The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

French DPA Launches Public Consultation on Right to Be Forgotten

The French DPA, the (CNIL), launched on May 30 a public consultation on the right to be forgotten. As noted, in French, on the CNIL’s website:

The draft European Regulation would establish the principle of a digital “right to be forgotten” which would allow us to better control our online life. This new right would be exercised in respect of freedom of expression, the right of the press and the duty of memory. In this context, the CNIL has launched an online consultation about this right, which is often cited but whose contours remain unclear. In parallel, the CNIL also will consult professionals concerned with this issue. “

Some Questions Asked by the CNIL

Here are some of the questions individuals may choose to answer.

The CNIL asks individuals if they have ever published on the Internet their email, name, photographs or videos representing them, or if they have published personal information on a social network, such as their address or geolocation. The CNIL also asks individuals if they regularly check how their personal information is disseminated on the Internet.

The CNIL also asks individuals if they have ever found that information about themselves has been posted on the Internet without their consent, and if such dissemination of personal data has had negative consequences for them, whether it be on their personal life, professional life, or both. Participants may also share whether they have tried to remove or have removed this information, or have tried to remove or have removed this information on behalf of their minor children.

The CNIL also asks participants to share their opinion about the right to be forgotten. Do they think that this right constitutes the ability to erase one’s digital traces such as cookies, the ability to delete negative information about oneself, or the ability to control everything that is said about oneself, or even a form of Internet censorship?

The CNIL also asks whether individuals would like to be able to choose to index in search engines the information they post, or to de-reference information from a search engine once the information has been removed from the original site, or if websites should offer the opportunity to set “expiration dates” for one’s own publications, such as social networks posts.

The European Union Proposal Would Provide a Right to Be Forgotten

Article 17 of the Proposal would provide the data subject a right to be forgotten and to erasure. Article 12(b) of Directive 95/46/EC already provides such right. The data controller must, at the request of the data subject rectify, erase or block data which does not comply with the Directive, particularly if the personal data is incomplete or inaccurate.

The new Regulation would expand that right. The controller would have the obligation to inform third parties which are processing data of the data subject’s request to have any links to, or copies, or replications of that personal data, erased.

The debate on the right to be forgotten is open. The European Network and Information Security Agency (ENISA) published a report on the topic in November 2012. It states that the right to be forgotten would require defining the scope of personal data. ENISA asked whether personal data should include information that can be used to identify a person “with high probability but not with certainty” such as a picture of a person, or if it should include information identifying a person “not uniquely, but as a member of a more or less small set of individuals, such as a family.”

ENISA also pointed out the importance of clarifying who has the right to ask for deletion of personal data, and why this is needed. The report gives as example a photograph representing Bob and Alice. If Alice wants the picture to be “forgotten,”but not Bob, who should have the right to final decision? In the US, many believe that the right to be forgotten may be a threat to freedom of expression.

The results of the public consultation will be published on the CNIL’s site. We’ll keep you posted.

Leave a comment

The European Data Protection Supervisor on data breaches, data portability, and the right to be forgotten


The European Data Protection Supervisor (EDPS) published last month an opinion about the European Commission’s Communication reviewing the EU legal framework for data protection. It discusses, among other topics, the introduction of personal data breach notification in EU law.  The EDPS also declares it is in favor of introducing the right to data portability and the right to be forgotten in the EU legal framework.


The new legal framework must support an obligation to report security breaches


The EDPS supports the extension of the security breaches report obligation which is currently included in the revised ePrivacy Directive, as it is proposed in the Commission’s Communication.


As of now, the revised ePrivacy Directive only requires providers of electronic communication services to report security breaches. However, no other data controllers are covered by the obligation. The EPDS notes that “[t]he reasons that justify the obligation fully apply to data controllers other than providers of electronic communication services.” (§75)


Indeed, “[s]ecurity breach notification serves different purposes and aims. The most obvious one,

highlighted by the Communication, is to serve as an information tool to make individuals

aware of the risks they face when their personal data are compromised. This may help them to take the necessary measures to mitigate such risks,” such as changing passwords or canceling  their accounts. (§76) Also, these notifications “contribute (…) to the effective application of other principles and obligations in the Directive. For example, security breach notification requirements incentivize data controllers to implement stronger security measures to prevent breaches,” and thus enhance data controllers‘accountability. Such notifications also serve as a tool for the enforcement by Data Protection Authorities (DPAs), as such notification may lead a DPA to investigate the overall practices of a data controller. (§76)


The new legal framework must support data portability and the right to be forgotten


The Communication vowed that the Commission would examine ways of complementing the rights of data subjects “by ensuring ’data portability’, i.e., providing the explicit right for an individual to withdraw his/her own data (e.g., his/her photos or a list of friends) from an application or service so that the withdrawn data can be transferred into another application or service, as far as technically feasible, without hindrance from the data controllers.” (Communication, p.8)

According to the EDPS, “Data portability and the right to be forgotten are two connected concepts put forward by the Communication to strengthen data subjects’ rights.”(§83)  As “more and more data are automatically stored and kept for indefinite periods of time, “the data subject has very limited control over his personal data. The Internet has a “gigantic memory.” (§84) Also, “from an economic perspective, it is more costly for a data controller to delete data than to keep

them stored,” and thus [t]he exercise of the rights of the individual therefore goes against the natural economic trend.” §(84)


“Both data portability and the right to be forgotten could contribute to shift the balance in

favour of the data subject” by giving him more control of his information. The right to be forgotten “would ensure that the information automatically disappears after a certain period of time, even if the data subject does not take action or is not even aware that the data was ever stored.”(§85) This "right to be forgotten" would ensure that personal data are deleted and at the same time it would be prohibited to “further use them, without a necessary action of the data subject, but at the condition that this data has been already stored for a certain amount of time. The data would in other words be attributed some sort of expiration date.” (§88)


This new "right to be forgotten" should be connected to data portability. (§89) Data portability is “the users’ ability to change preference about the processing of their data, in connection in particular with new technology services.”(§86)  “Individuals must easily and freely be able to change the provider and transfer their personal data to another service provider.”(§87)


The EDPS considers that existing rights “could be reinforced by including a portability right in particular in the context of information society services, to assist individuals in ensuring that providers and other relevant controllers give them access to their personal information while at the same time ensuring that the old providers or other controllers delete that information even if they would like to keep it for their own legitimate purposes.” (§87)


Whether the right to be forgotten online will become part of the EU data protection framework remains to be seen. However, several EU countries recognize, or plan to recognize soon, such a right. Google argued last month in a Spanish court that deleting search results, in order to respect, the country’s right to be forgotten, "would be a form of censorship." France is considering recognizing such a right as the French Congress is in the process of implementing the reviewed ePrivacy Directive. As the deadline for implementing the directive, May 25, 2011, approaches, it will be interesting to see how many Member States actually add he right to be forgotten to their legal systems.