January 28, 2017

2018: the right to be forgotten by social media and search engines becomes law

The 28th of January 2017 is the Data Protection Day!

It is the right occasion to remember that 2018 will see the new General Data Protection Regulation becoming effective. Regulation (EU) 2016/679 will indeed apply from 25 May 2018. It shall introduce one single set of rules across Europe enabling EU privacy law to meet the speed of an increasingly fast technological world and digital operators to enact cost-efficient privacy practices for their businesses while safeguarding the privacy rights of people.

The General Data Protection Regulation will become effective in all EU States without the need of being transposed into national laws. 

In the meanwhile, EU Member States shall transpose the linked, albeit independent, Directive (EU) 2016/680 into their national law (by 6 May 2018). This Directive is another important legislative milestone for the protection of privacy rights, as it safeguards citizens’ fundamental right to data protection whenever personal data is used by criminal law enforcement authorities.

The new regulatory framework will:

·       Consolidate the “right to be forgotten”, particularly on social media: when users no longer want their data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted;

·       Easier people’s access to their own data: individuals will be entitled to receive more information on how their data is processed in a clear and understandable way;

·       Establish a right to data portability: it will be easier for data subjects to transfer personal data between service providers;

·       Establish the right to know when data has been hacked: companies and organisations shall notify the national supervisory authority of serious data breaches as soon as possible, in order for users to take appropriate measures. 

·       Establishing a ‘one-stop-shop’ system – a single data protection authority (DPA) would be responsible for a company operating in several countries (the DPA where the company has its main base);

Data protection officer for every non-SMEs;

·       Abolish unnecessary bureaucratic requirements such as notification obligations.

The “right to be forgotten” is already considered an important part of EU privacy law.

On 13 May 2014 the European Court of Justice acknowledged that European citizens already have the right to request internet search engines to remove search result directly related to them (C-131/12 – Google Spain and Google).

However, the Court’s judgment only concerned the right to be forgotten with respect to search engine results involving a person’s name.

The General Data Protection Regulation will increase the scope of such protection further on. Search engine operators will act under the supervision of the competent national data protection authority. National courts will have the final word on whether the freedom of expression will prevail over the right to personal data protection under a case-by-case approach.

Member States law are mandated by the General Data Protection Regulation to reconcile the rules governing freedom of expression and information, including journalistic, academic, artistic and or literary expression with the right to the protection of personal data pursuant to the Regulation itself.