We have been reading and hearing about the European Union’s “Right to be Forgotten” and “Right to be Erased” both through a proposed data privacy regulation and a recent European Union Court of Justice decision. This article is an attempt to explain the “rationale” behind both and how it potentially affects the genealogical community—worldwide—not only in the 28 European Union (EU) member countries. A little background on what the European Union is and on its legislative structure is presented to help you better understand what they are doing.
What Is the European Union?
The European Union, founded in 1993, is an economic and political union of 28 member states that are located in Europe. For a list of the current 28 EU-member countries see: http://europa.eu/about-eu/countries/index_en.htm. The EU’s operations are founded on treaties, voluntarily agreed to by all member countries. The predecessor to the European Union was known as the European Economic Community (EEC), created in 1958, whose initial purpose was to increase economic cooperation between six countries.
The EU Legislative Structure
The European Union Parliament is the parliamentary institution of the EU which is directly elected every five years. It is composed of 751 members (750 plus the President who is elected by the Parliament). The Members of Parliament (MEPs) are grouped not by country affiliation but by political party.[1] The number of MEPs per member country is proportionate to their population. Together with the Council of the European Union and the European Commission, it exercises the legislative function of the EU and it has legislative power that the Council and Commission do not possess. The Parliament does not possess the authority to initiate legislation. (http://europa.eu/about-eu/institutions-bodies/european-parliament/index_en.htm)
The Council of the European Union (the Council) is part of the EU legislature, representing the executives of 28 EU member states. The Council is comprised of the 28 National Ministers—one for each member of the European Union. (http://europa.eu/about-eu/institutions-bodies/european-council/index_en.htm)
As both organizations share equal legislative responsibilities for the legislation to become law, both organizations must agree to an identical proposal to become law.
The European Commission is the EU’s executive body. It represents the interests of the European Union as a whole (not the interests of individual countries). The Commission’s main roles are to:
- propose legislation, which is then adopted by the European Parliament and the Council;
- enforce European law (where necessary with the help of the European Union Court of Justice); and
- set objectives and priorities for action. (http://europa.eu/about-eu/institutions-bodies/european-commission/index_en.htm)
Proposed Data Protection Regulation
In 1995, the EU adopted the Data Protection Directive designed to protect the privacy and protection of all personal data collected for or about citizens of the EU, especially as it relates to processing, using, or exchanging such data. In 2012, the EU unveiled a draft General Data Protection Regulation that will supersede the 1995 Directive.[2] In March 2014, a number of amendments were adopted by the EU Parliament amending the original proposed regulation, including the provision for the “right of erasure” (amendments 23 and 27—the latter replaced the “right to be forgotten” provision). The “right to erasure” provision states: “the right to erasure should not apply when the retention of personal data is necessary for the performance of a contract with the data subject, or when there is a legal obligation to retain this data.” [3] The 2012 proposed data privacy regulation included a provision for the “right to be forgotten”.
The proposed regulation would strengthen individual rights and tackle the challenges of globalization and new technologies. The proposed regulation update applies if the data controller or processor (organization), e.g. Google, Bing, Yahoo, or the data subject (person) is based in the EU. Unlike the current 1995 Directive, the Regulation also applies to organizations based outside the EU if they process personal data of EU residents. (The non-binding Guidelines address the scope as if the EU has the authority on data regulation worldwide; see below.)[4] The EU defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life”. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
The proposed regulation does the following:
- Establishes a single, pan-European law for data protection, so that each EU member no longer has its own data protection laws
- Establishes a ‘one-stop-shop’ for businesses, so that companies no longer have to deal with multiple regulatory bodies
- Establishes the same rules for all companies regardless of where they are located: companies based outside of Europe will have to apply the same rules when doing business in the EU. There are economic penalties for non-compliance
- Establishes a “right to be forgotten” for the individual
- Requires the individual to give consent to process the individual’s data
In March 2014 the European Parliament voted overwhelmingly in favor of the Proposed Data Privacy Regulation. However, the EU Council did not vote before the May 2014 elections and therefore, as both chambers must vote on the same proposal, the proposal will have to be voted on by both chambers. Differences that might occur between the two chambers’ positions will have to be “negotiated”. The vote is expected later in 2015 or 2016. There are several issues, not just the “rights to be forgotten/erasure”, where some EU member countries are not unified in position. The delay in voting is due to the differences that are still being negotiated.
The 1995 Data Protection Directive differs from the current proposed Data Protection Regulation because a directive, unlike a regulation, gives the member country more ability to interpret the law to its liking.
Right to be Forgotten/ Right of Erasure vs. Freedom of Expression
Today, regardless of where one resides, privacy issues are very much on the “front burner”. Legislators and regulators world-wide are addressing the concerns that have arisen due to identity theft, privacy abuses and mistakes. Sometimes the legislature has overreacted, such as in the United States, where Congress in 2013 enacted Section 203 of the Bipartisan Budget Act, which limited access to the Social Security Death Index. But nowhere has the reaction been as draconian as with the EU’s “right to be forgotten” and “right to be erased”.
