European ministers are moving in favour of a watered down version of the so-called "right to be forgotten" rules, following discussions on the drafting of the Data Protection Regulation on Friday.
A ruling by the European Court of Justice in May ordered Google to remove links from its search results that went to outdated or irrelevant information.
It has generated huge interest from users asking for information to be effectively de-linked (135,000 requests at last count).
However, even though this right is included in the draft of the new law, most ministers argued for the final inclusion to be a watered-down version of the ECJ ruling.
The UK argued there must be a balance between freedom of expression and the right to be forgotten, and that can only be decided on a case-by-case basis. The Netherlands agreed, and said that it was best left to the courts.
The UK, Germany, the Netherlands and the Czechs all agreed that they want a broader wording than the court ruling gave, and said there was no need to copy the ECJ text into the new law.
Germany's representatives argued that freedom of expression has better protection under current laws. Meanwhile, Estonia argued the Data Protection Regulation wasn't the right place to try to regulate free speech.
Austria said there must be some sort of control as questions of privacy and free speech should not be left to Google.
However, the Council’s legal service intervened to point out that the ECJ ruling effectively said the right to be forgotten trumps free speech, despite national ministers arguing for balance.
In fact, to some extent, the ECJ ruling is treaty law, and the Council can’t really draw up a regulation that goes against that.
Christian Wiese Svanberg a privacy lawyer at Copenhagen-based Plesner law firm, said it was likely some wording about member states having a judicial process would probably make it into the final law. “There are already so many provisions using words like “necessary” and “proportionate” that it should be possible to give member states some room for maneuver, the lawyer said.
However, he added that one area where there is a lot of member state opposition is the application of the right to be forgotten to the public sector. “If they left that out, and just applied it to private companies, a compromise would be reached much sooner,” he said.
As it is, it seems unlikely that the final law will emerge until 2016, despite national leaders promising the regulation by the end of 2015 (at a meeting back in October 2013).
“Things are definitely moving,” said Svanberg, “but based on my experience, they will not reach a position in Council before early 2015. Then they must negotiate with the European Parliament and the Commission. Realistically, that only leaves nine working months to the end of 2015 and although in principle a deal could be reached, it wouldn’t be pretty! More likely they will take their time and come up with something in 2016.”
According to insiders, one of the reasons things are now moving ahead is the recent change in personnel. The former Justice Commissioner Viviane Reding, who proposed the regulation, was unpopular and some members of the council deliberately stalled just to annoy her.
More personnel changes are also on the cards with a new European Commission due to be installed in November. What sort of bearing that will have on negotiations remains to be seen.
Other issues that have been stumbling blocks for the regulation include the “one-stop-shop” principle — a single national data protection authority responsible for all those companies with a head office on its territory. This would put Ireland’s data protection authority in charge of tech giants such as Google and Facebook, something Germany, in particular is not happy about.
However, a so-called “consistency mechanism” might solve this problem, explained Svanberg. “Essentially a souped-up A29 working party or overarching European data protection authority might have the power to hand down binding rulings.”
A second area where there may be room for negotiation is the Data Protection Directive. The Data Protection Regulation, which will have to be implemented word for word by member states, applies to private companies. The directive, however, only applies to law enforcement bodies. Many national governments basically want the directive killed, and it’s possible that the European Parliament will give way on the directive in order to get the regulation passed.
As it stands, the new regulation will apply to non-EU companies as well as European ones if they process EU citizens’ personal data obtained from selling or marketing goods and services to EU citizens. Proposed penalties for non-compliance are a fine of 5 per cent of a company’s annual revenue, or up to €100m. ®