to be processed or when there are no legitimate grounds to retain the data, it will be deleted," Reding said. Reding has said that publishers will be able to refuse 'right to be forgotten' requests on "public interest" grounds.

The ICO said it wants the EU laws to "clarify the relationship between transparency and consent and be realistic about the levels of individual control". Reding has said the new laws will force organisations to obtain explicit prior consent from individuals before they can process their personal data.

The new framework should set out "high-level principles" but with the detail contained in "implementing measures, codes of practice and other mechanisms," the ICO said.

"It should be a single, overarching framework applying to all the processing of personal data carried out in the EU, complemented with a set of more specific rules dealing with particular areas, for example, electronic communications or law enforcement," it said.

A "list-based prescriptive approach" should be avoided and instead the explanation of key definitions and organisations' obligations "should focus on risk, context and purpose," the ICO said.

"The framework should be less prescriptive in terms of the processes we expect organisations to adopt, but clearer in terms of the standards we expect them to reach. For example, obligations on organisations to have good information management and to demonstrate compliance and accountability, without prescriptive lists of measures to take or how to demonstrate compliance and accountability," it said.

EU data protection authorities (DPAs) should also have the right to conduct a mandatory audit of all private and public sector organisations, the ICO said. While the ICO does have mandatory auditing powers for some public sector bodies it currently has to rely on private sector businesses' consent to undertake an investigation of their data protection practices. However, in some EU countries such as Ireland, DPAs do have the mandatory right to audit private sector firms as well.

"DPAs should have powers to take action against any organisation, regardless of their role in the stewardship of the personal data. These powers should include the ability to audit all organisations without consent, not just the public sector," the ICO said.

The watchdog also said that the new laws should make it easier for individuals to exercise their rights. It wants data subjects to be able to use technology to access their personal data and be able to "move their data around and have it in a reusable format". The Department for Business, Skills and Innovation (BIS) recently announced that 19 major brands, including Google, Royal Bank of Scotland, British Gas and Visa, had all signed up to enable consumers to manage their personal data via an electronic data sharing initiative.

Individuals who have complaints about data protection issues should be able to go to "whichever relevant regulator can serve them best" to resolve issues, the ICO said.

Companies building new services should be "encouraged" to build "privacy by design" although "any explicit provisions to compel privacy by design would be difficult to implement and enforce in practice," the ICO said.

Privacy laws set out in the EU's Privacy and Electronic Communications Directive already require telecommunications companies and internet service providers to notify their customers and national regulators of personal data breaches immediately. The ICO told Out-Law.com that EU plans for a uniform process to be built around this requirement were currently being considered. It said that any potential extension of that requirement to other organisations should be built on the same processes currently under discussion.

The European Commission has previously said that it would investigate the extension of the data breach notification process to more than just telecoms companies.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.