The following is the eleventh article in a series of articles delving into the GDPR, intended to give an overview of the main aspects of the provisions it introduced, retained and updated in the data privacy law regime of the European Union, and its legislative implementation in Malta. The previous article may be viewed by visiting https://azzopardilegal.eu/the-gdpr-the-new-right-to-erasure-part-v/

____________________________________

In the previous part of this article we concluded our brief consideration of the right to object to processing as a basis to demand the right to be forgotten, or right to erasure as per Article 17(1)(c) of the GDPR. In this part, we shall briefly consider the exercise of the right to erasure according to Article 17(1)(d) of the GDPR. For reference, this provides as follows:

“1.   The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(omissis)

(d) the personal data have been unlawfully processed;”

In reality this ground appears to be a broad ground and “unlawfully processed” could account for many scenarios. In view of that wording, questions as to interpretations arise as to the nature of what qualifies as “unlawfully processed”.

To give a theoretical example, consider a general data processing operation and the various obligations imposed on the controller and, or processor. Now consider that one particular obligation was not properly complied with, let us say the right to be informed in full prior to personal data processing as per Article 13 GDPR (we shall deal with this in separate articles), like for example on the identity of the controller for that data processing. The obligations involved are numerous, so would one failing be deemed to qualify under “unlawfully processed” and thus give rise to the possible exercise of the right of erasure under Article 17(1)(d) GDPR? The answer to that appears to be in the affirmative, in line with the general ethos and teleological interpretation of GDPR provisions. In view of most data processing practices around us, this is a good ground to explore should somebody seek to exercise the right to erasure.

Indeed, this ground is currently subject to a few preliminary references to the Court of Justice of the European Union and on which the latter would have to pronounce itself. However, such preliminary references are generally very specific, and could possibly leave the door wide open for interpretation even if the CJEU pronounces itself on them. On the other hand, the European Data Protection Board, in its Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1) Version 2.0 adopted on the 7^th July 2020, had this to say:

“35. The notion of unlawful processing shall first be interpreted in view of Article 6 GDPR dedicated to lawfulness of processing. Other principles established under the GDPR (such as principles of Article 5 GDPR or of other provisions of Chapter II) may serve such interpretation.

36. This notion shall secondly be interpreted broadly, as the infringement of a legal provision other than the GDPR. Such interpretation must be conducted objectively by Supervisory Authorities, according to national laws or to a court decision. For instance, a delisting request shall be granted in the event where the listing of personal information has been expressly prohibited by a court order.”

Article 6 GDPR, and I would add Article 9 GDPR, provide the legal basis for the lawful processing of all personal data. Therefore, primarily, anything found to be in violation thereof would be deemed unlawful processing and in turn activate the right to be forgotten under Article 17(1)(d) GDPR. Paragraph 36 above seems to imply that any non-compliance with the GDPR would qualify as “unlawful processing”. It also goes even further by stressing the role of the Supervisory Authority, in Malta being the Information and Data Protection Commissioner, and also national laws and judicial authorities. The corollary would be that the possible breach of any national law affecting the data processing process could activate the right to be forgotten under Article 17(1)(d) GDPR.

The above would seem to be another possibility, and it compounds in the idea that data processing must be performed at all times in perfect compliance with all applicable law, or else the personal data involved is prone to be erased at the request of the data subject. With that being said, and with a lack of higher-level judicial pronouncements on the matter, the above interpretation is solely the current position of the author and it should be stressed that it does not purport to be legal advice, nor should it be taken as such.

The post The GDPR – The new right to erasure – Part VI appeared first on Arthur Azzopardi & Associates.

The following is the ninth article in a series of articles delving into the GDPR, intended to give an overview of the main aspects of the provisions it introduced, retained and updated in the data privacy law regime of the European Union, and its legislative implementation in Malta. 

____________________________________

We were considering the right to object in this article on the right to erasure as we are tackling the grounds for the successful exercise of the latter right. We had ended the previous part of this article, with the statement that “It is the data controller which has to demonstrate the applicability of the same limitations to the right to erasure…” 

The “limitations” refer to the requirement under Article 21(1) GDPR for the controller to stop the processing of personal data unless he “demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.”

