Right to be Forgotten & EU GDPR Data Security Day London

Data Security Day: Important "Right to be Forgotten" & EU GDPR Terms & Definitions

  • Upload
    blancco


EU GDPR: IMPORTANT MOMENTS & DECISIONS

Europe's top court supports 'right to be forgotten' in Google privacy case

Timeline: 2010, MAY ‘14, JUN ‘15, DEC ‘15

2010

EU Court ruled on a number of areas related to data protection. These include the territoriality of EU rules, the applicability of EU data protection rules to a search engine and the “right to be forgotten.”

MAY ‘14 JUN ‘15 DEC ‘15

The European Commission, the European Parliament and the European Council all met to negotiate the requirements of the proposed EU General Data Protection Regulation

JUN ‘15 2010 MAY ‘14 DEC ‘15

2010 MAY ‘14 DEC ‘15

Final version of GDPR expected

JUN ‘15

EU COURT RULES ON THREE KEY AREAS

The Territoriality of EU Rules

The Applicability of EU Data Protection Rules to a Search Engine

The “Right to be Forgotten”

THE TERRITORIALITY OF EU RULES

Even if the physical server of a company processing data is located outside Europe, EU rules apply to search engine operators if they have a branch or a subsidiary in a Member State, which promotes the selling of advertising space offered by the search engine.

THE APPLICABILITY OF EU DATA PROTECTION RULES TO A SEARCH ENGINE

Search engines are controllers of personal data. Google can therefore not escape its responsibilities before European law when handling personal data by saying it is a search engine. EU data protection law applies and so does the right to be forgotten.

THE RIGHT TO BE FORGOTTEN

Individuals have the right - under certain conditions - to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing. At the same time, the Court explicitly clarified that the “right to be forgotten” is not absolute but will always need to be balanced against other fundamental rights, such as the freedom of expression and of the media. A case-by-case assessment is needed considering the type of information in question, its sensitivity for the individual’s private life and the interest of the public in having access to that information. The role the person requesting the deletion plays in public life might also be relevant.

EU GDPR: KEY REQUIREMENTS

The GDPR’s jurisdiction will reach outside the EU, with extraterritorial jurisdiction tied to the offering of goods or services to, or the monitoring of, data subjects in the EU. Non-EU controllers that satisfy this jurisdictional nexus will need to appoint an EU representative “unless the processing is occasional and unlikely to result in a risk for the rights and freedoms of individuals.”

The draft mandates breach notification to Supervisory Authorities and affected individuals; specifically, Supervisory Authorities and affected individuals must be notified of breaches that are likely to result in a high risk for the rights and freedoms of individuals, with notice to Supervisory Authorities due within 72 hours, and notices to affected individuals due “without undue delay.”

The information that must be provided to data subjects regarding the processing of their personal data remains extensive, including specifying the legitimate interests pursued by the controller or the statutory or contractual requirements that are being relied on to justify processing (if this is the case); data subjects must also receive an explanation of the various rights they have in relation to the data (but none of the Parliament’s icons that signpost data use has been included).

The maximum administrative fines proposed on a tiered system are up to 2-5% of annual worldwide turnover, or €100m, depending on which amount is higher.

EU GDPR: IMPORTANT TERMS & DEFINITIONS

DATA BREACH

An incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property*

* Tech Target

DATA PROCESSING

Operations performed on a given set of data to extract the required information in an appropriate form*

* Business Dictionary

BIG DATA

An all-encompassing term for any collection of data sets so large and complex that it becomes difficult to process using on-hand data management tools or traditional data processing applications

* Wikipedia

DATA PROTECTION IMPACT ASSESSMENT

A tool that you can use to identify and reduce the privacy risks of your projects

A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data.

* ICO
