EU Data Protection: is it right to be forgotten?

written by Eleanor Lavan on 07/02/2012

The European Parliament is considering amendments to the European Data Protection framework. Significant changes to the existing regime are being tabled, with the aim of increased harmonisation on tackling the issue across the EU. The BBA welcomes the intent of bringing data protection rules up to date, provided the interests of customers are also protected.

Law-makers began to ask questions about the suitability of existing data protection legislation as a result of the rise of the internet and the explosion of social media use. The original Data Protection Directive was instituted in 1995, long before ‘to Google’ and ‘to tweet’ were officiated into the Oxford English Dictionary (2006 and 2011 respectively).

Helpful areas of the new proposals include measures such as ‘home country data privacy supervision’: one supervisory authority will be able to make decisions regarding the activities of a pan-European organisation. Establishing one supervisory headquarters will cut right through red tape currently constricting the everyday operations of companies.

However, financial services firms have some reservations regarding other amendments, in particular ensuring the individual’s right to be forgotten.

Enforcing such a right will require the erasure of personal data on request of the citizen. There are clear and legitimate reasons why banks should be exempt from such an absolute requirement: obviously, it is essentially important that they can retain records of those customers who have got into financial difficulty, committed fraud or been declared bankrupt in the past.

Reviewers of the Directive are committed to balancing the necessary burdens on companies with any potential advantages to EU citizens. The Parliament recognises that there is no point burdening businesses if there is no tangible benefit to the customer, or if protection is counter-intuitively diminished by blanket implementation. Any changes need to be reasonable and practicable, and not just for banks. This legislation will impact companies of all kinds, and compliance is going to be challenging, especially for new businesses. Smaller companies in any industry may suffer under the pressure and resulting cost of dealing with the legislative paperwork.

What is more, if the proposals are instituted, any breach of data protection could result in fines of up to two per cent of a firm’s global turnover. Such hefty penalties would seem disproportionate to businesses with significant operations outside the EU: two per cent of turnover could well figure several billion euros for them.

Opponents in the Commission have already singled out the right to be forgotten as a ‘heavy and at times unreasonable burden’ on controllers. What has to be remembered is that banks operating in the UK are already well-regulated by checks of both internal and national design. There are excellent processes - efficient and effective - in place to ensure that the highest levels of data protection for the customer.