Recht om vergeten te worden Bart van der Sloot Instituut voor Informatierecht Universiteit van Amsterdam

Privacy – Europees Verdrag voor de Rechten van de Mens - Raad van Europa (1950) ARTIKEL 8: Recht op eerbiediging van privé-, familie- en gezinsleven 1. Een ieder heeft recht op respect voor zijn privé leven, zijn familie- en gezinsleven, zijn woning en zijn correspondentie. 2. Geen inmenging van enig openbaar gezag is toegestaan in de uitoefening van dit recht, dan voor zover bij de wet is voorzien en in een democratische samenleving noodzakelijk is in het belang van de nationale veiligheid, de openbare veiligheid of het economisch welzijn van het land, het voorkomen van wanordelijkheden en strafbare feiten, de bescherming van de gezondheid of de goede zeden of voor de bescherming van de rechten en vrijheden van anderen.

Privacy en gegevensbescherming – Handvest van de Grondrechten - Europese Unie (2000) Artikel 7 – Recht op privacy Eenieder heeft recht op eerbiediging van zijn privé-leven, zijn familie- en gezinsleven, zijn woning en zijn communicatie. Artikel 8 - Bescherming van persoonsgegevens 1. Eenieder heeft recht op bescherming van de hem betreffende persoonsgegevens. 2. Deze gegevens moeten eerlijk worden verwerkt, voor bepaalde doeleinden en met toestemmingvan de betrokkene of op basis van een andere gerechtvaardigde grondslag waarin de wet voorziet.Eenieder heeft recht op toegang tot de over hem verzamelde gegevens en op rectificatie daarvan. 3. Een onafhankelijke autoriteit ziet toe op de naleving van deze regels.

Privacy en Gegevensbescherming Domein Relaties Achtergrond Doel/aard Privacy Gaat hoofdzakelijk om de privésfeer Gaat voornamelijk om verticale verhoudingen Opkomst van natiestaten Eerst controle op het gebruik van macht & zorgplichten Nu steeds meer individuele rechten Data Protection Gaat om zowel de privé- als de publieke sfeer Gaat voornamelijk om horizontale verhoudingen Technologische ontwikkelingen Controle op het gebruik van macht & zorgplichten

Gegevensbescherming Richtlijn bescherming persoonsgegevens (EU) Wet bescherming persoonsgegevens (NL) Van toepassing als: Persoonsgegevens Verwerkt Verantwoordelijke Territorialiteit

Excepties Artikel 3 Werkingssfeer 2. De bepalingen van deze richtlijn zijn niet van toepassing op de verwerking van persoonsgegevens: - die met het oog op de uitoefening van niet binnen de werkingssfeer van het Gemeenschapsrecht vallende activiteiten geschiedt zoals die bedoeld in de titels V en VI van het Verdrag betreffende de Europese Unie en in ieder geval verwerkingen die betrekking hebben op de openbare veiligheid, defensie, de veiligheid van de Staat (waaronder de economie van de Staat, wanneer deze verwerkingen in verband staan met vraagstukken van Staatsveiligheid), en de activiteiten van de Staat op strafrechtelijk gebied; - die door een natuurlijk persoon in activiteiten met uitsluitend persoonlijke of huishoudelijke doeleinden wordt verricht. Artikel 9 Verwerking van persoonsgegevens en vrijheid van meningsuiting De Lid-Staten voorzien voor de verwerking van persoonsgegevens voor uitsluitend journalistieke of voor artistieke of literaire doeleinden in uitzonderingen op en afwijkingen van de bepalingen van dit hoofdstuk en van de hoofdstukken IV en VI uitsluitend voor zover deze nodig blijken om het recht op persoonlijke levenssfeer te verzoenen met de regels betreffende de vrijheid van meningsuiting.