As we have previously pointed out, the right to erasure under Article 17(1)(c) is grounded in the right to object exercisable as herein referred.

Considering the above and our previous discussion, the situation is one in which the data controller has to stop the processing upon receiving a request by the data subject for the exercise of the right to object, if only to assess the same request. Therefore, the stop is basically immediate yet temporary at first. The previously referred European Data Protection Guidelines have this to say (N.B. They refer to the exercise of the right to erasure, based on the right to object, which in practice could be made concomittantly by the data subject):

“30. The GDPR therefore changes the burden of proof, providing a presumption in favour of the data subject by obliging on the contrary the controller to demonstrate “compelling legitimate grounds for the processing” (Article 21.1). As a result, when a search engine provider receives a request to delist based on the data subject’s particular situation, it must now erase the personal data, pursuant to Article 17.1.c GDPR, unless it can demonstrate “overriding legitimate grounds” for the listing of the specific search result, which read in conjunction with Article 21.1 are “compelling legitimate grounds (…) which override the interests, rights and freedoms of the data subject”. The search engine provider can establish any “overriding legitimate grounds”, including any exemption provided for under Article 17.3 GDPR. Nonetheless, if the search engine provider fails to demonstrate the existence of overriding legitimate grounds, the data subject is entitled to obtain the delisting pursuant to Article 17.1.c GDPR.

As a matter of fact, delisting requests now imply to make the balance between the reasons related to the particular situation of the data subject and the compelling legitimate grounds of the search engine provider. The balance between the protection of privacy and the interests of Internet users in accessing to the information as ruled by the CJEU in the Costeja judgement can be relevant to conduct such assessment, as well as the balance operated by the European Court of Human Rights (ECHR) in press matters.”

It is essential to remember that Article 21(1), and therefore Article 17(1)(c), are dependant on the fact that the data processing must have as its legal basis Article 6(1)(e) or 6(1)(f) GDPR, as we have referred in a previous part. This is important to stress, as the right to object does not apply to all data processing, in fact it refers to the limited scenarios involving Articles 6(1)(e) and 6(1)(f).

On the other hand data processing can happen on the basis of numerous legal bases found under Articles 6 and 9 GDPR, without prejudice to other data processing falling outside of the scope of the GDPR itself. Consequentially, the right to erasure as grounded on the right to object, for data processing falling within the scope of the GDPR, is likewise limited. With that said, we attempted to provide a limited theoretical overview, but the exercise of rights require particular professional attention to the case, its facts and the law in specific detail.

Moving away from the right to object and Article 17(1)(c) GDPR, in the next part we shall consider other grounds for the exercise of the right to erasure.

The post The GDPR – The new right to erasure – Part V appeared first on Arthur Azzopardi & Associates.

The following is the ninth article in a series of articles delving into the GDPR, intended to give an overview of the main aspects of the provisions it introduced, retained and updated in the data privacy law regime of the European Union, and its legislative implementation in Malta. 

____________________________________

In this part of this article, we shall continue the analysis of the right to erasure and its grounding in the right to object (as per Articles 17(1)(c) and 21 GDPR).

While a data controller can call upon the right to erasure to be based in at least one of the six main grounds for its exercise, one of the grounds available to the data subject is the exercise of the right to object.

When the ground called upon by the data subject is the right to object, one has to consider when the data subject can exercise such a right to object, being: (i) when the legal basis for processing are Articles 6(1)(e) or 6(1)(f) GDPR as per Article 21(1) GDPR; and (ii) in cases involving direct marketing as per Article 21(2) GDPR. It apparently follows that the exercise of the right to erasure as grounded on the right to object is further limited to the provisions of Article 21(1) and 21(2) GDPR, being the grounds for the exercise of the right to object itself.

Article 21(2) is the more direct and straighforward of the lot and basically gives an absolute right to object in cases of direct marketing. In such cases objecting to data processing and, if desired, making a request for erasure should prove comparatively straightforward and successful. That is, assuming there are no other grounds for the data processing or applicable restrictions to the right to object or the right to erasure.

However, Article 21(1) GDPR requires more discussion, as it is conditional on the legal bases for data processing as provided by Article 6(1)(e) and 6(1)(f) GDPR. A reminder of these legal bases for data processing is fit:

“(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

N.B. The proviso to Article 6(1) GDPR makes it clear that Article 6(1)(f) cannot be used by public authorities in the performance of their tasks.

