What should be forgotten? Time to make sense of Article 17 GDPR from the point of view of data controllers, by Pieter Van Cleynenbreugel

click image to enlarge

The Court of Justice of the European Union’s recognition of a right to obtain the removal of one’s personal data displayed in search engine results (Case C-131/12, Google Spain, EU:C:2014:317) has opened policy discussions on the conditions under which individuals’ data are to be deleted by data controllers. Those discussions culminated in Article 17 of the new General Data Protection Regulation 2016/679  (GDPR) explicitly stating that every data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay. That right is not unconditional, as only data no longer necessary or unlawfully collected can be subject to such a request. In addition, to the extent that processing is necessary in the public interest, the right cannot be invoked.

Despite its explicit recognition, the exact scope of the right to be forgotten cannot be derived clearly from the wording of Article 17 GDPR. Indeed, even a superficial reading of that provision immediately allows two different interpretations of this right to be distinguished. On the one hand, a right to be forgotten could be read only to incorporate an entitlement to a simple erasure, i.e. the mere technical delisting of data from being displayed in search results or databases. On the other hand, a more fundamental obligation to ensure the permanent removal of one’s data, a so-called “oblivion” approach could equally be envisaged in this context. Throughout the GDPR, references to both approaches can be detected simultaneously.

The erasure approach

Arguing in favour of the mere erasure approach, one could argue that the provision only speaks about the erasure of data. As such, it does not seem to impose the permanent removal of those data from the controller’s processing systems. At the same time, however, Recital 65 GDPR would seem to imply that further retention of the data should be made impossible when a successful request for erasure is made. In the same way, the GDPR demands that “a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data” (recital 66). As such, the Regulation could equally be read as calling for a more extensive oblivion approach.

The lack of clarity regarding the scope of Article 17 is likely to raise practical problems from the point of view of data controllers called upon to implement it in their day-to-day business practices. When called upon to apply Article 17, erasure and oblivion approaches would entail different compliance obligations for those businesses.

On the one hand, an erasure approach would merely require from data controllers to have at their disposal tools ensuring that, upon request of an individual, the latter’s personal data are no longer displayed. Those data could still be stored and remain on the servers of the data controller in principle for any potential future – and permitted – use or may even have to be retained for law enforcement purposes in the context of applicable and valid data retention regulation.

The oblivion approach

On the other hand, an oblivion approach would seem to oblige data controllers permanently to remove personal data from their servers, rather than making them inaccessible. This approach presupposes that, at the request of a data subject, all relevant data are permanently removed and that technological tools have to be in place to make this happen. In that case, EU law would require an individual’s commercial transaction history to be deleted entirely and permanently from an online selling platform or any other data controller. In the same way, robots or robotic devises in personal homes, which register data, could be requested to have a feature to delete all private or personal data registered as side-effects of their day-to-day activities. To the extent that oblivion would be the approach preferred, businesses would or could have to put in practice means automatically and ex ante to remove irrelevant personal data from their data storages in order to comply with Article 17 GDPR. At present, it is unclear, however, to what extent such a pro-active data removal strategy is even compatible with EU and Member States’ data protection and retention regulation frameworks.

One could even speculate, in this respect, that the nature of the data controller may justify the imposition of different right to be forgotten obligations on different controllers. As such, an erasure approach is considered more feasible in certain sectors such as search engines, whereas an oblivion approach is preferable in others such as in the context of robots interacting with humans. The GDPR refrains from even hinting at the pertinence of such a distinction.

The need for clarification

In light of the foregoing uncertainty about the exact scope of Article 17 GDPR and the differing compliance consequences different interpretations of that provision entail, an interpretative communication bringing clarity regarding the scope of that provision and concrete steps to be taken for its implementation would be more than welcome. Preferably authored by the European Commission or the Working Party of Member States’ data protection authorities, the communication would have to offer concrete guidance to data controllers confronted with right to be forgotten claims. If chosen as a policy option, I would even recommend the communication to make a distinction between different types of data controllers and reflect on specifically tailored “erasure” or “oblivion” steps to be taken by them depending on their particular activities. In doing so, more specific “right to be forgotten” compliance steps could be crafted in relation to specific data protection activities engaged in by different controllers, which could help better to understand and apply the right to be forgotten as envisaged by Article 17 GDPR. In order to avoid the right to be forgotten becoming a toothless monster when the GDPR will come to apply in May 2018, now would be a good time to take such action.

Pieter Van Cleynenbreugel est professeur de droit européen à la Faculté de Droit, de Science Politique et de Criminologie de l’Université de Liège et co-directeur du Liège Competition and Innovation Institute (LCII). Il y enseigne le droit matériel de l’Union européenne ainsi que plusieurs cours spécialisés. Titulaire d’un doctorat en sciences juridiques de la KU Leuven et d’un master complémentaire en droit économique de l’Université de Harvard, ses recherches portent sur le marché unique numérique, le droit européen de la concurrence et le droit administratif européen.

See the other contributions on our e-conference on Right To Be Forgotten in Europe and Beyond

 

3 réflexions sur “What should be forgotten? Time to make sense of Article 17 GDPR from the point of view of data controllers, by Pieter Van Cleynenbreugel

  1. The post is an acute reflection about an unclear question. The author’s consideration on the nature of the data controller seems to be the right approach to make the difference between erasure and oblivion (e.g. focussing on online news: erasure would apply to search engines and oblivion would apply to original sources). Linking with that, how is the right to oblivion integrated with the right to restriction of processing (article 18 GDPR)?

    J'aime

    1. From the point of view of data controllers, Article 18 GDPR at first sight seems to tolerate both oblivion and erasure. Its paragraph 2 allows processing for storage purposes, but this does not mean that such storage would be required. A closer reading, however, indicates that the data subject can ask for restricted processing instead of erasure and that the data controller can lift the restriction on processing. Both facets hint at a preference for erasure rather than oblivion. I still think one could understand Article 18 to tolerate, in certain circumstances, the full erasure of data, provided that the data subject consents to it in the context of unlawful processing. At the same time, I fully agree that more clarity is necessary regarding when and how such oblivion can be organised in light of the right to restrict data processing and how such specific consent is to be obtained.

      J'aime

      1. Thank you Cristina, Pieter for these very interesting comments. It appears to me that the issue you’ve raised, has to be considered in the context of the elaboration of article 17 GDPR. In the Commission’s proposal the right to restriction of processing was part of the article 17 entitled Right to be forgotten and to erasure. The creation of a specific article 18 relative to the right to restriction of processing is due to the Council of the European Union. My point is that the two approach, Pieter has described in his post illustrated the tensions between the Council and the Parliament during the negotiations of article 17 GDPR. See my post Thus, it would be very interesting to see what the G29 or the European Data protection Board will have to saw about that.

        J'aime

Laisser un commentaire

Entrez vos coordonnées ci-dessous ou cliquez sur une icône pour vous connecter:

Logo WordPress.com

Vous commentez à l'aide de votre compte WordPress.com. Déconnexion / Changer )

Image Twitter

Vous commentez à l'aide de votre compte Twitter. Déconnexion / Changer )

Photo Facebook

Vous commentez à l'aide de votre compte Facebook. Déconnexion / Changer )

Photo Google+

Vous commentez à l'aide de votre compte Google+. Déconnexion / Changer )

Connexion à %s