The right to be forgotten/erasure is a controversial concept that allows the individual to have information posted about them on the Internet removed from search operators, such as Google, at the individual’s request, even when it is truthful. EU regulators believe the Internet prevents citizens from escaping their past, whether they did something adverse or foolish or just don’t want their actions or information available. This concept is antithetical to the United States’ core belief in freedom of expression. The right to privacy is a highly developed area of law in Europe. This forms the debate that genealogists are continually confronting when accessing records: the right of privacy vs. the right to know, that is, access to what we as genealogists believe is in the public domain and should be available.
Some are concerned that if adopted, the proposed EU regulation could undermine press freedoms and freedom of speech. Aggrieved individuals could use the decision to hide or suppress information of public importance, including links about elected officials. In Europe, the right to privacy trumps freedom of speech; the reverse is true in the United States. Although in California a law went into effect in January 2015 providing minors with the right to erase what they placed on the Internet, other states could follow and legislation could be expanded from adolescents to all.
The concept of the right to be forgotten or the right to be erased is not all encompassing.[5] There are cases where there is a legitimate reason to keep data in a database. The example the EU used in a press release is the archives of a newspaper. It is clear that the right to be forgotten cannot amount to a right to re-write or erase history. The “right” also carries with it the “right to erasure”. The EU proposal states the individual has the “right to erasure” where a court or regulatory authority based in the EU has ruled as final and absolute that the data concerned must be erased. This provision is Article 17 of the proposed regulation. The genealogical community is most concerned with this provision so that future records are preserved.
Currently, each of the 28 member countries has its own data privacy regulation. They are not uniform. Some state the provisions of the right to be forgotten only affect the living, while others affect both the living and deceased. The proposed Data Privacy Regulation would make the rule uniform throughout the EU member states. Hence the concern of the genealogical community about assuring that the records of genealogical interest are not “erased”.
Viviane Reding, the former Vice-President of the EU, and EU Justice Commissioner stated, “Consent is at present — and will remain under the Commission’s proposal for a General Data Protection Regulation — only one of the several grounds allowing for the lawful processing of data, such as for genealogical purposes…”[6]
Article 83 in the Proposed Data Protection Regulation provides for specific conditions and safeguards for the lawful processing of personal data necessary for historical research, which may also include genealogical research. Here the consent of the data subject is only applicable in cases where the entity conducting research would wish to publish or publicly disclose personal data. Even in such cases however, consent is only one among three alternative conditions, the other two being (a) that the publication of personal data is necessary to present research findings or to facilitate research; or (b) that the data subject has made the data public.[6]
Not all member countries of the EU are satisfied with the proposed rule on the “right to be forgotten/erasure” and some are trying to get a less onerous version of the EUCJ decision incorporated into a final version.[7]
There are substantial fines for non-compliance by data aggregators such as Google. The fines are up to € one million or up to 2% of the annual worldwide turnover in case of an enterprise, whichever is greater (Article 79, Number 6).[8]
The data protection regulation’s “right to be forgotten” should be balanced with public access to certain types of records for compelling reasons such as tracing family medical history and Holocaust victims’ “right to be remembered”. The two individual “rights” are not mutually exclusive.
EU Court Decision—Google
In 1998, a Spanish newspaper called La Vanguardia published two small notices stating that certain property owned by Mario Costeja González, a lawyer, was going to be auctioned to pay off his debts. Costeja later cleared up his financial difficulties, but whenever someone Googled Mr. Costeja’s name, the newspaper records continued to surface. In 2010, Costeja went to Spanish authorities to demand that the newspaper remove the items from its website and that Google remove the links from searches for his name. The Spanish Data Protection Agency denied the claim against La Vanguardia but granted the claim against Google. In May 2014, the European Court of Justice (EUCJ) affirmed the Spanish agency’s decisions. La Vanguardia could leave the Costeja items up on its Web site, but Google was prohibited from linking to them on any searches relating to Costeja’s name. In a broadly worded directive, the EUCJ went on to say that all individuals in the countries within its jurisdiction had the right to prohibit Google from linking to items that were “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.” While the actual documents are still on the Internet, most people use a search engine such as Google (which has over 85% of the search engine market in the EU) in order to find the links to the original documents.[9],[10]
The EU prepared a fact sheet on the EUCJ decision which addresses territoriality and applicability under the current and proposed rules.[11]
The Court’s decision continues to be controversial, not only within the Internet community: several of the EU member countries also do not agree with the depth of the “right to be forgotten”. One of Google’s concerns with the ruling was that no guidance was provided on how to comply with the decision. The operational guidelines that have since been developed (see below) address how to put the court’s decision into practice.
