DATA PROTECTION REGULATION
DATA PROTECTION REGULATION Position on the Right to be Forgotten Allegro Group calls for a legislative text on the “right to be forgotten” (RTBF) that will both protect data subjects in practice, and avoid unnecessary burdens on data controllers.
Underlying principle The balancing of the RTBF with freedom of expression is essential. If the balance tips too far towards data protection, there is a real risk of censorship that is incompatible with the open society that Europe values. Allegro Group believes that EU data protection law should provide for the broad definition of “freedom of expression and information” guaranteed by the Charter of Fundamental Rights, rather than the narrow “artistic, literary or journalistic expression” included in Article 80 of the draft Regulation. A RTBF should be balanced, not only against the full range of expression (including, for example, political expression), but also against the freedom of information and indeed other fundamental rights and freedoms, such as property rights, the right to education, the right to conduct a business, equality rights, and even consumer rights.
Big picture consequences Allegro Group is pleased that the Council is considering the interaction of legal bases with the RTBF provisions, and encourages legislators to do the same with other provisions, notably those relating to classes of data (especially “pseudonymous data”). We also note that an essential element of implementing a RTBF must be authentication of the data subject. Without this, there is a risk of personal data being deleted by unauthorised individuals, which could expose intermediaries to claims and counter-claims by adverse parties. Moreover authentication of a data subject, while it may be necessary in order to apply the RTBF, is itself an act of processing of personal data and carries the same potential risks to privacy as other acts of processing. Allegro Group urges legislators to take account of specific characteristics of different classes of personal data, which may require special treatment or re-identification, in the case of “pseudonymous” data. The Council Note refers to a possible approach to implementing the RTBF in search results as a “right to obscuring”, which would push the search results at issue so far down the rankings that it would be extremely unlikely that they are found. While some form of a “right to obscuring” could conceivably be acceptable, Allegro Group does not believe that it should be allowed to interfere with the ranking algorithms that search engines use.
Unfeasibility for data controllers In its current form, the RTBF is exceedingly complex to implement, and promises to pose significant burdens to data controllers. Legislators must take into clear consideration the issue of process and practicality. As it stands, a series of tests needs to be carried out in response to each RTBF request, and the responsibility for each is unclear:
Are the data in question personal data? Is the data subject sufficiently authenticated? Were the personal data published unlawfully? What was the legal basis for processing the data? Is the processing still necessary for its original purpose? Is the right to data protection outweighed by other rights?
Legislators need to consider carefully whether the data controller is the right party to take these decisions. Further, making controllers (publishers) responsible for what other controllers have done with published data is impractical and disproportionate. Process Allegro Group welcomes the suggestion in the Council Note that data subjects should be obliged to follow a hierarchy, or order, in terms of data controllers they address with RTBF requests. We recommend that data subjects address their requests first to the publishers of the data, and only thereafter to search engines or other parties who provide access to the source material. Removal at source will always be more effective than blocking access. It is of critical importance that legislators ensure consistency between the processes used for addressing illegal content under the e-Commerce Directive and personal data that are the subject of a RTBF request under the draft Regulation. In practice, the same individuals within organisations deal with compliance for both types of take down request. Reducing complexity will make it easier and faster to comply with both types of obligation, improve legal certainty, and contribute to greater transparency for consumers and data subjects. Proliferation of processes (e.g. one for IPR infringements, one for speech offences, one for personal data, one for child abuse images, etc.) is in nobody’s interests. Jurisprudence The ECJ judgment is useful primarily in terms of clarifying the correct application of the 1995 Directive but should not be seen as the definitive statement of what a RTBF ought to look like. Indeed, experience in compliance with the judgment will inevitably shed light on the practical, legal, and privacy challenges associated with it. EU legislators should feel free to make fundamental reassessments of existing law.
