Google exec questions Reding's 'Right to be forgotten' pledge
Says certain aspects of article 17 are 'unworkable'
Marisa Jimenez, who was speaking at the Computer, Privacy and Data Protection (CPDP) conference in the Belgian capital today, expressed concern about some of the passages written under article 17 of the proposed regulation.
Reding's so-called "right to be forgotten" on the internet plans have, in part, been welcomed by Google, Jimenez claimed.
But she noted that the current text submitted by the European Commission is incredibly complex and thereby open to any number of interpretations by data protection authorities and companies that could be expected to comply with the rules, if passed by the European Parliament in their current form.
Here's what Reding's proposed regulation currently states on the "right to be forgotten":
Article 17 provides the data subject's right to be forgotten and to erasure. It further elaborates and specifies the right of erasure provided for in Article 12(b) of Directive 95/46/EC and provides the conditions of the right to be forgotten, including the obligation of the controller which has made the personal data public to inform third parties on the data subject's request to erase any links to, or copy or replication of that personal data. It also integrates the right to have the processing restricted in certain cases, avoiding the ambiguous terminology 'blocking'.
Rosa Barcelo, a privacy and data protection specialist working for the Commission who was also present on the CPDP panel, pointed out that Reding's plans had already been relaxed from a "full obligation" on the part of an individual business and its handling of user data to a "best effort" requirement.
Google's Jimenez said that the overall "objective" of the "right to be forgotten" article was a "positive" one and added that the first part of that proposal that gives users the ability to object to their data being held was a good one. "Google agrees with that," she said. "In fact, we already do that.
"The question comes when deleting data placed on a third party that has very little control of what's been done with that data... Some of the scenarios enter well, others are rather unworkable. The way it is drafted is very unclear. It's a right, but written in a very technical way and not everyone will understand it in the same way when they read it."
The Google counsel said that she hoped that aspect of article 17 would be "clarified as we move forward in the legislative process".
Two other corporate representatives on the same panel - Christoph Luykx from Intel and Mikko Niva from Nokia - touched on industry concerns about shifting more personal information policing over to data controllers.
"We are a little bit wary about this administrative burden that now seems to be surfacing," Niva said. He reckoned that a standardised assessment was simplistic and warned there was a "risk of slowing down products to market."
He claimed the tech industry was better placed to define the "best methodologies."
Jimenez chimed in by saying she "agreed completely" with the Nokia exec's concerns.
"While the goal [of rewriting the EC's data protection legislation] was good, the question is... have these rules become another layer of compliance required?" Google's EU law specialist asked, before adding that "further thought" was needed.
Nokia's Niva added that he believed the requirement for a business to notify a DPA about a data breach within 24 hours was "a very tough deadline". He said that no one wanted "a regime where all kinds of fairly meaningless breaches are reported to the public and DPAs". He said that there should be thresholds built into the planned regulation "to make it sensible".
The panel also briefly touched on the notion of "privacy by design", which has formed part of Reding's recent agenda.
"I think that many of the elements of 'privacy by design' are in the new law," noted Jimenez. "The question is when you have a recipe you might have the ingredients but you have to know how much of what to put in to get the end result. The law cannot work out the quantities," she added. "The law cannot tell you how to do it."
The confab finished with something of a flourish from Barcelo, who turned to Jimenez and co and said privacy was "very relevant". To her it's an "economic asset" for businesses. She concluded: "There's lots of excitement about this in Parliament, a lot of fun." ®
Sponsored: Becoming a Pragmatic Security Leader