Right to be forgotten It is questionable whether the Commission can regulate all request for data deletion in all case as it has propose, especially if the information is not made public by the owner.
But are destroy at the request of the holder or the data subject, and even if a data subject only dispose of its information by means of deletion. The proposal does not distinguish between public and private data.
It considers the data subject the only one who can impose deletion. Moreover, it places the Commission in the position of the “legal supervisory authority” responsible for supervising decision taken in individual case by the data controller.
In addition, the proposal lacks clarity regarding whether the request for data deletion must be made public in order to determine the nature of the reasons behind it consequently.
It is not possible to know if the removal of certain data is reasonable in each particular case, or is simply being used as a convenient pretext for giving the controller a pretext for deleting certain data.
The lack of a well-founded legal basis to delete data means that the Commission would have to assess the reason for the removal of the information and then determine whether the deletion is legally valid.
The propose law will also create new risks of data misuse and abuse, including by allowing data subjects to ask for any type of data to be deleted. According to the proposal.
The absence of transparency and difficulty distinguishing between public and private data could pose risks for EU citizens, particularly when data controllers retain data regardless of whether they have a legal basis for the retention.
For instance, if a data controller has no legal basis to retain data for future planning purposes or for internal business purposes and the data remains stored, a number of scenarios can take place.
The data subject could have an adverse effect on his business activity or reputation, in particular if he will suffer legal consequences in the future from the hosting of data in breach of his privacy rights;
The controller could use the data for a third party purpose or send it to a third party for the purpose of performing the activities for which the data was originally collected.
The controller could use the data for a foreign jurisdiction that is incompatible with the data protection provisions of the General Data Protection Regulation.
Misuse Third Party
The data could be misuse by a third party for reasons unrelate to the citizen’s right to privacy, and the risk of abuse remains unresolve.
In any case, the data subject will not know whether the data subject or a third party has use the data, or if it has delete in his name
It remains unclear whether, as envisage by the proposal, the propose remedies are proportionate and effective against the scale of the administrative burdens and risk associate with data deletion.
Because they are limit to automate deletion, whereas all the case which may pose a risk to a data subject’s privacy are not automate.
Moreover, the law lacks clarity concerning the issue of the identity of the data subject, the interests to which the deletion relates, and its possible link to the identity of another data subject.
For instance, the notification procedure for the deletion of information is not defined in the law, and the Commission admits that notification procedures are rarely followed.
Moreover, there is no precise statement regarding what is meant by a “legal basis” for the deletion, or what actions a data subject may take to protect his right to data protection.
Any possibility of ensuring better data protection for EU citizens by requiring controllers to notify data subjects of the deletion of his or her personal information would further depend on whether data controllers are required to notify data subjects of the deletion as well.
Such notification procedures should not only be clearly defined in the law but also sufficiently strict to ensure the successful removal of data without undue delays or unauthorized retention.
Data Processing Safeguard
Moreover, the proposed law does not make it mandatory for data controllers to notify individuals of the deletion of their personal data if it is automate. Without precise data processing safeguards.
The EU would be creating the risk of third parties performing these automated deletions of personal data (e.g., advertisers using optical character recognition software).
The deletion of personal data should be subject to a well-defined and strictly implemented procedure, which should not require the notification of the individual concerned.
The proposal would allow the controller to decide whether or not to inform the individual concern about the deletion, in case of algorithmic procedures, without the basis of a formalize procedure.
Further, the proposal lacks a clear assessment of the effects of notifications, whether automated or not. The fact that the new directive addresses the elimination of personal data,
But not their replacement with a new set of personal data, implies that the proposed law is insufficient to provide the same level of data protection rights and obligations as provided for in the GDPR and GDPRs.
A new legal basis for other reasons for deleting personal data would have to be defined in the law. In the case of anonymization, the proposed law does not specify how a directive may be implemented.
In particular, while the actual method of processing may be under the control of the controller, the method of anonymization may be implemented by the controller Click here.
Or the automated method to anonymize may be governed by a standard method or procedure specified by the directive, or the controller’s internal rules or procedures.
Anonymize Personal Data
For instance, as said, all processing that seeks to anonymize personal data should be carried out using a method, standard or procedure specified in the directive and approved by the Commission.
However, while the intended method may be prescribed in the directive, it does not necessarily mean that the method will be implemented in practice. For instance, while the Directive contains a default rule of using an appropriate “bulk method,” it may be up to the controller to set the criteria or method. This may lead to an unnecessary delay in verifying that all processing is carried out in accordance with the data processing objectives defined in the regulation.
This also applies in case of anonymization. For instance, the two examples above illustrate how anonymization may still leave a number of identifiable data points remaining in the mass data sets.
More Articles : Social Commerce And E-Commerce