Académique Documents
Professionnel Documents
Culture Documents
Gordon Hughes
6 October 2014
AUSTRALIA BELGIUM CHINA FRANCE GERMANY HONG KONG SAR INDONESIA (ASSOCIATED OFFICE)
ITALY JAPAN PAPUA NEW GUINEA SAUDI ARABIA SINGAPORE SPAIN SWEDEN
UNITED ARAB EMIRATES UNITED KINGDOM UNITED STATES OF AMERICA
Overview
Context What is the "right to be forgotten"?
Europe EC 1995 Data Protection Directive
• Google case
New proposal for a "right to be forgotten"
Australia ALRC's proposal – a "right to be deleted"
• Why has this been contemplated?
• ALRC's perceived gap in current Australian law
• Current status
2
The "right to be forgotten"
3
Overview
Context What is the "right to be forgotten"?
Europe EC 1995 Data Protection Directive
• Google case
New proposal for a "right to be forgotten"
Australia ALRC's proposal – a "right to be deleted"
• Why has this been contemplated?
• ALRC's perceived gap in current Australian law
• Current status
4
European approach
• 1995 Data Protection Directive
Source: http://ec.europa.eu/
5
Article 12: right of access
Source: http://ec.europa.eu/
• Article 12 states:
Member States shall guarantee every data subject the right to obtain from the controller:
(a) without constraint at reasonable intervals and without excessive delay or expense:
- confirmation as to whether or not data relating to him are being processed and information at least as
to the purposes of the processing, the categories of data concerned, and the recipients or categories of
recipients to whom the data are disclosed,
- communication to him in an intelligible form of the data undergoing processing and of any available
information as to their source,
- knowledge of the logic involved in any automatic processing of data concerning him at least in the case
of the automated decisions referred to in Article 15 (1);
(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply
with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the
data;
(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking
carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.
• Does this provide a right to insist upon deletion of data which at the
discretion of the individual, and does this equate to a "right to be
forgotten"? Not explicit.
6
Google v Gonzalez
• Google Spain, Google Inc v AEPD and Mario Gonzalez C-131/12 (2014)
7
Google v Gonzalez
Source: http://www.theguardian.com/world/blog/2014/may/14/mario-costeja-
gonzalez-fight-right-forgotten
8
Google v Gonzalez
• AEPD ordered the withdrawal of data from the Google index and
required Google to ensure that links were not viewable via the
search engine
9
Google v Gonzalez (cont'd)
10
Google v Gonzalez (cont'd)
11
Google v Gonzalez (cont'd)
"…even initially lawful processing of accurate data may, in the course of time,
become incompatible with the directive where those data are no longer
necessary in the light of the purposes for which they were collected or
processed. That is so in particular where they appear to be inadequate,
irrelevant or no longer relevant, or excessive…
12
Google v Gonzalez (cont'd)
13
New European Commission proposal
• European Commission has released a draft "General Data
Protection Regulation" to replace the 1995 Data Protection
Directive
• The draft Regulation:
– aims to harmonise existing data protection laws across EU member
states (1995 Directive has been implemented in a fragmented
manner)
– will apply to non-EU based organisations, if they process the
personal data of EU residents
– contains a "right to erasure" in Article 17, which gives data subjects
the right to have personal data erased by a data controller under
certain circumstances
– introduces substantial penalties
Source: http://ec.europa.eu/
14
Overview
Context What is the "right to be forgotten"?
Europe EC 1995 Data Protection Directive
• Google case
New proposal for a "right to be forgotten"
Australia ALRC's proposal – a "right to be deleted"
• Why has this been contemplated?
• ALRC's perceived gap in current Australian law
• Current status
15
ALRC proposal – a "right to be deleted"
• In its Discussion Paper on Serious Invasions of Privacy in the Digital
Era (March 2014), ALRC proposed the introduction of a new APP
which would require an APP entity to:
16
ALRC proposal – a "right to be deleted"
• Possible extension of the ALRC's proposed new Australian Privacy
Principle to:
a) require the APP entity who receives the request to provide the
requesting individual with a list of third parties who have received
the information; and
b) require the APP entity who receives the request to notify any third
parties (with which it has shared the information) of the request.
