First guidelines of the EU data protection authorities after the ECJ Safe Harbour judgment

Yesterday, the EU data protection authorities (hereafter DPAs) assembled in the Article 29 Working Party made a first statement on the ECJ decision on the Safe Harbour agreement and defined the further steps to be taken by data protection authorities.


Here are the main points of the statement:

  1. DPAs urge Member States and the European institutions to conclude a new intergovernmental agreement between the EU and the US. Nevertheless, this time, the agreement should provide adequate solutions in terms of data protection, which should be assisted “by clear and binding mechanisms and include at least obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights”.
  2. The Article 29 Working Party will continue the analysis of the impact of the ECJ judgment on the other transfer tools (i.e. Standard Contractual Clauses and Binding Corporate Rules), which can still be used by companies, until the definition of the new legal framework.
  3. In any case, DPAs will be able to investigate particular cases of trans-border data flows that are based on the transfer tools mentioned above.
  4. Ultimatum: “If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”.

DPAs clearly point out that, after the ECJ judgment, data transfers that are still taking place under the Safe Harbour decision are unlawful. In this light, the authorities will run an adequate communication campaign to ensure that all stakeholders are sufficiently informed on the effects of the ECJ decision.


A brief comment on the statement

First, European DPAs urge EU and US authorities to make a new and fair agreement for data transfer between the two sides of the Atlantic.

Second, companies should move from the Safe Harbour system to different transfer tools, which are based on contractual agreements or co-regulation (i.e. Standard Contractual Clauses and Binding Corporate Rules).

Finally, it should be pointed out that the regional German DPA of Schleswig-Holstein has already expressed a negative opinion on the use of the standard contractual clauses to solve the problem of the EU-US data transfer. Nevertheless, the Schleswig-Holstein authority is known for its rigorous interpretation of data protection rules and its position may not be adopted by the other DPAs.

Finding a solution to Google’s dilemma on the “right to be forgotten”, after the “political” ECJ decision.

The decision of the European Court of Justice on the Google case has re-opened the debate on the importance of remembering and forgetting in the digital age. Legal scholars, columnists and experts have either agreed with the position of the court on the right to be forgotten or, on the contrary, criticised the decision as an attempt to limit the freedom of expression.

Now, the dust is settling and the first “transparency report” published by Google shows a limited effect of removals on freedom of expression, although the report presents only a small amount of aggregated data.

For this reason, the time has come to assess the long-term effect of the decision.

From this perspective, the consequences should not be overestimated. This is not a decision on the right to be forgotten, since the news is still available in newspaper archives. It concerns the worldwide access via search engines to online information.

Nor is it a decision against the freedom of expression, since the court explicitly required a balancing test between individual rights and access to information.

Nevertheless, it is a controversial decision. It transforms each search engine into a judge, which should decide when the freedom of expression prevails and in which cases “the publicity goes to unreasonable lengths in revealing facts about one who has resumed the private, lawful and unexciting life led by the great bulk of the community”, as stated by the 2nd Restatement Torts, in the US.

The critical aspect is not the private nature of the company that makes the balancing test. In a number of legal systems across Europe, the same balancing test is used by media companies in cases regarding privacy, right to be forgotten or defamation. However, in those cases, the test is made by journalists, who take responsibility for checking the facts they publish and have the professional skills to make the above-mentioned test.

On the contrary, Google, as well as any other search engine, neither investigates and checks the facts, nor has the professional expertise of a media company.

For this reason, I consider this mainly a “political” decision, in the sense that it pertains to citizens (from Greek polítes “citizens”). Remembering and forgetting are fundamental aspects of our individual and social life, and the balance between remembering and forgetting has a substantial impact on our digital society (Mayer-Schönberger, V. 2011).

In spite of that, the decision has pointed out the direction, but has not built the path.

