The Right to Be Forgotten

Just as bricks and mortar were the backbone of the old economy, personal data—including names, addresses, bank details, buying habits, credit references and Facebook “likes”—may be the stuff of the new.

Which is why a new directive is attempting to meet the onslaught of digital information, and to regulate its collection and transfer.

“When the first Data Protection Act came into force, the whole area was regarded as a geek’s tea party,” says Magnus Boyd, a data protection and privacy lawyer with PSB Law. “As information becomes more valuable, there’s a commensurate importance in protecting it.”

The current European Union Data Protection Directive came into force in 1995 when less than 1 per cent of Europeans had access to the Internet. Starting in 2016, a new directive will be in place that obliges companies to be more transparent about the data they hold. It will also place restrictions on the export of personal data outside of the EU, and bestow on individuals a “right to be forgotten”—i.e. the right to have their personal data deleted when a company has no legitimate grounds for retaining it. It will empower regulators to impose heavy fines on companies in breach.

The explosion of social media, along with concerns around the activities of the press that culminated in the Leveson Inquiry, have recast notions of what belongs in public and private space; but the issues themselves are hardly new. “In Europe there are two generations of lawyers for whom this is very familiar territory,” says Clive Gringras, head of the technology department at law firm Olswang, who points out that there has been legislation governing the use of data in Europe since 1981.

Data protection is a very different matter in Europe than it is in the United States. In the latter, says Gringras, “a vertical model of regulation targets specific industry sectors, such as financial services or healthcare. But ultimately powerful [corporate players] are in a strong position and can set their own terms; if their customers don’t like those terms, they can go elsewhere.”

He contrasts this with Europe where “Data protection laws are horizontal—they apply across the board regardless of industry sector. If you collect or possess personal data, you’re subject to the law.”

But if the law is more all-encompassing in Europe, it is also more weakly applied. In the US, Google’s circumvention of a Federal Trade Commission (FTC) privacy order resulted in a $22.5 million fine last August. Three months later, in the UK, Prudential was fined £50,000 by the Information Commissioner’s Office for confusing the records of two customers with the same name. It was the upper ceiling that the Information Commissioner was able to impose.

That’s changing. Under the new directive, that ceiling will stand at €1 million—or up to 2 per cent of a company’s worldwide annual turnover—and companies will be required to inform supervising authorities of serious data security breaches within 24 hours of occurrence.

“It should not surprise businesses that are seeking access to the money of European consumers that they will be bound by a strict regime controlling the way that they handle the data pertaining to those individuals,” says Gringras.

The legislation is by no means all bad for business. Companies benefit insofar as it frees them from some current obligations, such as notifying data-protection bodies that the company is undertaking data-protection-related activities. It also permits them to deal with a single data-protection authority in the EU member state in which they have their main establishment. But it also enhances the requirement for vigilance because the penalty for breach is so high.

Perhaps more fundamentally, by creating new rights for individuals—including facilitating the right to access data about them, and to transfer that data from one service provider to another—the new regime could restore public trust.