NEW DATA PROTECTION CONCEPTS

It was earlier argued that ever-developing technology has caused a shift on the weight from the privacy to self-determination in the data protection framework.

This issue is now further elaborated through some new data protection concepts, namely the right to be forgotten and data portability. It is necessary to examine these concepts to form a solid picture of the shift from privacy to self-determination. These concepts illustrate excellently how self-determination is gaining more importance in the European legal framework for data protection. They all present new elements in the European data protection framework. The new provisions related to profiling, for example, also reflect the same tendency. However, for the purposes of this thesis, deeper analysis of the two above-mentioned concepts should be enough.

Furthermore, it will later be argued that self-determination should be perceived differently in the social media context vis-à-vis public sector processing. For this purpose, it is essential to examine some of the concepts that reflect the said progress in detail.

3.4.1 RIGHT TO BE FORGOTTEN

Ever-developing technology has created pressure to launch new data protection concepts, the right to be forgotten being one of them.⁵³³ The right to be forgotten was taken into a more formal sphere with the GDPR.⁵³⁴ While it had been previously mentioned in seminars and in academic articles⁵³⁵, the Commission took it to a new level by first introducing it in its Communication and thereafter naming one of the articles accordingly in its proposal for the GDPR.⁵³⁶ The core idea of the right to be

533 The question of whether right to be forgotten is diverging from the right to protection of personal data and turning into its own right with underlying principles is excluded from this discussion.

534 See Commission Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) COM(2012) 11 final (25.1.2012) and Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1–88).

535 For example, Jeroen Terstegge, Corporate Privacy Officer/ Senior Counsel, Digital Europe at a Data Protection conference in Brussels 19 May 2009.

536 Communication from the Commission to the European Parliament, The Council, the Economic and Social Committee and the Committee of Regions, A comprehensive approach on personal data protection in the

forgotten might not be novel, but the new circumstances, such as social media and different online applications, have taken it to a new level.

The right to be forgotten is drawn from existing elements in the European data protection framework, such as the data subject’s right to have his or her data erased and the data subject’s right to have his or her personal data rectified.

However, the core idea underneath the right to be forgotten is fresh one, and caused by technological developments. The right to be forgotten is closely tied with developments in our societal structure following on from technological development.

This evolution has been described as a move from village culture to the global village, and during this journey there has been a short stop at city culture⁵³⁷. In villages, people knew each other well; the accomplishments achieved, and the pranks played in childhood and youth remained in the collective memory of the village and had an impact on the individual’s role and status in the village. Life in city culture was more anonymous; someone could easily move from one role to another and even have quite radical changes in lifestyle without having the past following him or her.

Now, we have arrived at the third stage of this progress, the global village. Besides the features of the classic village society, the new element in this societal structure is the global dimension. This has been created through the online world and the internet, where the things one has done and said might take on a life of their own and have more or less eternal life cycle.

I see that the new societal structures can be seen as one reason for the intense debate that the right to be forgotten frequently causes.⁵³⁸ Another reason for the heated debate is unrealistic expectations linked with the right to be forgotten. When personal data has been released on the internet, it cannot be entirely erased. The possibility of copies circulating around is not purely hypothetical. Even innovations targetted at creating short lifespans for messages cannot realize the right to be forgotten. An example of this is a relatively new social media forum, Snapchat.

Ten-year-old children very quickly learned to take screen captures of messages sent in snapchat and thus, the lifespan of the data very quickly became eternal again.

European Union, COM 2010 (609) final; Commission Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) COM(2012) 11 final (25.1.2012); Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1–88).

537 For example, Jeroen Terstegge, Corporate Privacy Officer/ Senior Counsel, Digital Europe at a Data Protection conference in Brussels 19 May 2009.

538 See for example The Guardian, “We need to talk about the right to be forgotten”, by David Drummond, available on the internet <https://www.theguardian.com/commentisfree/2014/jul/10/right-to-be-forgotten-european-ruling-google-debate> [last visited 9.4.2017]; Eric Posner, “Debate about the Right to be Forgotten, March 13 2015, available on the internet < http://ericposner.com/debate-about-the-right-to-be-forgotten/

> [last visited 9.4.2017]; K. Brimsted, “The Right to be forgotten: can legislation put the data genie back in the bottle?” in Privacy and Data Protection 4 (2011).

Some have underlined that the ultimate rationale behind the right to be forgotten had traditionally been the protection of the individual’s dignity by giving them tools to control the sensitive information relating to them.⁵³⁹ Personal data does not need to be sensitive when the data subject wishes to apply his right to be forgotten.⁵⁴⁰ However, it seems easy to agree that protecting one’s dignity is a central element in right to be forgotten. Once this connection is established, its relation to self-determination must also be acknowledged. While the right to be forgotten clearly derives from self-determination, it also reflects the underlying values of privacy.

