Article 17 of the EU Proposal for a General Data Protection Regulation offered a more analytical definition of the right to erasure provided by Article 12 of the Directive 95/46/CE. This provision has been misunderstood by many commentators and interpreted as a general right to delete personal information.
The central prescription of Article 17 recognizes “the right to obtain from the controller the erasure of personal data”, in a manner analogous to the above-mentioned Article 12 of the Directive 95/46/CE.
The EU proposal does not impose a general obligation to erase data managed by third parties, but requires only that third parties be informed that a data subject has requested to delete any links or copy or replication. Article 17 further restricts this obligation by introducing the notion of proportionality when it requires they take all “reasonable” steps to achieve its aim.
This duty to inform third parties represents the significant innovation of the EU Proposal and an adequate remedy in a context characterized by big players and by a massive exploitation of personal information. Here, the balance between the individual right to be forgotten and the “right to make profits” can not be found by requiring the data subjects to have an active role in searching for any information concerning them, which was spread on-line by the controller.
This innovative and updated version of the right to erasure seems to be drastically limited in the recent draft report on the proposed amendments to the EU Proposal General Data Protection Regulation, presented by Jan Philipp Albrecht.
This is the original wording of Article 17 (2):
Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.
This is the new wording of Article 17 (2):
Where the controller referred to in paragraph 1 has transferred or made the personal data public without a justification based on Article 6(1), it shall take all necessary steps to have the data erased, without prejudice to Article 77.
Since under Article 6 (1) the processing of personal is lawful if the data subject gave their consent and Article 17 (2) refers to data “transferred or made […] public”, we should conclude that the controller “shall take all necessary steps to have the data erased” only in the hypothesis in which the data was originally transferred or made public without the consent of the data subject.
In the most frequent case, in which there consent has been withdrawn by data subjects, the controller will erase the data exiting in their databases, but it seems not have any duty to inform third parties to which the data were transmitted.
Follow me on Twitter: https://twitter.com/mantelero