Read out

Harald Eberhard

Video Harald Eberhard

Harald Eberhard

Researcher of the Month

The right to be for­got­ten – what kind of pro­tec­tion does the new EU Data Pro­tec­tion Reg­u­la­tion provide?

In 2016, the European Union ad­op­ted the new Gen­eral Data Pro­tec­tion Reg­u­la­tion, designed to provide the European and na­tional ju­di­ciar­ies with a com­pletely new basis for data pro­tec­tion and pri­vacy law. At WU, Har­ald Eber­hard, pro­fessor of pub­lic law at the In­sti­tute for Aus­trian and European Pub­lic Law, in­vestig­ates vari­ous is­sues raised by data pro­tec­tion law. His cur­rent work fo­cuses on the ef­fects of the EU’s new Gen­eral Data Pro­tec­tion Reg­u­la­tion on Aus­trian data pro­tec­tion law. The “right to be for­got­ten” that is ex­pli­citly en­shrined in the new le­gis­la­tion will reg­u­late which of their di­gital foot­prints people will be able to erase in the fu­ture. Pro­fessor Eber­hard calls for le­gis­la­tion that is clearer about the cri­teria for bal­an­cing the con­flict­ing in­terests that are rel­ev­ant to these ques­tions.  

In today’s world, data has be­come an im­port­ant eco­nomic factor, and as a con­sequence, cor­por­a­tions world­wide are keen on col­lect­ing as much data as they possibly can. People are re­veal­ing per­sonal in­form­a­tion with al­most every click in their web browsers or on their cell phones, every time they drive their cars with in­ter­net con­nectiv­ity, and every time they use their cus­tomer loy­alty cards in the su­per­mar­ket. The new “right to be for­got­ten” is in­ten­ded to provide clear guidelines as to which of these di­gital foot­prints can be erased, espe­cially on the in­ter­net. WU Pro­fessor Har­ald Eber­hard is work­ing to fig­ure out how this new right should be put into prac­tice in Aus­tria. “The ‘right to be for­got­ten,’ that is the right to have our di­gital foot­prints erased on the web, is one of the key pil­lars of Aus­tria’s fu­ture data pro­tec­tion law. So far, Aus­trian le­gis­la­tion has been very vague in this regard, and failed to take into ac­count today’s tech­no­lo­gical possib­il­it­ies. This makes it even more im­port­ant to draw up clear reg­u­la­tions for the in­ter­pret­a­tion of the EU’s Gen­eral Data Pro­tec­tion Reg­u­la­tion to im­prove data and pri­vacy pro­tec­tion for the people,” ex­plains Pro­fessor Eber­hard.  

Whose in­terests count?

To develop clearer cri­teria for de­termin­ing which types of on­line con­tent users can re­quest to have taken down – for in­stance posts on for­ums, private pho­tos, com­ments, etc. – Har­ald Eber­hard sug­gests that the in­ter­pret­a­tion of the le­gis­la­tion should be guided by a fun­da­mental prin­ciple: “When assess­ing some­body’s right to re­quest the de­le­tion of spe­cific posts on the in­ter­net, the de­cision should be guided by the ques­tion of whose in­terests are served by the pos­ted con­tent. If the post is of pub­lic in­terest, for in­stance, the poster then has no legal claim to have it de­leted, be­cause the post may ini­ti­ate a de­bate that is rel­ev­ant to so­ci­ety at large or con­trib­ute to pub­lic dis­course in a mean­ing­ful way.” These ar­gu­ments may for in­stance ap­ply to an on­line doc­tor rat­ing pos­ted on a re­view site, ac­cord­ing to a re­cent rul­ing by the Aus­trian Su­preme Court of Justice (Ober­ster Gericht­shof, OGH). 

