Changes to EU Data Protection Directive and the right to be forgotten


In May 2014, the European Court of Justice handed down a ruling in case No. C-131/12, brought by a Spanish national against Google and against the national Data Protection Agency in Spain. 


The case concerned historic information about a repossession notice, an issue that had been fully resolved many years before. The claimant wanted the information removed and the Court confirmed that individuals have the right — under certain conditions — to ask search engines to remove links containing personal information about them. This applies where the information displayed is inaccurate, inadequate, irrelevant or excessive, applying normal data protection principles. 


Google began to comply with the European Court ruling in May 2014. The relevant content is not deleted, but the item will not be listed in search results provided by the search engine. The right to be forgotten is not absolute, said the European Court, but must be balanced against other fundamental rights, such as the right to freedom of expression.


Proposals for a new EU General Data Protection Regulation were, at the time of writing, being discussed by the European Parliament and EU Council of Ministers. This will supersede the previous EU data protection directive (1995) and provide for a unified set of data protection rules covering all EU member states. The regulation is intended to implement more stringent data protection principles, including the right to be forgotten, and could also involve much larger fines than currently apply in the UK being levied on companies that flout the rules (up to €1 million or 2% of the global annual turnover of a company). It will also seek to extend the reach of data protection legislation to data controllers outside the EU, including Google. 


Key elements of the proposed regulation include the following: 


• a reinforced “right to be forgotten” which will enable people to have their online data deleted if there are no legitimate reasons for retaining it;


• wherever consent is required for data to be processed, it will have to be given explicitly, rather than assumed, as is sometimes the case now. In addition, people will have easier access to their own data and be able to transfer personal data from one service provider to another more easily; and


• there will be accountability by those processing personal data: for example, an obligation to report serious data breaches within 24 hours.