EDRi’s analysis of the EU General Data Protection Regulation

The purpose of the General Data Protection Regulation is to repeal and replace the Data Protection Directive of 1995, and in particular to provide greater harmonization of data protection rules across Europe. The draft regulation proposes to establish a European Data Protection Board to replace the existing Article 29 Working Party.

One of the widely forecast and much heralded aspects of the new regulation is an improved ‘right to be forgotten’, or ‘le droit à l’oubli’; the right to have our internet history expunged. “This ‘right to be forgotten’ (Art. 15),” says EDRi, “is basically a re-packaging of the already existing right to deletion after the purpose has been fulfilled (Art. 12 of Directive 95/46/EC).” But it goes further, now “including the right to erasure of any public Internet link to, copy or replication of personal data relating to the data subject in any public communication service.”

EDRi suggests that this article is not very well drafted, fearing that, despite its intent to “counter the loss of purpose limitations in social media”, it could be misused as a tool for censorship. It is also concerned that bloggers and other independent media that “do not comply with the 'right to be forgotten', could be fined between 500 and 600 000 Euros.”

However, EDRi does applaud the new regulations concerning the transfer of data abroad. “Article 42 addresses extra-territorial actions by third countries such as the USA Patriot Act and the USA Foreign Intelligence Surveillance Act and imposes barriers for foreign judicial authorities to access European data. This article is particularly interesting with regard to the US requests for European data such as the request for twitter account details of European citizens that might be related to WikiLeaks.”

Meanwhile, however, the European Data Protection Supervisor (EDPS) Peter Hustinx is already concerned about the application of the existing Data Protection Directive in relation to the EU-US Passenger Name Record (PNR) agreement. This agreement, he explained on Tuesday, obliges airline companies to “send to the US Department of Homeland Security (DHS) data relating to all passengers flying between the EU and the US.” But, he states, “Any legitimate agreement providing for the massive transfer of passengers' personal data to third countries must fulfill strict conditions. Unfortunately, many concerns expressed by the EDPS and the national data protection authorities of the Member States have not been met. The same applies to the conditions required by the European Parliament to provide its consent.”