The direction is represented by the strong support for the data subject’s rights (“the data subject’s rights protected by those articles [7 and 8, Charter of Fundamental Rights of the European Union] also override, as a general rule, that interest of internet users [in having access to information]”) and, more specifically, by the support for the right to erasure of personal information that has not been “fairly and lawfully” processed. This is not a new right, as it has been portrayed in various comments, but an already existing right, which has been recognized both by European law and national courts in Europe.

Even though the direction has been defined, the technical solution provided by the courts (the “path”) is still inadequate. It should be noted that the reason for this lies in the fundamental inadequacy of the existing legal framework. This was written during the 90’s and now it has to address the issues arising from a completely different digital environment.

From this perspective, the decision puts the trade-off between remembering and forgetting at the centre of the debate and it (hopefully) prompts a reconsideration of the provisions of Article 17 of the EU Proposal for a General Data Protection Regulation. This is the “political” value of the decision.

In the light of the above, the future EU regulation should consider the peculiar nature of search engines as data controllers. It should introduce an ad hoc legal provision, which excludes the direct enforcement of the right to erasure carried out by data controllers and requires a complaint made directly to a court or data protection authority (DPA). This prevents search engines from playing the (improper) role of judges in these cases.

At the same time, this provision should also impose on data controllers the temporary removal of the links in dispute, when they receive a motivated request from a data subject. This “freeze” of the link will be maintained for a short period of time (e.g. 20-30 days). If the data subject does not take legal action within this time, the link will be reactivated and no legal action can be taken in the future for the same link, except in the case of a change in the surrounding circumstances.

The added value of this approach is represented by the fact that it combines a short temporary restriction to information access with a model based on a decision adopted by a court or DPAs, not by a private entity.

On the other hand, there are still some aspects that need to be further investigated and improved. They regard the above-described process and the related need to track the requests. Nevertheless, this seems to be an easy-to-solve problem considering that the solution should be implemented by the major IT companies.

A few notes about the Google case and the right to be forgotten

The decision of the Court of Justice of the European Union reopens the debate on the right to be forgotten (see Mantelero, 2013).

The Court has affirmed:

“As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.”

The most controversial aspect of the decision is the evaluation of the opposing interests (right to be forgotten vs freedom of expression). (Zittrain, 2014)

The Court suggests that “supervisory authority or judicial authority” may order search engines “to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages published by third parties containing information relating to that person”. Nevertheless, the provisions of Directive 95/46/EC do not exclude that the request can be made directly by the data subject to data controllers (i.e. search engines). In this case, to avoid lawsuits and claims for damages, search engines should promptly perform a balancing test of the interest of the person in his or her privacy versus the interest of the public at large in being informed, but this kind of test should be made by judicial authorities or DPAs and not by a private company.

In the past, DPAs ordered media to modify the robots.txt file in order not to make specific contents indexable by crawlers of search engines. In those cases, a prior balancing test may also be conducted by publishers, which have professional skills and the duty to check the newsworthiness of the news. For this reason, publishers are in a better position than search engines to balance the opposing interests.

Anyway, the positive aspect of this decision is that it prompts a positive reconsideration of Article 17 of the EU Proposal for a General Data Protection Regulation, which is clearer than the scenario depicted by this decision. This provision admits a specific exception for freedom of expression and recognizes the role played by courts and regulatory authorities in deciding which data must be erased. Finally, it empowers the Commission to define detailed procedures and solutions to delete personal information.

Giving a “political” interpretation to the decision, it seems an anticipation of the provisions of the EU Proposal, although made in a way that should induce lobbies to reconsider their opposition to the “right of erasure” defined in the Proposal.

NSA: The Google request

Docket No. Misc. 13-03
Pursuant to 28 U.S.C. § 2201 and Foreign Intelligence Surveillance Court (“FISC”) Rule of Procedure 6(d), Google Inc. (“Google”) respectfully moves this Court for a declaratory judgment that Google may disclose statistics regarding Google’s receipt of orders issued by this Court, if any, without violating the Foreign Intelligence Surveillance Act (“FISA”) or the FISC Rules of Procedure.

