HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

EU Regulation: Reding Says Right to be Forgotten Must Be Balanced; EP Committee Calls for Enhanced Extraterritoriality

In a June 18 speech in Luxembourg, European Commissioner for Justice Viviane Reding discussed the much-maligned proposal for a "right to be forgotten" in the recently proposed EU Data Protection Regulation, admitting that "you cannot enforce an absolute right to be forgotten on the internet."  She stressed that the right to be forgotten "like the general right to privacy . . . needs to be reconciled with other rights which are also protected by the EU’s Charter of Fundamental Rights."  Reding attempted to reassure businesses that the new Regulation would ease their overall compliance burden, citing (again) the €2.3 billion per year in estimated savings.  (The source of this calculation has always been a mystery to us.)  Commissioner Reding said she views the European proposal as "setting the agenda of the political debate across the globe," leaving no doubt as to the global thought leadership ambitions of the Commission.

Meanwhile, the European Parliament’s Economic and Social Committee recommended in a May 23 opinion that Member States be able to go farther than the Regulation, and that the Regulation should be treated as a floor and not a cap.  This would of course defeat the harmonization objective sought by the Commission.  The EP Committee also objected to the amount of authority that the Regulation would delegate to the Commission, citing possible illegality under Article 290 of the EU Treaty.  The Committee recommended expanding the territorial scope of the Regulation, so that EU law would apply, for example, to "pharmaceutical companies based outside Europe which wish to have access to clinical data of data subjects resident in the EU for the purposes of clinical tests."  The Committee also recommended that special data protection provisions target search engines and social networks, that consumer class actions be included in the legislation, that BCRs require employee consultation, and that the 250-employee threshold that exempts small and medium-sized enterprises from certain data protection obligations be lowered.