Google opened a digital hotline to let Europeans complain when links to embarrassing personal information about them turn up in a search of their names. The complaints will be vetted and removed unless a company-appointed panel says the public’s right to access the information outweighs a complainant’s right to privacy. Google has received roughly 760,000 requests, from people in Europe and outside the region, to remove links to online material, and has agreed to about 40 percent of the requests.[12]
French Court Decision
In a recent French Court decision where Google agreed to take down links to allegedly defamatory comments, the plaintiff, a French attorney, sued to have Google remove the links on its worldwide global search engine domains, and won. This set a precedent that the EU ruling should apply outside of the EU. The French judge relied on a specific point in a privacy ruling that said a company’s local subsidiary could be held liable for the activities of its parent. Google was ordered to pay a daily fine of $1,100 until the “defamatory” content was removed from all searches worldwide. Google has not paid the fine, arguing that the French Court decision does not “specifically demand” that the company’s non-European domains must comply with the judgment. This raises the larger question of how far the EU’s data protection rules can extend.
Google created a committee to help counsel them on how to address Europe’s right-to-be-forgotten standard. The report is due out later in February. It is reported that there is not unanimity amongst the committee members on the issue of whether the EU can impose the right to be forgotten decision on all of its global search results.[13]
Non-Binding Guidelines
On November 26, 2014 the European Union issued guidelines that would expand their “Right to be Forgotten” to all countries where the search engines operate, in other words, worldwide.[14] While the Court case was found against Google, the “Right to be Forgotten” is an EU concept that affects all search engines. The guideline takes the May EUCJ decision and makes it into a guideline: the regulatory group known as the Article 29 Working Party stated that to give the rights to the subject in the internet search, the EU law cannot be circumvented. The press release from the EU on the guideline stated: “Decisions must be implemented in such a way that they guarantee the effective and complete protection of data subjects’ rights and that EU law cannot be circumvented.”[15] The search engines operate outside of the EU and someone could do a search on the non-EU websites and obtain the information that was removed in the EU, such as Google.com (US) vs. Google.de (Germany) or Google.fr (France).
The guidelines have 13 criteria for the data privacy administrators in the EU countries in their decision-making processes about refusals by search engines to de-list. The privacy guidelines are not binding, and it will be up to each of the 28 EU member countries to decide how to apply them, a potential administrative “nightmare” with each country doing “their own thing”, but one that could lead to fines at the national level. Aggrieved individuals could use the decision to hide or suppress information of public importance, including links about elected officials.
Why is this Important to Genealogists?
At its April 2013 meeting in Amsterdam, the Steering Committee of the Section of Professional Associations of the International Council on Archives (ICA SPA) expressed its concern about the draft European Data Protection Regulation. The French archivists stated it could mean destruction of university, land employment records and more.[16] Allowing individuals to decide what data they will request be removed from the Internet search engines is akin to an “opt-in” provision. As genealogists, we have seen a less than desirable outcome when countries have opted for an ‘opt-in’ for information to be shared, such as the more recent censuses in Canada and Australia which had low percentages for those choosing to “opt-in”.
Genealogy assists researchers in tracing family medical problems that are passed on from generation to generation. Information included in birth, marriage, and death records is critical to reconstructing families and tracing genetically inherited attributes in current family members. Access to vital records, historical as well as current, is essential in making certain that one is researching the correct person. Increasing numbers of physicians are requesting that their patients provide a “medical family tree” in order to more quickly identify conditions common within the family. It is critical to be able to trace back, not only straight-line, but also by collateral lines, which allow the individual as well as future generations to measure probability and historical medical occurrences and take appropriate preventive action as required. (August 29, 2013 IAJGS Letter to 28 EU Ministers of Justice on European Union Proposed Data Protection Regulation).
[1] http://www.europarl.europa.eu/
[2] http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
[3] http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0212&language=EN
[4] http://www.nytimes.com/2014/11/27/technology/right-to-be-forgotten-should-be-extended-beyond-europe-eu-panel-says.html?emc=eta1
[5] http://europa.eu/rapid/press-release_MEMO-14-186_en.htm
[6] http://www.europarl.europa.eu/sides/getAllAnswers.do?reference=E-2013-005400&language=EN
[7] http://www.theregister.co.uk/2014/10/10/eu_ministers_google_right_to_be_forgotten_watered_down/
[8] http://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Sanctions
[9] http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=24797
[10] http://www.nytimes.com/2014/05/14/technology/google-should-erase-web-links-to-some-personal-data-europes-highest-court-says.html
[11] http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf
[12] https://www.google.com/transparencyreport/removals/europeprivacy/?hl=en
[13] http://bits.blogs.nytimes.com/2015/02/01/questions-for-europes-right-to-be-forgotten/?emc=eta1&_r=0
[14] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf
[15] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20141126_wp29_press_release_ecj_de-listing.pdf
[16] http://www.nytimes.com/2013/06/17/technology/archivists-in-france-push-against-privacy-movement.html?emc=eta1&_r=1&
Avotaynu Online
DOI: 10.17228/AVOL201503231