U.S. Concern about the European Right to Be Forgotten and Free Speech: Much Ado About Nothing?

Contents: 1. Introduction. – 2. The right to be forgotten in Europe. – 3. The right to be forgotten in the U.S. – 4. The EU Proposal for a General Data Protection Regulation. – 5.
False perspectives and real problems.

1. – After the official presentation of the EU Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), various opinions of lawyers and law scholars have been published in U.S. newspapers, legal blogs and law reviews. Many of these do not consider the entire framework of the new provisions and seem to use the rhetorical figure of synecdoche, considering a part (the right to be forgotten) for the
whole.

Read the full paper here

 

Data Protection in a Global World

The initial approach to data protection was local, different countries adopted specific legislative measures, and in some cases concerned only specific sectors characterized by a high need for data protection. This approach is no more adequate in a world where data flows across national boundaries many times a second, and in the context of big data, where it is not possible to define in advance which kind of information is relevant and sensible.

Read the full article here (pdf format)

A working paper on Big Data

In our society, information has assumed a fundamental role in every decisional and social process. Governments and big private companies collect huge amounts of data that represent a strategic and economically relevant asset. The predictive relevance of big data management and the global dimension of this phenomenon has led us to reflect on the nature and the dynamics of a centralized power held by only a few subjects. The increasing power that derives from big data necessitates the adoption of adequate remedies to control and limit the information asymmetries and their consequences in terms of economic advantages and social control. From this perspective it is important to adopt adequate measures to control those who have this power, in order to limit possible abuse and illegitimate advantages, and, at the same time, to increase access to information, in order to spread informational power.

Mantelero, Masters of Big Data: Concentration of Power Over Digital Information, in Social Science Research Network (http://www.ssrn.com/)

The EDPS criticisms on the Proposal for a Directive amending Directive 2003/98/EC on re-use of public sector information (PSI)

The EDPS expressed an opinion on the Proposal for a Directive amending Directive 2003/98/EC on re-use of public sector information (PSI), observing that the authority has not been consulted as required by Article 28(2) of Regulation (EC) 45/2001 and that “this is regrettable in view of the large amount of personal data potentially concerned by this initiative”.

According to the EDPS, although the public sector information can be publicly available, the information referred to an identified or identifiable natural person remains subject to the prescriptions of data protection law.

EDPS remarked that “increased accessibility of information may also increase the risks of misuse of personal data” and, from this perspective, expressed different criticism to the proposal.

As observed by many legal scholars, the critical aspect concerning the re-use of personal data concerns the limit imposed by the Article 6 (1) (b) of the Directive 95/46, which provides that personal data should be collected for specified, explicit and legitimate purposes and “not further processed in a way incompatible with those purposes” (see in the same sense the article 5 (b) of the recent Proposal for a General Data Protection Regulation). Regarding to this aspect the EDPS affirmed that “the challenge is to clearly define in advance the personal data that could be made publicly available and the appropriate data protection safeguards which ensure legal certainty while allowing innovation and reuse for any (lawful) purpose”.

Considering that the legal framework for data protection is currently under review, the Authority suggested to take into account concepts such as privacy by design and accountability and procedural solutions such as data protection impact assessments.

In this perspective, the EDPS has given specific recommendations with regard to various provisions of the Proposal for a Directive amending Directive 2003/98/EC.

The EDPS recognized a fundamental role to the license conditions in order to guarantee the respect of the principle of the Directive 95/46 when the data are re-used, to introduce appropriate contractual clauses to permit the trans-border data flow and to prohibit re-identification of individuals where the data should be fully or partially anonymized.

Finally, the EDPS considered that the proposal should be modified in order to require that “an assessment be carried out by the public sector body concerned before any PSI containing personal data may be made available for reuse”.

The Spanish Audiencia Nacional refers a complaint against Google to European Court of Justice.

The original case was decided by Spanish Data Protection Authority in 2010 and concerned a claim based on the right to be forgotten with regard to some information appeared on a Spanish newspaper and made searchable on line by Google. The DPA issued a resolution against Google Spain SL and Google Inc “urging the agency to take steps to remove its index data and precludes future access to the same”. This decision has been appealed by Google Inc and Google Spain. During the following process, the court has raised some prejudicial questions to European Court of Justice regarding these topics:

– the application of national law on data protection to a non-EU company providing search engine services;

– the role assumed by these non-EU companies in data processing

– the protection of the right to be forgotten.

Here the decision.

CNIL: Google’s new policy seems not meet the requirements of the European Directive on Data Protection

On 27 February 2012, in a letter addressed to Google Inc. CEO Larry Page, the French DPA (CNIL) affirmed that “preliminary analysis shows that Google’s new policy does not meet the requirements of the European Directive on Data Protection (95/46/CE), especially regarding the information provided to data subjects“.

The DPA observed that the new privacy policy provides only general information about all the services and types of personal data Google processes and “it is impossible for average users who read the new policy to distinguish which purposes, collected data, recipients or access rights are currently relevant to their use of a particular Google service“.

In the opinion of the DPA”the fact that Google informs users about what it will not do with the data (such as sharing personal data with advertisers) is not sufficient to provide comprehensive information either“. The DPA considered that more information should be given to the data subject on service and the purpose of the processing for which the data are collected.

The DPA considered that further information should be provided to the person concerned in the service and the purposes for which data are collected.

The letter ended by stating that “The CNIL and the EU data protection authorities are deeply eoneerned about the combination of personal data across services: they have strong doubts about the lawfulness aud fairness of such processing, and about its compliance with European Data Protection legislation, especially with articles 6 and 7 ofthe Data Protection Directive“.

On 2 February 2012, the Article 29 Working Party invited the CNIL to take the lead in the analysis of Google’s new privacy policy.