Materiële bepalingen 1. Plichten van de verwerker 2. Rechten van het data subject 3. Handhaving

Artikel 12 - Recht van toegang De Lid-Staten waarborgen elke betrokkene het recht van de voor de verwerking verantwoordelijke te verkrijgen: a) [] b) naar gelang van het geval, de rectificatie, de uitwissing of de afscherming van de gegevens waarvan de verwerking niet overeenstemt met de bepalingen van deze richtlijn, met name op grond van het onvolledige of onjuiste karakter van de gegevens; c) kennisgeving aan derden aan wie de gegevens zijn verstrekt, van elke rectificatie, uitwissing of afscherming, uitgevoerd overeenkomstig punt b), tenzij zulks onmogelijk blijkt of onevenredig veel moeite kost

Artikel 14 Recht van verzet van de betrokkene De Lid-Staten kennen de betrokkene het recht toe: a) zich ten minste in de gevallen, bedoeld in artikel 7, onder e) en f), te allen tijde om zwaarwegende en gerechtvaardigde redenen die verband houden met zijn bijzondere situatie ertegen te verzetten dat hem betreffende gegevens het voorwerp van een verwerking vormen, behoudens andersluidende bepalingen in de nationale wetgeving. In geval van gerechtvaardigd verzet mag de door de voor de verwerking verantwoordelijke persoon verrichte verwerking niet langer op deze gegevens betrekking hebben; b) zich te verzetten, op verzoek en kosteloos, tegen de voorgenomen verwerking van hem betreffende persoonsgegevens door de voor de verwerking verantwoordelijke persoon met het oog op direct marketing, of te worden ingelicht voordat persoonsgegevens voor de eerste keer aan derden worden verstrekt of voor rekening van derden worden gebruikt voor direct marketing en het recht uitdrukkelijk ter kennis gebracht te krijgen dat hij of zij zich kosteloos kan verzetten tegen deze verstrekking of dit gebruik van gegevens.

Algemene Verordening Gegevensbescherming 1. Plichten van de verwerker uitgebreid 2. Rechten van het data subject uitgebreid 3. Handhaving uitgebreid + geharmoniseerd

Leaked proposal - Article 15 Right to be forgotten and to erasure 1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data where: (a) the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed; or (b) the data subject withdraws consent on which the processing is based according to Article 5(1)(a), or when the storage period consented to has expired; or (c) the data subject objects to the processing of personal data pursuant to Article 17; or (d) their processing otherwise does not comply with this Regulation. This right shall apply especially in relation to personal data which are made available by the data subject while he or she was a child. 2. Where the controller referred to in paragraph 1 has made the data public, it shall in particular ensure the erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service which allows or facilitates the search of or access to this personal data. 3. The controller shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary: (a) for exercising the right of freedom of expression in accordance with Article 79; or (b) for historical, statistical and scientific research purposes in accordance with Article 83; or (c) for compliance with a legal obligation to retain the data by Union or Member State law to which the controller is subject; this law shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued; or (d) in the cases referred to in paragraph 4.   4. Instead of erasure, the controller shall restrict processing of personal data where: (a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data; (b) the controller no longer needs them for the accomplishment of its task but they have to be maintained for purposes of proof; (c) the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead; (d) the data subject requests to transmit the personal data into another automated processing system in accordance with Article 16(2). 5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest. 6. Where processing of personal data is restricted pursuant to paragraph 4, the controller shall inform the data subject before lifting the restriction on processing. 7. The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and for a periodic review of the need for the storage of the data are observed. 8. Where the erasure is carried out, the controller shall not otherwise process such personal data. 9. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying: (a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations; (b) the criteria for deleting public Internet links, copies or replications of personal data from publicly available communication service as referred to in paragraph 2; (c) the criteria and conditions as regards personal data identified for the purpose of restricting its processing as referred to in paragraph 4.

Commission Proposal: Article 17 Right to be forgotten and to erasure 1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies: (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data; (c) the data subject objects to the processing of personal data pursuant to Article 19; (d) the processing of the data does not comply with this Regulation for other reasons.   2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication. 3. The controller shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary: (a) for exercising the right of freedom of expression in accordance with Article 80; (b) for reasons of public interest in the area of public health in accordance with Article 81; (c) for historical, statistical and scientific research purposes in accordance with Article 83; (d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued; (e) in the cases referred to in paragraph 4. 4. Instead of erasure, the controller shall restrict processing of personal data where: (a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data; (b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof; (c) the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead; (d) the data subject requests to transmit the personal data into another automated processing system in accordance with Article 18(2). 5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.   6. Where processing of personal data is restricted pursuant to paragraph 4, the controller shall inform the data subject before lifting the restriction on processing. 7. The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and/or for a periodic review of the need for the storage of the data are observed.   8. Where the erasure is carried out, the controller shall not otherwise process such personal data. 9. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying: (a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations; (b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2; (c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.

