The EU’s Right to be Forgotten as Applied to Cloud Computing in the Context of Online Privacy Issues - Conference “Getting around the cloud(s) - Technical and legal issues on Cloud services”

Authors: Francesco Lazzeri


The core of this study concerns the implementation of Art. 17 of the EU Proposal for a General Data Protection Regulation, introducing a «right to be forgotten and to erasure», in light of the essential features of cloud computing services.

In a wider perspective, the fundamental issues underlying this problem can be summed up as follows: how can personal information be deleted from the Internet? And, most importantly: when is it admissible to do so?

As a matter of fact, both these questions can be made more specific by asking whether full erasure is materially and technically possible, and what conditions and legal boundaries such an action should face.

It has emerged that Art. 17, believed by many to be inappropriate already with reference to the expression «right to be forgotten», is not adequate to provide a satisfying response in terms of transparent regulation and efficient protection of relevant interests.

A practical paradox arises: in fact, those very characteristics of the web that make it so appealing and economically profitable prove to be one of the main obstacles when it comes to effectively deleting information. The Internet, it has been said, has indeed an eternal memory.

Besides the practical issues of removing copies and links from the web, the article focuses on the legal framework protecting the data subject's interest in the erasure of personal information.

In this respect, a convincing evaluation of the currently applicable data protection rules comes from the Advocate General’s Opinion in a recent case (Google vs. Spain, C-131/12), on which the Court of Justice has only recently rendered its judgment, of which the article gives a first evaluation.

The AG has concluded that individuals cannot derive a general «right to be forgotten» from Directive 95/46. The following decision by the Court — mostly in light of Arts. 7 and 8 of the Charter of Fundamental Rights of the European Union — while establishing that search engines must delete “inadequate, irrelevant or no longer relevant” data from their results, made clear that in order for “delisting” to be granted, the proper balance has to be struck by the search engine itself between fundamental rights and the public interest in continued ability to access information, thus making the implementation of such a right unsystematic and potentially arbitrary.

In contrast, a first glance at the Proposal for a General Data Protection Regulation may suggest that a major overhaul has been performed. However, when looked at more closely, Art. 17 does not seem to represent a substantial change. In fact, the hypotheses enabling erasure can be traced back to the cases of (a) data retention in contrast with the law and of (b) supervening lack of reasons legitimating data processing.

The Author’s opinion is that the real innovation, if any, consists in the role acknowledged to consent, which, according to Art. 7 of the Proposal, can now be withdrawn «at any time».

It is not easy to understand how some of the grounds for erasure will adapt to the cloud dimension.

There is a major problem to be highlighted as prejudicial to the implementation of Art. 17 in the context of cloud computing services: the most critical aspect of this provision is (first) defining and (then) identifying the subjects involved. That means understanding who is the controller and who is the processor in each situation, as well as their relationship with the data subject.

Compared to par. 1, the second paragraph of Art. 17 is more appreciable in the sense that it is implicitly devised with a view to the structure of the Internet and of Internet services: therefore, it is probably the more interesting when dealing with cloud computing. Even so, it is hard to understand how it can be implemented, for two main reasons:

(a) First, if we agree with Art. 29 WP’s opinion, we should identify the controller with the cloud client; but this solution ignores the fact that the user usually does not have a range of technical tools comparable to that of the provider. In contrast, qualifying the cloud provider as the data controller would lead to a better allocation of responsibility.

(b) Secondly, it is unclear what will happen once third parties have been informed of the data subject’s request to obtain erasure. Par. 2 remains silent on the point, but it is easy to realize that similar situations may be very frequent (if not the most frequent).

In addition, in order to understand the scope and limits of a «right to be forgotten» in the current information age, the Author tries to pick up the relevant clues laid down by the Court of Justice in relation to cases involving ISPs, on the assumption that the cloud provider can be regarded as such.

In this regard, the Proposal could play a key role in promoting privacy-oriented technologies, especially by means of the implementation of two principles: privacy by default and minimization of data collection.

In conclusion, if Art. 17 entered into force as it is now, a number of problems would arise concerning its true scope; in particular, how cloud computing services could comply with that provision remains a riddle. What’s more, the relevant issues of user-generated content and continue to be substantially unaddressed.

Keywords: cloud computing - web 2.0 - right to be forgotten in the EU - right to be forgotten in Italy - droit à l'oubli - technical issues in implementing right to erasure - Data Protection Directive - Proposal for a General Data Protection Regulation (GDPR) - art. 17 - Co