The Right to Be Forgotten: Complying with New European Privacy Law

Posted by Mark Greisiger

EuropeCyberA Q&A with Claire Bernier, Bersay & associés
Part of the future General Data Protection Regulation currently under discussion between European State Members, Europe’s Right to be Forgotten regulation will apply to any company that does business in the European Union (EU). I asked Paris-based attorney Claire Bernier of Bersay & Associés about this pending law and what implications it might have for organizations around the world.

Can you please explain the Right to be Forgotten for a layperson?
The concept is that any individual should be allowed to ask any entity that is collecting or displaying information about him/her to remove old or irrelevant data from its website or any link to this information on the internet, and that when asked, said company must oblige. Once the regulation is voted on (expected in 2015), it will be two years before it goes into effect within Europe, and it will be applied in each country across Europe (no specific implementation needed) and with the same strength as a domestic law.

What types of organization will be impacted by this law? And why should a business be concerned about it?
It will impact every single company with a website containing information about people—employees or otherwise—within Europe. Mainly, of course, it will affect massive contents/data providers such as search engines. The EUCJ decision of May 13, 2014 re. Google is notable as it related to a general manager of a company that went bankrupt years ago, but the individual had no problems since then and wanted to have that past information removed from the internet because it could impact future business opportunities. The EUCJ confirmed that this (old) information should not be considered relevant anymore and should be deleted.

You can’t possibly remove everything all of the time, but companies need to be in a position to respond to these requests.

What are the possible penalties for non-compliance?
The current drafting of the regulation provides for a fine of up to 2 percent of global worldwide turnover (i.e. revenue) of the infringing company.

How might a company comply with the regulation in good faith? Are there any technical hurdles that might complicate compliance?
As we know, it’s impossible to erase information from the internet once it’s out there. One of the solutions is to stop giving easy access to this data. Technically, that could be accomplished by getting rid of any referrals or links to it. If a content provider or a search engine indexes aren’t listing the data, it’s much harder to find. You can’t possibly remove everything all of the time, but companies need to be in a position to respond to these requests. That means investing in human resources, tools and procedures to deal with this issue. So far there is no software that can automatically parse what information stays and what needs to go. This process requires, for the time being, human decisions. Data protection authorities will probably focus on the effort a company is making to obey the law, and whether the company can demonstrate that it has invested in human, financial and technical resources to be compliant.

In Summary…
We want to thank Claire for this concise summary about a cyber risk issue that will eventually impact many global organizations—not just those that operate throughout Europe but all those that store data on European citizens in their systems. I am interested in speaking to insurers and their clients this coming year about their concerns with regard to this emerging exposure. Interestingly, Google recently revealed that they have already received approximately 90,000 requests for information to be taken down. These requests obviously require significant human involvement and analysis, evidenced by the fact that Google has only approved 53% of them, denying 32%. That poses the question: Will denial of these requests spur future costly litigation or other legal actions? We will be keeping an eye on this issue.