Parliament Proposal: Article 17 Right to erasure 1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, and to obtain from third parties the erasure of any links to, or copy or replication of, that data where one of the following grounds applies:  (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data; (c) the data subject objects to the processing of personal data pursuant to Article 19; (ca) a court or regulatory authority based in the Union has ruled as final and absolute that the data concerned must be erased; (d) the data has been unlawfully processed. 1a. The application of paragraph 1 shall be dependent upon the ability of the controller to verify that the person requesting the erasure is the data subject.   2. Where the controller referred to in paragraph 1 has made the personal data public without a justification based on Article 6(1), it shall take all reasonable steps to have the data erased, including by third parties, without prejudice to Article 77. The controller shall inform the data subject, where possible, of the action taken by the relevant third parties. 3. The controller and, where applicable, the third party shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary: (a) for exercising the right of freedom of expression in accordance with Article 80; (b) for reasons of public interest in the area of public health in accordance with Article 81; (c) for historical, statistical and scientific research purposes in accordance with Article 83; (d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the right to the protection of personal data and be proportionate to the legitimate aim pursued; (e) in the cases referred to in paragraph 4. 4. Instead of erasure, the controller shall restrict processing of personal data in such a way that it is not subject to the normal data access and processing operations and can not be changed anymore, where: (a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data; (b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof; (c) the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead; (ca) a court or regulatory authority based in the Union has ruled as final and absolute that the data concerned must be restricted; (d) the data subject requests to transmit the personal data into another automated processing system in accordance with paragraphs 2a of Article 15; (da) the particular type of storage technology does not allow for erasure and has been installed before the entry into force of this Regulation. 5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest. 6. Where processing of personal data is restricted pursuant to paragraph 4, the controller shall inform the data subject before lifting the restriction on processing. 8. Where the erasure is carried out, the controller shall not otherwise process such personal data. 8a. The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and/or for a periodic review of the need for the storage of the data are observed. 9. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying: (a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations; (b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2; (c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.

Google/Spain ‘Furthermore, the processing by the publisher of a web page consisting in the publication of information relating to an individual may, in some circumstances, be carried out ‘solely for journalistic purposes’ and thus benefit, by virtue of Article 9 of Directive 95/46, from derogations from the requirements laid down by the directive, whereas that does not appear to be so in the case of the processing carried out by the operator of a search engine.’ Google/Spain, r.o. 85.

Google/Spain Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.

Europees Hof voor de Rechten van de Mens - Węgrynowski en Smolczewski/Polen ‘The Court accepts that it is not the role of judicial authorities to engage in rewriting history by ordering the removal from the public domain of all traces of publications which have in the past been found, by final judicial decisions, to amount to unjustified attacks on individual reputations. Furthermore, it is relevant for the assessment of the case that the legitimate interest of the public in access to the public Internet archives of the press is protected under Article 10 of the Convention.’

Rechtbank Amsterdam 18-09-2014 ‘Zoekmachine Google Search hoeft de gegevens van een veroordeelde man niet te verwijderen. Dat heeft de voorzieningenrechter bepaald. De man wilde dat Google verschillende links die verwijzen naar websites (waarop informatie staat over de veroordeling van de man in 2012 voor een ernstig misdrijf) zou verwijderen. De man baseerde zich daarbij op de Wet bescherming persoonsgegevens en een uitspraak van het Hof van Justitie van de EU. Volgens het Costeja-arrest van dat Hof kan men zich alleen verzetten tegen het tonen van zoekresultaten die ‘irrelevant” ‘buitensporig’ of ‘onnodig diffamerend’ zijn. De voorzieningenrechter oordeelt dat negatieve publiciteit als gevolg van een ernstig misdrijf in zijn algemeenheid juist blijvend relevante informatie over een persoon is. Dat de zoekresultaten verwijzen naar berichten die ‘buitensporig’ of ‘onnodig diffamerend’ zijn, heeft de man onvoldoende onderbouwd.’