The cru­cial dif­fer­ence  

If the con­tent pos­ted on­line only re­flects private in­terests, however, and is only in­ten­ded by the poster to present him or her­self, take-­down re­quests would clearly have to be gran­ted, ac­cord­ing to this line of reas­on­ing. This is be­cause in such a scen­ario, other legal in­terests, for in­stance regard­ing the ex­pres­sion of opin­ions or the pro­vi­sion of in­form­a­tion, do not out­weigh data pro­tec­tion and pri­vacy con­cerns. If the con­tent in ques­tion con­sti­tutes a crim­inal of­fense or is in­sult­ing or dam­aging to a per­son’s repu­ta­tion, this also needs to be taken into ac­count when assess­ing and com­par­ing all the rel­ev­ant in­terests. Go­ing back to the example of the doc­tor rat­ing men­tioned above, this means that the Su­preme Court would prob­ably reach a dif­fer­ent de­cision if the post in ques­tion was writ­ten in an in­sult­ing man­ner. As al­ways when con­flict­ing fun­da­mental rights come to bear on a ques­tion, the dif­fer­ent in­terests have to be assessed and weighed against each other – a task that ul­timately is up to the ap­pro­pri­ate courts. The cru­cial aspect about the EU’s new Gen­eral Data Pro­tec­tion Reg­u­la­tion is, however, that it ex­pli­citly defines the cri­teria to be ap­plied in the pro­cess of assess­ing con­flict­ing in­terests. In this way, the Reg­u­la­tion de­tails aspects that have not been dealt with ad­equately in the ex­ist­ing le­gis­la­tion. Now im­port­ant de­cisions have to be made as to how the Reg­u­la­tion should be in­teg­rated into na­tional law, and about how Aus­tria’s data pro­tec­tion law can be made as clear as possible. “At this point, it’s very im­port­ant to reach a de­cision on which in­terests should be given pref­er­ence: the right to pri­vacy, data pro­tec­tion, and con­fid­en­ti­al­ity on the one hand or the pub­lic in­terest, freedom of ex­pres­sion, and the pub­lic’s right to in­form­a­tion on the other,” Pro­fessor Eber­hard points out.  

Fur­ther changes  

The EU’s new Gen­eral Data Pro­tec­tion Reg­u­la­tion also brings about a num­ber of other changes that are cur­rently be­ing stud­ied by WU Pro­fessor Har­ald Eber­hard and his col­leagues at the In­sti­tute for Aus­trian and European Pub­lic Law. In ad­di­tion to the “right to be for­got­ten,” tech­no­lo­gical neut­ral­ity is an­other key aspect of the new Reg­u­la­tion. This means that in the fu­ture, data pro­tec­tion reg­u­la­tions will ap­ply regard­less of whether data is pro­cessed manu­ally or di­git­ally. An­other key ele­ment of the Reg­u­la­tion is the pro­vi­sion that con­sent must be freely given, i.e. ser­vices must not be made con­di­tional on the user’s con­sent to data pro­cessing. “In the fu­ture, ser­vice pro­viders will only be al­lowed to re­quest per­sonal data from users if the data is ac­tu­ally needed to per­form a ser­vice,” Pro­fessor Eber­hard ex­plains. Un­der the new Gen­eral Data Pro­tec­tion Reg­u­la­tion, vi­ol­a­tions of the ap­plic­able data pro­tec­tion reg­u­la­tions may res­ult in hefty fines of up to € 20 mil­lion or four per­cent of a com­pany’s global an­nual turnover.  

A call for more pri­vacy aware­ness

Har­ald Eber­hard stresses, however, that it is im­port­ant to keep in mind that “take-­down re­quests are only a last re­sort. It’s im­port­ant to be aware of the ways in which we re­veal per­sonal in­form­a­tion on­line and the ex­tent to which we give con­sent to the pro­cessing of our per­sonal data. We should all be more mind­ful not to give our con­sent lightly, and we should be more care­ful to pro­tect our pri­vacy in gen­eral,” says Har­ald Eber­hard.