17
ALRC proposal – a "right to be deleted"
• Possible take-down regime empowering regulators to order an
organisation to remove private information about an individual,
whether provided by that individual or a third party, from a
website or online service controlled by that organisation where:
a) the individual makes a request to the regulator to exercise its
power;
b) the individual has made a request to the organisation and the
request has been rejected or has not been responded to within a
reasonable time; and
c) the regulator considers that the posting of the information
constitutes a serious invasion of privacy, having regard to freedom
of expression and other public interests.
• ALRC acknowledged impact on freedom of expression, and hence
only flagged as a possibility.
18
ALRC's perceived gaps in Australian law…
• Limitations of existing APPs
19
Update on ALRC's position
• Final report dated June 2014 was tabled in Parliament on
3 September 2014
20
Overview
Context What is the "right to be forgotten"?
Europe EC 1995 Data Protection Directive
• Google case
New proposal for a "right to be forgotten"
Australia ALRC's proposal – a "right to be deleted"
• Why has this been contemplated?
• ALRC's perceived gap in current Australian law
• Current status
21
Hong Kong
• Personal Data (Privacy) Ordinance
22
India
• Information Technology Act 2000, Information Technology Rules
2011
• Rule 5 (Collection of information):
• "(7) The provider of information [to a body corporate] shall, at any time
while availing the services or otherwise, also have an option to withdraw
its consent given earlier to the body corporate."
23
The Philippines
• Data Privacy Act 2012
• Section 16 (Rights of the data subject) include to:
• "(d) dispute the inaccuracy or error in the personal information and have
the personal information controller correct it immediately and
accordingly, unless the request is vexatious or otherwise unreasonable …
third parties who have previously received such process personal
information shall be informed of its inaccuracy and its rectification upon
reasonable request of the data subject."
24
Singapore
• Personal Data Protection Act 2012
• Section 16 (Withdrawal of consent):
• "(1) On giving reasonable notice to the organisation, an individual may at
any time withdraw any consent given, or deemed to have been given
under this Act, in respect of the collection, use or disclosure by those
organisations of personal information about the individual for any
purpose…
• (4) if an individual withdraws consent to the collection, use or disclosure
of personal data…, the organisation shall cease … collecting, using or
disclosing the personal data …"
• Section 22 (Correction of personal data):
• "(1) an individual may request an organisation to correct an error or
omission in the personal data about the individual that is in the
possession or under the control of the organisation.
• Singapore has joined with Hong Kong in requesting Google to
develop a similar "right to be forgotten" system for its citizens.
25
Overview
Context What is the "right to be forgotten"?
Europe EC 1995 Data Protection Directive
• Google case
New proposal for a "right to be forgotten"
Australia ALRC's proposal – a "right to be deleted"
• Why has this been contemplated?
• ALRC's perceived gap in current Australian law
• Current status
26
Balancing interests…
Real-name Freedom of
policies v right of expression v
pseudonymity privacy
Source:
http://mashable.com/2014/05/13/right-to-be-
forgotten-europe-google/
Re-writing Anonymity v
history v privacy accountability
27
Overview
Context What is the "right to be forgotten"?
Europe EC 1995 Data Protection Directive
• Google case
New proposal for a "right to be forgotten"
Australia ALRC's proposal – a "right to be deleted"
• Why has this been contemplated?
• ALRC's perceived gap in current Australian law
• Current status
28
Where to from here?
Source: http://www.techhive.com/article/2359982/what-
the-eus-new-right-to-be-forgotten-online-means.html
Source: http://commonseoquestions.com/2014/07/25/the-
right-to-be-forgotten/
29
This presentation material is intended to provide a summary of the subject
matter covered for training purposes only. It does not purport to be
comprehensive or to render legal advice. No reader should act on the basis of
any matter contained in this presentation without first obtaining specific
professional advice.
AUSTRALIA BELGIUM CHINA FRANCE GERMANY HONG KONG SAR INDONESIA (ASSOCIATED OFFICE)
ITALY JAPAN PAPUA NEW GUINEA SAUDI ARABIA SINGAPORE SPAIN SWEDEN
UNITED ARAB EMIRATES UNITED KINGDOM UNITED STATES OF AMERICA
231673762_1