Data Protection: A Computer Never Forgets!

The EU is currently in negotiation with Member States over a General Data Protection Regulation, which is intended to rebalance the relationship between the individual and the internet and which includes an initiative to enable anyone to request that their personal details be deleted from online service providers. Not for the first time, the Ministry of Justice appears to be clashing with Brussels, and accordingly it’s looking more likely that Britain will opt out.

Current data protection legislation permits organisations to collect and store personal data only if, and for as long as, it is strictly necessary and proportionate for the purpose for which it is being stored. Individuals also have a right to request access to that information. This right would be expanded much further under the new Regulation, allowing individuals to force organisations to delete personal data they hold.

The suggestion from the EU Justice Commissioner’s Office is to create a right to be forgotten and to implement fines of up to 2% of global turnover for those companies that refuse to comply with requests to erase customers’ personal details. Once an individual has requested data to be deleted, the burden of proof will lie with the data controller to show that the data is needed. Such a right would not extend to journalistic archives, comments on articles or posts by bloggers – in an attempt to preserve freedom of expression. Viviane Reding, the EU Justice Commissioner, has stated that the Regulation will replace contradicting laws across the EU’s 27 states with one mechanism and that this should save around £1.9bn a year – quite an incentive! As a Regulation it would be directly applicable without the need for implementing national legislation. However, one potential issue concerns how the national regulatory bodies will put this Regulation into place. It is not inconceivable that there may be differences in enforcement procedures, which could lead to companies ‘forum shopping’ as to where they centralise their decision-making.

The focus here is the usual balancing act between the freedom of expression and privacy, with the main impetus being the increase in complaints that online reputation is being significantly damaged by outdated, malicious or inaccurate information which cannot be removed. Such complaints are more regularly targeted against social media companies. The Regulation attempts to provide more accountability for those companies involved in data processing. This effectively means the creation of a culture of monitoring, reviewing and assessing data processing procedures. All of this should, in the eyes of the EU, reduce the unauthorised retention of data.

A survey carried out by the University of Berkeley, California, has found that 84% of 18 to 24 year olds support the right to be forgotten, which seems to indicate that there is a strong consensus amongst those born into the digital age that internet companies have too much power over their data.

Why is Britain opposing this?

The MoJ has expressed concern that the proposals are unrealistic and unfair, as they impose “potentially impossible requirements for data controllers to manage third-party erasure”. The concern is that it may sometimes be a Herculean task to erase every trace of data once an individual has shared it online. The Regulation appears to require organisations to completely delete the personal data, unless they can justify its retention, but there is little guarantee that this could always be achieved. Therefore, it could impose onerous or impossible obligations on organisations.

The final draft of the Regulation is eagerly awaited and, for whatever reason, the final implementation and outcomes of this Regulation are unlikely to be forgotten!


CNIL, the French Data Protection Regulator, which had been leading an investigation into Google’s new privacy policy on behalf of the Article 29 Working Party, published its findings and recommendations in October 2012. CNIL gave Google three to four months to make the necessary changes in order to ensure that the new policy, a consolidation of over 60 of its privacy policies, complies with the requirements set out in the Data Protection Directive (1995/46/EC). CNIL announced earlier this month that, in response to Google’s failure to implement any significant compliance measures, further investigations will be carried out by the Data Protection authorities of France, Germany, Italy, the Netherlands, Spain and the UK in order to determine whether the policy is compliant with their own national legislation. In the UK, the ICO has confirmed that it will be carrying out further investigation as to whether Google’s privacy policy is compliant with the Data Protection Act 1998.

This article was written by Paul Herbert, Partner, Media with assistance from Chris Smith.

This guide is for general information and interest only and should not be relied upon as providing specific legal advice. If you require any further information please contact the author or call 0207 404 0606 and ask for your usual Goodman Derrick contact.