EU Regulating Privacy: What Is the Point?

-- By ClementLegrand - 03 Nov 2016


On the 27th of April 2016, the European Union officially published the General Data Protection Regulation (GDPR), replacing a directive dating back from 1995. This regulation intends to regulate, as from the 25 may 2018, the processing (i.e. any operation which is performed on personal data) of personal data (i.e. any information relating to an identified or identifiable natural person) in Europe (2). The European Union opted for one single normative instrument to regulate every kind of uses of personal data. This approach raises several questions. Perhaps the most important one is: how does this regulation achieve protecting privacy?

Autonomy, Right to be forgoten

GDPR: Protecting the autonomy of data subjects

Privacy is a complex notion. It protects several aspects of an individual's personality. Among these aspects, the ones most commonly invoked are the following: the autonomy, the secrecy, and the anonymity of a person. Because anonymity and secrecy are not always possible (e.g. companies often need to have a list of their employees, a list of their providers and customers, such lists include most of the time some personal data such as names, adresses for deliveries), the GDPR's main goal is to ensure the autonomy of the individuals whose personal data is being processed, through ensuring control by these individuals over their data. Under the GDPR, any natural person (i.e. excluding companies) whose personal data is being processed qualifies as "data subject", and can therefore invoke a series of rights (e.g. the right to be informed,to access and rectify,...). One of the main tool to ensure data subjects' autonomy is the so called "right to be forgotten", that I will analyze in the next section. These rights will apply despite any contrary contractual provisions. The GDPR is not based on contractual freedom, even though it sometimes requires the consent of the data subject as a starting point. But even then, the rules continue to apply to prevent data controller from doing whatever they want with the data. Consent is merely one of the legal grounds authorizing the processing. The processing activity is then regulated and limited by other rules such as data minimization or purpose limitation (which in theory, strongly restrict the possibility to have big data).

Right to be forgotten : Protecting the autonomy

The right ot be forgotten is the quintessence of the individual's autonomy in protecting their privacy: it allows individuals to object to the processing of their personal data under certain circumstances.

Under Google v. Costeja Gonzalez, the claimant, Consteja Gonzalez, objected to the processing of its personal data by a Spanish newspaper and by Google. The claimant objected to the fact that when an internet users entered his name in a search engine, the results showed articles dating back from 1998 mentioning him as being subject to a public auction for the recovery of unpaid social security debts. In particular, the claimant insisted that the procedure had been resolved for many years and that referencing it was now irrelevant. The Spanish data protection authority rejected Costeja Gonzalez's complaint against the newspaper (because it found that the newspaper was processing the information lawfully and for a legitimate purpose) but it upheld the complaint against Google. The cases ended up in front of the European Court of Justice who ruled that Google was also responsible for the processing of the data and that it could be obliged to remove links from its search engine. If this case was advertised as creating a new "right to be forgotten", it is in reality an application of the right to object, on compelling legitimate grounds relating to and individual's particular situation to the processing of data relating to him. This case was based on the current regime of data protection (i.e. the rules set out by the European directive of 1995).

As from may 2018, the GDPR will replace the directive and a new right to be forgotten will be created. Article 17 of the GDPR states that individuals shall have the right to request the erasure of their data when:

  1. the processing of the data is no longer necessary with regard to the purpose for which it was initially collected;
  2. the individual to whom the data relates withdraw his consent (if the data was initially collected based on the consent of the individual);
  3. the individual objects and there are no overriding legitimate grounds for the processing;
  4. the data has been unlawfully processed;
  5. the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; or
  6. the data has been obtained from a child in the offering of an information society services.

Whilst we do not have a lot of guidance yet as to how this article will be applied, it appears that it will ensure a strong autonomy of the individuals: they will be entitled to control their data and to decide by whome they want to be forgotten.

Conclusion: Conflict with freedom of speech?

The Usa and Europe have a slightly different approach to fundamental rights. Under European law, the States have an obligation to make sure that the fundamental rights are protected. This means that a European state can be sued for not preventing private parties from violating a human right. This creates some conflicts between different human rights, including the right of data protection and the freedom of tought, speech and information. THis is why the court in Costeja Gonzalez insisted on the fact that the data controller should balance the right of privacy of the user with the interest of the public to have access to the information. In the new article of the GDPR, it also excluded from the scope of the right to be forgotten, data processing where the controller has an overriding legitimate ground. This incorporates the right of freedom of thought (which has no limit), speech and information (which have certain limits)and all the long established European case law in the field. In the USA, it is argued that a such a regulation would violate the first amendment. But should all information be equally protected? Is there as much need in protecting the gathering of metadata as there is in protecting collection of information of public interest? The famous article of Warren and Brandeis, which introduced the notion of Privacy in the USA, argued for a "right to be let alone". The authors feared the new technology of handheld cameras. Today, the technology allows to gather much more data about anybody. I think that not granting autonomy to persons over their personal data because of the protection of the first amendment (applying indiscriminately to any kind of information) is not adapted to today's world.