Researcher of the Month
The right to be forgotten – what kind of protection does the new EU Data Protection Regulation provide?
In 2016, the European Union adopted the new General Data Protection Regulation, designed to provide the European and national judiciaries with a completely new basis for data protection and privacy law. At WU, Harald Eberhard, professor of public law at the Institute for Austrian and European Public Law, investigates various issues raised by data protection law. His current work focuses on the effects of the EU’s new General Data Protection Regulation on Austrian data protection law. The “right to be forgotten” that is explicitly enshrined in the new legislation will regulate which of their digital footprints people will be able to erase in the future. Professor Eberhard calls for legislation that is clearer about the criteria for balancing the conflicting interests that are relevant to these questions.
In today’s world, data has become an important economic factor, and as a consequence, corporations worldwide are keen on collecting as much data as they possibly can. People are revealing personal information with almost every click in their web browsers or on their cell phones, every time they drive their cars with internet connectivity, and every time they use their customer loyalty cards in the supermarket. The new “right to be forgotten” is intended to provide clear guidelines as to which of these digital footprints can be erased, especially on the internet. WU Professor Harald Eberhard is working to figure out how this new right should be put into practice in Austria. “The ‘right to be forgotten,’ that is the right to have our digital footprints erased on the web, is one of the key pillars of Austria’s future data protection law. So far, Austrian legislation has been very vague in this regard, and failed to take into account today’s technological possibilities. This makes it even more important to draw up clear regulations for the interpretation of the EU’s General Data Protection Regulation to improve data and privacy protection for the people,” explains Professor Eberhard.
Whose interests count?
To develop clearer criteria for determining which types of online content users can request to have taken down – for instance posts on forums, private photos, comments, etc. – Harald Eberhard suggests that the interpretation of the legislation should be guided by a fundamental principle: “When assessing somebody’s right to request the deletion of specific posts on the internet, the decision should be guided by the question of whose interests are served by the posted content. If the post is of public interest, for instance, the poster then has no legal claim to have it deleted, because the post may initiate a debate that is relevant to society at large or contribute to public discourse in a meaningful way.” These arguments may for instance apply to an online doctor rating posted on a review site, according to a recent ruling by the Austrian Supreme Court of Justice (Oberster Gerichtshof, OGH).
The crucial difference
If the content posted online only reflects private interests, however, and is only intended by the poster to present him or herself, take-down requests would clearly have to be granted, according to this line of reasoning. This is because in such a scenario, other legal interests, for instance regarding the expression of opinions or the provision of information, do not outweigh data protection and privacy concerns. If the content in question constitutes a criminal offense or is insulting or damaging to a person’s reputation, this also needs to be taken into account when assessing and comparing all the relevant interests. Going back to the example of the doctor rating mentioned above, this means that the Supreme Court would probably reach a different decision if the post in question was written in an insulting manner. As always when conflicting fundamental rights come to bear on a question, the different interests have to be assessed and weighed against each other – a task that ultimately is up to the appropriate courts. The crucial aspect about the EU’s new General Data Protection Regulation is, however, that it explicitly defines the criteria to be applied in the process of assessing conflicting interests. In this way, the Regulation details aspects that have not been dealt with adequately in the existing legislation. Now important decisions have to be made as to how the Regulation should be integrated into national law, and about how Austria’s data protection law can be made as clear as possible. “At this point, it’s very important to reach a decision on which interests should be given preference: the right to privacy, data protection, and confidentiality on the one hand or the public interest, freedom of expression, and the public’s right to information on the other,” Professor Eberhard points out.
The EU’s new General Data Protection Regulation also brings about a number of other changes that are currently being studied by WU Professor Harald Eberhard and his colleagues at the Institute for Austrian and European Public Law. In addition to the “right to be forgotten,” technological neutrality is another key aspect of the new Regulation. This means that in the future, data protection regulations will apply regardless of whether data is processed manually or digitally. Another key element of the Regulation is the provision that consent must be freely given, i.e. services must not be made conditional on the user’s consent to data processing. “In the future, service providers will only be allowed to request personal data from users if the data is actually needed to perform a service,” Professor Eberhard explains. Under the new General Data Protection Regulation, violations of the applicable data protection regulations may result in hefty fines of up to € 20 million or four percent of a company’s global annual turnover.
A call for more privacy awareness
Harald Eberhard stresses, however, that it is important to keep in mind that “take-down requests are only a last resort. It’s important to be aware of the ways in which we reveal personal information online and the extent to which we give consent to the processing of our personal data. We should all be more mindful not to give our consent lightly, and we should be more careful to protect our privacy in general,” says Harald Eberhard.