Since June 2016, the UK has been in a state of uncertainty. Leading up to the EU referendum, commentators debated on the impact of the UK leaving Europe from the strength of the economy, access to the single market and immigration, experts all weighed in with their say.
An issue that was less talked about on national news but was heavily debated from tech and industry insiders was how Brexit would impact the General Data Protection Regulation (GDPR) which encompasses a number of data protection laws including Google’s ‘Right to be Forgotten’.
The European Commission first spoke of changes to the EU Data Protection law in early 2012 and, after years of debate, the proposal has now been confirmed with the GDPR coming into effect in May 2018. The latest regulation will have a significant impact on EU privacy and data protection in various crucial areas as the it puts into place new regulations on any company that handles the data of EU citizens, no matter where the business is located. However, with the UK potentially leaving Europe how will this impact the GDPR and a user’s right to erasure?
What is the right to be forgotten?
The right to be forgotten, also known as right to erasure, outlines an individual’s right to request their personal information be deleted or removed. In the past this regulation has been used to remove a user’s name that is attached to a page that contains false, misleading or outdated information. For example, if an article wrote about somebody committing a crime and later found to be innocent, that person could make it so the article doesn’t appear when the user’s name is searched on Google.
However, unlike many data protection regulations, the right to be forgotten isn’t as simple. In its current state, Google must analyse each individual request from a user to have their data removed and find a balance between fairness to the user against the wider public interest and freedom of expression.
In 2015, Google was inundated with requests from over 280,000 users requesting for their information to be removed. Resulting in the removal of over 600,000 links, this volume of requests led many to ask if there needed to be an update to the regulations to clarify the criteria.
Google must analyse each individual request from a user to have their data removed
In an updated draft of the Under the new GDPR regulation, they have tried to clarify the circumstances in which the right can be exercised but the balancing against other rights and obligations is still needed. The new draft states that erasure must be implemented “without delay” but the controller must also consider other rights and interests including “the public interest in the availability of the data”
There has been some scrutiny surrounding the ‘right to be forgotten’ with commentators pointing out it could have a negative impact on freedom of expression and access to information online; highlighting that it could be used to suppress information which it was not intended for.
However, under the new GDPR, users will have be able to have their requests for their data to be erased processed much quicker by an internet company that collects and stores information for internal use such as profiling and direct marketing. This will essentially mean the removal process is a lot quicker which is clearly great news for users but not as great for the websites and companies.
Without a doubt, June’s Brexit vote will have some impact on how the GDPR will work within the UK. Most UK businesses that trade within Europe will still need to comply with the regulations regardless but beyond that remains relatively unknown.
The UK is currently in an interesting position whether it wants to follow through with the European GDPR, implement its own or a mix of both. With Article 50 reportedly being activated in early 2017, and therefore beginning the two-year process of leaving the EU, this means that the UK will still remain part of Europe when the GDPR first comes into effect.
With this the UK will have to abide by its ‘right to be forgotten’ regulation and it will be down to our politicians to decide how many EU-influenced laws we retain once we have left. At this time it seems that the GDPR will be implemented in the UK but whether this means we end up following all the regulations in full, including the ‘right to be forgotten’, remains to be seen.