The above seems to be provide quite a restrictive scenario, and on paper it is. However, the GDPR broadened the application of the right to object significantly in relation to Article 21(1) GDPR, and this further opens up the possibilities to exercise the right to erasure. Indeed, in the previous part of this series we have already referred to the GDPR novelty related to the inversion of the burden of proof in favour of the data subject, in the sense that the right to erasure as grounded in the right to object now does not require the data subject to prove that he has “compelling legitimate grounds relating to his particular situation”. The latter was a requirement to exercise the right to object under the previous law. The GDPR broadens the same right to object further by rewording the requirement to “grounds relating to his or her particular situation”. This alone allows for a broader application of the new GPPR right to erasure.

It must be added that if request to exercise a right to erasure falls within the GDPR parameters discussed above, then such a request is to be acceded by the controller unless the latter “demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims”. It is the data controller which has to demonstrate the applicability of the same limitations to the right to erasure, and it is probable that a restrictive interpretation of the same would be applied by the competent adjudicators. This is an aspect best left for future discussion.

____________________________________

Disclaimer: This article is not to be considered as legal advice, and is not to be acted on as such. Should you require further information or legal assistance, please do not hesitate to contact Dr Edric Micallef Figallo on edric@azzopardilegal.eu.

The post The New Right to Erasure – Part IV appeared first on Arthur Azzopardi & Associates.

The following is the eighth article in a series of articles delving into the GDPR, intended to give an overview of the main aspects of the provisions it introduced, retained and updated in the data privacy law regime of the European Union, and its legislative implementation in Malta. The previous article may be viewed here.

In continuing from where we left off in the previous part, we shall start dealing with the right to erasure applicable according to Article 17(1)(c) GDPR, which provides that:

“1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).”

In a previous part to this article we have already made reference to the “without undue delay” requirement, which applies to the right to erasure generally. However, different grounds for the right to erasure might require different considerations, affecting the degree of delay for the data subject.

Of interest for this particular ground is that on the 7th July 2020 the European Data Protection Board (EDPB) has adopted guidelines entitled Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1). These guidelines also refer to previous, albeit applicable, guidelines by the Article 29 Working Party entitled Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12, WP 225, 26 November 2014. While both guidelines refer to internet search engines specifically, the principles contained are generally applicable when it comes to the ground under Article 17(1)(c).

Importantly, the ground under Article 17(1)(c) is conditional on the right to object to data processing under Article 21(1) and 21(2) GDPR. Article 21(2) practically provides the right to object in all cases in which the purposes of the data processing are for direct marketing. This does not require much thought thereon, but Article 21(1) provides more intricate legal considerations which are much more case dependant. It is best to quote said provision in its entirety, with emphasis added:

“1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.”

As referred in the first guidelines referred above, in general “the right to object affords stronger safeguards to data subjects since it does not restrict the grounds according to which data subjects may request delisting” as does the right to erasure. The right to erasure according to Article 17(1)(c) is grounded on the right to object and thus this broad right to object opens up an apparently restrictive right to erasure. Said guidelines further indicate a GDPR novelty which could be practically significant since under the previous EU Directive:

“the data subject had to base his or her request “on compelling legitimate grounds relating to his [or her] particular situation”. In respect of the GDPR, a data subject can object to a processing “on grounds relating to his or her particular situation”. He or she thus no longer has to demonstrate “compelling legitimate grounds”.

30. The GDPR therefore changes the burden of proof, providing a presumption in favour of the data subject by obliging on the contrary the controller to demonstrate “compelling legitimate grounds for the processing” (Article 21.1).”

In the following part in this series, we shall continue the analysis of this ground for the right to erasure and the conditions related thereto and its grounding in the right to object.

____________________________________

Disclaimer: This article is not to be considered as legal advice, and is not to be acted on as such. Should you require further information or legal assistance, please do not hesitate to contact Dr Edric Micallef Figallo on edric@azzopardilegal.eu.

The post The GDPR – The New Right To Erasure – Part III appeared first on Arthur Azzopardi & Associates.