**** About the Allegro Group The Allegro Group is the leading Central and East European e---commerce company. From its Polish home in Poznán, the group has expanded to cover close to a score of European countries, including 7 EU Member States. It operates e--- marketplaces, e- retail sites, e-- classifieds sites, online comparison shopping businesses, and a global online payments business. Contact: Chris Sherwood, Head of Public Policy for the Allegro Group: +32 491077509; [email protected]
Underlying principle The balancing of the RTBF with freedom of expression is essential. If the balance tips too far towards data protection, there is a real risk of censorship that is incompatible with the open society that Europe values. Allegro Group believes that EU data protection law should provide for the broad definition of “freedom of expression and information” guaranteed by the Charter of Fundamental Rights, rather than the narrow “artistic, literary or journalistic expression” included in Article 80 of the draft Regulation. A RTBF should be balanced, not only against the full range of expression (including, for example, political expression), but also against the freedom of information and indeed other fundamental rights and freedoms, such as property rights, the right to education, the right to conduct a business, equality rights, and even consumer rights.
Big picture consequences Allegro Group is pleased that the Council is considering the interaction of legal bases with the RTBF provisions, and encourages legislators to do the same with other provisions, notably those relating to classes of data (especially “pseudonymous data”). We also note that an essential element of implementing a RTBF must be authentication of the data subject. Without this, there is a risk of personal data being deleted by unauthorised individuals, which could expose intermediaries to claims and counter-claims by adverse parties. Moreover authentication of a data subject, while it may be necessary in order to apply the RTBF, is itself an act of processing of personal data and carries the same potential risks to privacy as other acts of processing. Allegro Group urges legislators to take account of specific characteristics of different classes of personal data, which may require special treatment or re-identification, in the case of “pseudonymous” data. The Council Note refers to a possible approach to implementing the RTBF in search results as a “right to obscuring”, which would push the search results at issue so far down the rankings that it would be extremely unlikely that they are found. While some form of a “right to obscuring” could conceivably be acceptable, Allegro Group does not believe that it should be allowed to interfere with the ranking algorithms that search engines use.
Unfeasibility for data controllers In its current form, the RTBF is exceedingly complex to implement, and promises to pose significant burdens to data controllers. Legislators must take into clear consideration the issue of process and practicality. As it stands, a series of tests needs to be carried out in response to each RTBF request, and the responsibility for each is unclear:
Are the data in question personal data? Is the data subject sufficiently authenticated? Were the personal data published unlawfully? What was the legal basis for processing the data? Is the processing still necessary for its original purpose? Is the right to data protection outweighed by other rights?
Legislators need to consider carefully whether the data controller is the right party to take these decisions. Further, making controllers (publishers) responsible for what other controllers have done with published data is impractical and disproportionate. Process Allegro Group welcomes the suggestion in the Council Note that data subjects should be obliged to follow a hierarchy, or order, in terms of data controllers they address with RTBF requests. We recommend that data subjects address their requests first to the publishers of the data, and only thereafter to search engines or other parties who provide access to the source material. Removal at source will always be more effective than blocking access. It is of critical importance that legislators ensure consistency between the processes used for addressing illegal content under the e-Commerce Directive and personal data that are the subject of a RTBF request under the draft Regulation. In practice, the same individuals within organisations deal with compliance for both types of take down request. Reducing complexity will make it easier and faster to comply with both types of obligation, improve legal certainty, and contribute to greater transparency for consumers and data subjects. Proliferation of processes (e.g. one for IPR infringements, one for speech offences, one for personal data, one for child abuse images, etc.) is in nobody’s interests. Jurisprudence The ECJ judgment is useful primarily in terms of clarifying the correct application of the 1995 Directive but should not be seen as the definitive statement of what a RTBF ought to look like. Indeed, experience in compliance with the judgment will inevitably shed light on the practical, legal, and privacy challenges associated with it. EU legislators should feel free to make fundamental reassessments of existing law.
**** About the Allegro Group The Allegro Group is the leading Central and East European e---commerce company. From its Polish home in Poznán, the group has expanded to cover close to a score of European countries, including 7 EU Member States. It operates e--- marketplaces, e- retail sites, e-- classifieds sites, online comparison shopping businesses, and a global online payments business. Contact: Chris Sherwood, Head of Public Policy for the Allegro Group: +32 491077509; [email protected]
