The European Data Protection Supervisor (EDPS) published last month an opinion about the European Commission’s Communication reviewing the EU legal framework for data protection. It discusses, among other topics, the introduction of personal data breach notification in EU law. The EDPS also declares it is in favor of introducing the right to data portability and the right to be forgotten in the EU legal framework.
The new legal framework must support an obligation to report security breaches
The EDPS supports the extension of the security breaches report obligation which is currently included in the revised ePrivacy Directive, as it is proposed in the Commission’s Communication.
As of now, the revised ePrivacy Directive only requires providers of electronic communication services to report security breaches; no other data controllers are covered by the obligation. The EDPS notes that “[t]he reasons that justify the obligation fully apply to data controllers other than providers of electronic communication services.” (§75)
Indeed, “[s]ecurity breach notification serves different purposes and aims. The most obvious one, highlighted by the Communication, is to serve as an information tool to make individuals aware of the risks they face when their personal data are compromised. This may help them to take the necessary measures to mitigate such risks,” such as changing passwords or canceling their accounts. (§76) Also, these notifications “contribute (…) to the effective application of other principles and obligations in the Directive. For example, security breach notification requirements incentivize data controllers to implement stronger security measures to prevent breaches,” and thus enhance data controllers’ accountability. Such notifications also serve as an enforcement tool for Data Protection Authorities (DPAs), since a notification may lead a DPA to investigate the overall practices of a data controller. (§76)
The new legal framework must support data portability and the right to be forgotten
The Communication vowed that the Commission would examine ways of complementing the rights of data subjects “by ensuring ‘data portability’, i.e., providing the explicit right for an individual to withdraw his/her own data (e.g., his/her photos or a list of friends) from an application or service so that the withdrawn data can be transferred into another application or service, as far as technically feasible, without hindrance from the data controllers.” (Communication, p. 8)
According to the EDPS, “Data portability and the right to be forgotten are two connected concepts put forward by the Communication to strengthen data subjects’ rights.” (§83) As “more and more data are automatically stored and kept for indefinite periods of time,” the data subject has very limited control over his personal data. The Internet has a “gigantic memory.” (§84) Also, “from an economic perspective, it is more costly for a data controller to delete data than to keep them stored,” and thus “[t]he exercise of the rights of the individual therefore goes against the natural economic trend.” (§84)
“Both data portability and the right to be forgotten could contribute to shift the balance in favour of the data subject” by giving him more control of his information. The right to be forgotten “would ensure that the information automatically disappears after a certain period of time, even if the data subject does not take action or is not even aware that the data was ever stored.” (§85) This “right to be forgotten” would ensure that personal data are deleted and, at the same time, it would be prohibited to “further use them, without a necessary action of the data subject, but at the condition that this data has been already stored for a certain amount of time. The data would in other words be attributed some sort of expiration date.” (§88)
This new “right to be forgotten” should be connected to data portability. (§89) Data portability is “the users’ ability to change preference about the processing of their data, in connection in particular with new technology services.” (§86) “Individuals must easily and freely be able to change the provider and transfer their personal data to another service provider.” (§87)
The EDPS considers that existing rights “could be reinforced by including a portability right in particular in the context of information society services, to assist individuals in ensuring that providers and other relevant controllers give them access to their personal information while at the same time ensuring that the old providers or other controllers delete that information even if they would like to keep it for their own legitimate purposes.” (§87)
Whether the right to be forgotten online will become part of the EU data protection framework remains to be seen. However, several EU countries recognize, or plan to recognize soon, such a right. Google argued last month in a Spanish court that deleting search results in order to respect the country’s right to be forgotten “would be a form of censorship.” France is considering recognizing such a right as the French Congress is in the process of implementing the reviewed ePrivacy Directive. As the deadline for implementing the directive, May 25, 2011, approaches, it will be interesting to see how many Member States actually add the right to be forgotten to their legal systems.