Competitive value of data protection: the impact of data protection regulation on online behaviour


  • The increasing demand from individuals to have their privacy respected or to take decisions about the management of their information assumes a significant role in business activities and it becomes an important element for building public trust in service providers.

  • In this scenario, keeping the focus of data protection only on the individual and his or her decisions is no longer adequate. If legislators consider data protection as a fundamental right, it is necessary to reinforce its protection in order to make it effective and not conditioned by the asymmetries which characterize the relationship between data subject and data controllers.

  • This aim is implemented by the EU proposal by means of three different instruments: data protection impact assessment, privacy by design/by default solutions, and the data minimization principle.

  • The competitive value of data protection can be assured and enhanced only if the user’s self-determination over personal data is guaranteed. From this point of view, countering the phenomena of data lock-in and ‘social’ lock-in is fundamental in order to offer privacy-oriented and trustworthy services, which increase user propensity to share data and stimulate the digital economy and fair competition.

International Data Privacy Law (2013), Oxford University Press

[electronic pre-print version]

The EU Proposal for a General Data Protection Regulation and the roots of the ‘right to be forgotten’


The EU Proposal for a General Data Protection Regulation has caused a wide debate between lawyers and legal scholars and many opinions have been voiced on the issue of the right to be forgotten. In order to analyse the relevance of the new rule provided by Article 17 of the Proposal, this paper considers the original idea of the right to be forgotten, pre-existing in both European and U.S. legal frameworks. This article focuses on the new provisions of Article 17 of the EU Proposal for a General Data Protection Regulation and evaluates its effects on court decisions. The author assumes that the new provisions do not seem to represent a revolutionary change to the existing rules with regard to the right granted to the individual, but instead have an impact on the extension of the protection of the information disseminated on-line.


The right to be forgotten partially erased in the new draft of the EU Proposal on Data Protection

Article 17 of the EU Proposal for a General Data Protection Regulation offered a more analytical definition of the right to erasure provided by Article 12 of Directive 95/46/EC. This provision has been misunderstood by many commentators and interpreted as a general right to delete personal information.

The central prescription of Article 17 recognizes “the right to obtain from the controller the erasure of personal data”, in a manner analogous to the above-mentioned Article 12 of Directive 95/46/EC.

The EU proposal does not impose a general obligation to erase data managed by third parties, but requires only that third parties be informed that a data subject has requested to delete any links or copy or replication. Article 17 further restricts this obligation by introducing the notion of proportionality when it requires they take all “reasonable” steps to achieve its aim.

This duty to inform third parties represents the significant innovation of the EU Proposal and an adequate remedy in a context characterized by big players and by a massive exploitation of personal information. Here, the balance between the individual right to be forgotten and the “right to make profits” cannot be found by requiring the data subjects to have an active role in searching for any information concerning them, which was spread on-line by the controller.

This innovative and updated version of the right to erasure seems to be drastically limited in the recent draft report on the proposed amendments to the EU Proposal General Data Protection Regulation, presented by Jan Philipp Albrecht.

This is the original wording of Article 17 (2):

Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.

This is the new wording of Article 17 (2):

Where the controller referred to in paragraph 1 has transferred or made the personal data public without a justification based on Article 6(1), it shall take all necessary steps to have the data erased, without prejudice to Article 77.

Since under Article 6 (1) the processing of personal data is lawful if the data subject gave their consent and Article 17 (2) refers to data “transferred or made […] public”, we should conclude that the controller “shall take all necessary steps to have the data erased” only in the hypothesis in which the data was originally transferred or made public without the consent of the data subject.

In the most frequent case, in which consent has been withdrawn by data subjects, the controller will erase the data existing in their databases, but it seems not to have any duty to inform third parties to which the data were transmitted.
