Fundamentals of IT Law: Data Protection and the Right to be Forgotten

Slides from Università Politecnica delle Marche on the Fundamentals of IT Law. The PDF covers key GDPR articles on transparency in personal data collection, the statistical landscape of de-referencing requests, and the importance of delisting information from search engines, for university law students.


Fundamentals of IT Law
Prof. Roberto Ruoppo
Facoltà di Economia “Giorgio Fuà”
www.univpm.it


Privacy Protection

Transparency must be ensured when personal data are collected from the data subject.

Art. 13 of EU GDPR provides that where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with the following information:

  • identity and contact details of the controller;
  • the contact details of the data protection officer (DPO);
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • the period for which the personal data will be stored;
  • the existence of the right to withdraw consent at any time

Privacy Protection in EU GDPR

Violation of Personal Data

When can a violation be considered to have occurred? A violation of personal data can be ascertained in case of:

  • Theft
  • Illegal access
  • Damage to reputation
  • Loss of confidentiality of personal data protected by professional secrecy

Consequences of Personal Data Violation

Consequences in case of violation (which should be avoided because of the irreversible effect of a personal data breach):

  • A complaint should be addressed to the National Authority of Protection of Personal Data (in Italy, the "Garante") by the controller
  • A complaint can also be notified by the data subject to the National Authority or to the judicial authority

Claiming Personal Data Violation

The person whose data have been violated can bring a claim before the National Authority of Protection of Personal Data or before domestic judicial authorities. There are therefore two different proceedings: i) administrative; ii) judicial.

CJEU, 12 January 2023 (Nemzeti Adatvedelmi) focused on the relationship between administrative and judicial proceedings. They are concurrent, so the claimant can pursue parallel proceedings. Is the decision rendered first binding on the second one? What is their relationship?

CJEU, 12 January 2023 (Nemzeti Adatvedelmi) Decision

Decision: the GDPR provides different proceedings in order to ensure observance of the GDPR

  • Civil and administrative proceedings are not alternatives to each other: the claimant can use both;
  • There is no hierarchy between those proceedings;
  • This means that a decision previously given by one of these authorities is not binding on the second one

Protection for Data Subject Complaints

What protection can the data subject obtain when filing a complaint?

  • When the complaint is notified to the National Authority, the latter must answer in three months
  • When the complaint is notified to the judicial authorities, compensation for damages can be obtained: for economic loss (for example, people who work with their image); for non-economic loss connected to moral damages suffered in connection with the unlawful use of personal data

Data Protection Officer (DPO)

He or she is the person responsible for monitoring compliance with privacy protection rules

  • This role is particularly relevant in public bodies: every public administration has the duty to select a DPO
  • The DPO must meet all the requirements needed to guarantee the effectiveness of its monitoring activity: expertise; independence; independent resources; there must be no conflict of interests
  • It is the person citizens can refer to whenever privacy issues arise
  • The DPO's identity and contact details must be provided before citizens provide their data, and must be published on the public body's website

Sanctions for Non-Compliance

Sanctions that can be applied to enterprises and public administrations. Severe penalties can be applied to entities that are not compliant with privacy rules: administrative and criminal sanctions

  • These sanctions can amount to: 10 million euro;
  • Or 2 or 4 per cent of the enterprise's turnover if higher than 10 million

Right to be Forgotten

Right to be Forgotten (Art. 17 EU GDPR)

Art. 17: «The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
  • the data subject withdraws consent on which the processing is based
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing»

Limitations of the Right to be Forgotten

The right to be forgotten cannot be applied to the extent that processing is necessary (Art. 17, para. 3 EU GDPR):

  • for exercising the right of freedom of expression and information
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

It means that the decision concerning the removal (when directly made by the web search engine or when ordered by an administrative or judicial authority) requires a balance

Origin of the Right to be Forgotten

It is a right that was first created by judicial authorities, because there was no normative provision. It was first mentioned in France by judicial authorities (1965 and 1970) as a complement to the right to privacy.

Despite the lack of a provision establishing this right (until EU Directive 95/46 and then the GDPR), it has been recognised as crucial by virtue of its link with the protection of personality.

It can be defined as the right to control our own personal life, a component of digital self-determination

Expression of Personality

Why is it considered to be an expression of personality?

  • Everyone has the right to see his or her data updated and completed
  • In case of an unfortunate incident, everyone has the right not to be associated with it
  • Everyone has the right to enjoy his or her personal or social development with the consequent social reintegration

Balancing with Online Relationships

It needs to be balanced against the features of online relationships: the internet represents a timeless archive of data. Once something has been uploaded to a website it can always be searched and found.

The internet is a field without borders, where the activity of web search engines is aimed at collecting and organising information uploaded worldwide, giving access to all internet users

Statistical Landscape of De-referencing Requests

Statistical landscape: de-referencing or delisting requests are addressed to Google, for example, in order to delete information provided by:

  • News websites (19%)
  • Social networks, such as Facebook or Instagram (the majority)
  • Third-party content providers (YouTube)

Importance of Delisting

Delisting information from a web search engine is different from the right to obtain the removal of personal data from a specific website.

A web search engine can be more harmful than a single website in terms of the spread of information.

The removal of information from a single website might not be enough if the person involved finds his or her name associated with a specific event when it is searched through a web search engine; on the other hand, delisting information from a web search engine does not necessarily require removal by the single website controller (e.g. when the publication is legal)

Statistical Landscape: Inadequate and Professional Information

Statistical landscape:

  • 23.6% of requests are about inadequate information: they are made in order to complete or clarify some personal information
  • 17.8% of requests are about professional information

Balancing with the Right of Information

The right to be forgotten naturally implies the need to balance it with the right of information. The right of information is also protected by fundamental provisions (e.g. Art. 10 ECHR, Art. 11 of the European Union Charter of Fundamental Rights)

  • This is because the freedom of expression also protects the right to be informed
  • The internet is a timeless archive where the right to data access can be limitless and freely exercised

We have a competition between fundamental rights and freedoms in the same normative hierarchical position

CJEU, Google Spain 2014

It represented a crucial moment in regulating the right to be forgotten: from 29 May 2014 Google introduced an «official request process» (an internal procedure aimed at evaluating data subjects' requests concerning the application of this right).

The right to be forgotten operates through the duty imposed on web search engines to delist the information that is the object of a request by the data subject: delisting from a web search engine is a different right from the right to ask for removal
