General Data Protection Regulation (GDPR) was one of the most anticipated privacy law developments implemented by the European Union, which came into effect in 2018. The legal instrument was to improve the legal situation of EU citizens (data subjects) by filling the loopholes created by the Data Protection Directive 1995. To achieve that, the Regulation has codified a set of rights available for data subjects to be enforceable against data controllers. One of them is the ‘right to be forgotten’ under Article 17 that now allows EU citizens to request (any) company to have (any) data relating to them erased.
The core of the discussion in my dissertation derives from the fact that Article 17 is not an absolute right. There is a set of exceptions that provides data controllers with sufficient reasons to deny the erasure of an individual’s data when the latter asks for it. Consequently, those exceptions are considered as a significant weakness of the Article 17 right, as they put power into the hands of the controllers.
In my dissertation, I attempted to determine the scope of the right under Article 17, taking into consideration the four exceptions provided under paragraph 3 of the provision. In short, the paragraph states that the right will not be enforceable when the processing of personal data is necessary for compliance with a Member State’s law and the processing is in public interest; or when the data processed are medical data, or the processing is for research purposes; or the processing is crucial in establishing a legal claim. My work aims to show that the restrictions of the application of the right do not necessarily guarantee the effective protection of personal data for EU citizens.
Firstly, the analysis shows that the wording of Article 17(3) expects each Member State to decide on the national level when the ‘right to be forgotten’ will and will not be available for individuals. Ironically, the more regulated the entities within a country, the harder it will be for an individual from that country to enforce the right against data controllers. Also, more importantly, because of the discretion given to the Member States, GDPR misses the opportunity to create an integrated application of the right across the whole Union block. Consequently, it will lead to a lack of legal certainty with the enforceability of the right, and different treatment of similar cases across the Union.
Further investigation shows that the second big limitation to the enforceability of the ‘right to be forgotten’ is research. GDPR allows companies to reject data subjects’ requests if the processing of their data is necessary for improvements of services of that company. My dissertation suggests that the EU legislators had recognised the power of personal data in innovation processes. Hence, providing a special exception of processing personal data for research purposes is to avoid preventing innovation from happening in areas crucial for Member States’ economies.
On the other hand, the other two exceptions to Article 17 right seem to be more precise and narrow. My dissertation shows that both of them provide a better understanding of individuals and data controller when the former will not be able to enforce their rights. Firstly, GDPR makes it sufficiently clear that doctors, who for GDPR purposes become data controllers of patient’s medical data, are (almost always) excluded from the possible circle of subjects that need to deal with Article 17 claims. Consequently, patients will not be able to have their medical data erased. That is justified, however, by the fact that permanent erasure of medical records is not in the best interest of patients, as an incomplete health-record could result in wrong treatment. Secondly, GDPR does not allow individuals to have their data erased if they are involved in ongoing legal proceedings with the data controller itself. By far the most restrictive ground, this will not allow data controllers to rely on it unless the parties are indeed involved in a legal dispute.
It can, therefore, be said that the right to erasure under Article 17 might not provide individuals with sufficient protection, and the impression that they are in control of their data might be fallacious. Two limitations seem to be vague and far-reaching, and as such, they will allow those in charge of individuals’ data to reject a limitless number of claims. For those reasons, my dissertation concludes that the decision of whether the Article 17 right will be enforceable or not, lies heavily in favour of the controllers, not EU citizens themselves.