When the data subject wishes to have some data erased, it seems natural to claim that this is done precisely for the purposes of protecting privacy. In other words, in the right to be forgotten both privacy and self-determination are clearly apparent.⁵⁴¹

The right to be forgotten lived through some changes during the GDPR negotiations. The Commission also took a more moderate tone in relation to the right to be forgotten and underlined that it is not, after all, a new right.⁵⁴² It was also questioned whether the right to be forgotten actually brings any added value to the existing legal framework.⁵⁴³ I see that it does. The new element that it brings to the existing legal framework is the weight and recognition it sets on data subjects’

rights in the cloud environment. The new societal environment certainly sets some expectations for reframing the data protection regime. Maybe the new problems that emerged in the data protection framework were not entirely solved, but at least they were duly recognized.

539 K. Brimsted, “The Right to be forgotten: can legislation put the data genie back in the bottle?” in Privacy and Data Protection 4 (2011).

540 Article 17 of the GDPR.

541 During the negotiation process in the Council and European Parliament, the Commission’s original proposal for the right to be forgotten lived through some changes. The data controller will for example not be held liable for information which is processed by third parties. In other words, the Commission’s proposal was very much stripped of its innovative elements targetted at challenges created in the cloud environment, and was left with the skeleton which exists already in the Data Protection Directive. See for example Communication from the Commission to the European Parliament, The Council, the Economic and Social Committee and the Committee of Regions, A comprehensive approach on personal data protection in the European Union, COM 2010 (609) final; Commission Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) COM(2012) 11 final (25.1.2012); Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1–88).

542 See for example Viviane Reding, Vice-President of the European Commission, EU Justice Commissioner, SPEECH/12/26, The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age, available on the internet < http://europa.eu/rapid/press-release_

SPEECH-12-26_fi.htm > [last visited 3.7.2017] and Financial Times, Brussels welcomes Google ‘right to be forgotten’ measure, May 30, 2014, available on the internet <https://www.ft.com/content/bc116b3e-e810-11e3-9cb3-00144feabdc0?mhq5j=e1> [last visited 3.7.2017].

543 K. Brimsted, “The Right to be forgotten: can legislation put the data genie back in the bottle?” in Privacy and Data Protection 4 (2011).

3.4.2 DATA PORTABILITY

Data portability is one of the new data protection concepts introduced by the GDPR.

Together with the right to be forgotten and some of the other novelty elements in the Commission’s proposal⁵⁴⁴, data portability reflects the underlying idea of self-determination. The core idea is that the data subject would have control over the personal data, which he has earlier submitted to the controller in cases where the data processing is based on consent or contract. Besides strengthening control over one’s own personal data, this right provides the data subject with the right to have his personal data in an electronic and commonly-used format. In other words, the data subject could transfer his personal data from one system to another.⁵⁴⁵ The controller could not prevent this by invoking different electronic systems and claiming it is not technologically feasible.

The basic elements of this right did exist in the earlier data protection framework.

Based on the provisions laid down in the Data Protection Directive and Data Protection Regulation, the data subject had the right of access to his personal data.

Together with the right to obtain a copy of his personal data, these rights create the basis for data portability.⁵⁴⁶ However, data portability would take this right much further. The core idea behind data portability is the data subject’s right to transfer his or her personal data from one system to another.⁵⁴⁷ Previously, the data subject was indeed able to request his information, for example from Facebook based on the rights drawn from the Data Protection Directive, but the outcome might have been some hundred pages of paper.⁵⁴⁸ After the entry into force of the GDPR, the data subject can get information in a format which allows him to reuse this data.

It seems justified to enhance the data subject’s control over their personal data when data processing takes place for example on social media. The whole content of the site is created by the data subject, while the controller or processor simply provides the structure and forum to present this content.

I argue that at least two significant elements regarding data portability must be distinguished when data protection is assessed in relation to transparency legislation.

First, data portability applies to situations where the data subject is the active party himself and legitimizing the data processing derives from the data subject’s self-determination. In this respect, it ought to be noted that public sector processing is largely excluded from the scope of this right. This is apparent in the wording of the said right but could also be derived from the first paragraph of the said Article.

544 See for example Article 20 on the right to data portability and strengthened rules on the consent.

545 Commission’s proposal Article 18.

546 Directive 46/95, Articles 10–12, Regulation 45/2001, Articles 10–13.

547 Commission proposal Article 18.

548 See for example Case C-362/14 Schrems, ECLI:EU:C:2015:650.

Processing of personal data in the public sector hardly ever takes place based on contract or the data subject’s consent.⁵⁴⁹ Second, when the data subject provides his or her personal data for processing on a voluntary basis and for sharing on social media, the underlying principle of privacy diverges from this right. When the data subject shares the information with hundreds of people, who cannot all be known to him, it seems justified to argue that it is rather the control over his data which is significant for the data subject. In other words, underlining the importance of self-determination is justified when the processing of personal data takes place in the internet environment, or in the cloud as it is put in this decade.