Europe is currently undergoing a significant reform of its privacy regime. Under the current European Union (EU) Privacy Directive, individuals already have broad rights curtailing companies’ ability to process their personal data. The proposed EU Privacy Regulation seeks to broaden these rights even further. In particular, the proposed “right to be forgotten” may ultimately impose substantial new burdens on companies, especially social media and Internet businesses.
European privacy laws restrict the information that companies can process regarding individuals, and grant to individuals several rights with respect to their personal data (e.g., access and correction rights). The current EU Privacy Directive came into force in 1995 and has continued to apply ever since with various updates in the intervening years. The Europeans, however, are currently discussing a proposed EU Privacy Regulation that would further strengthen the protection of personal data of individuals by, among other things, introducing new rights. Among the new rights being proposed is the “right to be forgotten.” Essentially, under this proposed new right, individuals would be able to request—under certain circumstances—that companies erase all information in their systems and databases regarding such individuals. Companies receiving such requests would be obligated to comply.
The right to request removal from a company’s records is not new. Under the current EU Privacy Directive, an individual can request that a company remove his or her data from its system under certain circumstances, for example, because there is no legal basis for the company having such data in the first place or because the individual no longer has a relationship with that company (e.g., if a customer switches mobile phone carriers). However, this current right of removal is not absolute and can take a backseat to other interests, such as a company’s duty to maintain books and records of its business.
The new right to be forgotten would strengthen and expand the current right of removal. In particular, the new right would require a company to not only erase the applicable information and cease any further dissemination of the information but also take all reasonable steps necessary to inform third parties to whom the company has made the data available and to request that such third parties also remove the data from their systems. In other words, the new right would require a complete cleanup of the data originating from the company. A phone company receiving the request would therefore have to not only remove the data from its systems, but also inform, for example, its collections agencies, advertising and marketing agencies and outsourcing providers (such as installation services companies) that the request was made and that they should also remove the applicable data from their systems (as currently drafted, the company would only have to pass along the request, and would not be required to verify compliance with such request by other companies).
The right to be forgotten has been conceived in particular to address social media companies and other online businesses. Regarding such providers, the European legislatures find it of paramount importance that individuals be able to control what information is online about them (even when they have put the information online themselves), especially with respect to minors under the age of 18. While the rationale for this approach may be understandable, under the right as currently drafted, a social media site that receives a request to be forgotten could be obligated to inform third parties about the request, including other users of the social media site, other social media sites to which the data has been linked (e.g., via Twitter feeds or integration), search engines and any other website that the social media site knows has received the data. Given the expansive scope of the right as currently drafted, this right could potentially create burdensome and costly compliance obligations for social media sites and other online services, once the proposed EU Privacy Regulation is in force.
The proposed reform is currently being discussed in the European Parliament and is not expected to be finalized until 2014 at the earliest, after which there will be another two years before it would take effect. The proposals in the Regulation may still change pending ongoing debate, although it is expected that many of the new rights and requirements, including the right to be forgotten, will be maintained in some form.