The proposed “right to be forgotten” under the new EU Data Protection Regulation was discussed at the Media Law Resource Centre (MLRC) conference in London on 23 September 2013. Nick Graham, Co-Chair of the Dentons Privacy and Security practice, co-facilitated the discussion with Jan Philipp Albrecht (Member of the European Parliament and chief rapporteur for the new Regulation) and James Leaton Gray, Head of Information Policy and Compliance at the BBC.
The MLRC debate also covered the recent Google Spain case, where an individual wanted Google to remove certain information relating to the individual from its search engine. That case was decided in Google's favour. But the issue remains: media and content providers may have to strike a balance between the rights of the individual to “be forgotten” and the rights of others to “freedom of expression”. Jan Philipp Albrecht took the view that this need to strike a balance is not a new development. The challenge for media and content providers is how to strike the right balance in practice. Many commentators believe that this is something that should be dealt with at a legislative level and not by the media on a case-by-case basis as requests for data deletion are received. James Leaton Gray also commented that the precise use of language is critical in defining and applying the exemption.
The panel also discussed whether Article 80 of the new Regulation (providing the exemption in relation to freedom of expression) should specifically call out “journalism”. Interestingly, this was the original approach taken in the European drafting, but new amendments have been proposed to broaden the Article 80 exemption so that it covers freedom of expression in general (not specifically relating to journalism). Some members of the audience believed that, while it is difficult to define journalism as such, there would be value in calling this out specifically to assist media companies in applying the freedom of expression exemption from the right to be forgotten.
Nick Graham also outlined the key proposals under the new Data Protection Regulation. The new Regulation will operate as a single law applicable to all 28 EU member states. The Regulation will apply on an extra-territorial basis (so US companies will be caught when they offer goods or services to EU residents or monitor their behaviour (e.g. via cookies or online behavioural advertising)). There are also proposals to introduce a new “principle of accountability”, under which companies will need to put policies and procedures in place to ensure compliance and audit their effectiveness on a regular basis. Any company with more than 250 staff will also have to appoint a Data Protection Officer (or Chief Privacy Officer). There are also proposals to introduce breach notification rules requiring disclosure of data breaches to regulators within a short period of time (24-72 hours). Finally, there will be big penalties for failure to comply including fines of up to 2 per cent of worldwide turnover for certain breaches.