Oblivion, Erasure and Forgetting in the Digital Age

In light of the recent European Court of Justice ruling (ECJ C-131/12, Google Spain v Spanish Data Protection Agency),the “right to be forgotten” has once again gained worldwide media attention. Already in 2012, whenthe European Commission proposed aright to be forgotten,this proposal received broad public interest and was debated intensively. Under certain conditions, individuals should thereby be able todelete personal data concerning them. More recently – in light of the European Parliament’s approval of the LIBE Committee’samendments onMarch 14, 2014 – the concept seems tobe close to its final form.Although it remains, for the most part,unchanged from the previously circulated drafts, it has beenre-labelled as a“right of erasure”. This article argues that, despite its catchy terminology, the right to be forgotten can be understood as a generic term, bringing together existing legal provisions: the substantial right of oblivion and the rather procedural right to erasure derived from data protection. Hereinafter, the article presents an analysis of selected national legal frameworks and corresponding case law, accounting for data protection, privacy, and general tort law as well as defamation law. This comparative analysis grasps the practical challenges which the attempt to strengthen individual control and informational self-determination faces. Consequently, it is argued that narrowing the focus on the data protection law amendments neglects the elaborate balancing of conflicting interests in European legal tradition. It is shown thatthe attemptto implement oblivion, erasure and forgetting in the digital age is a complex undertaking.

GERMANY: Creating New Property Rights on the Basis of General Legal Concepts - Without Limits?

In two cases recently decided by two different senates of the German Federal Supreme Court (Bundesgerichtshof, BGH), the following issue was raised: To what extent can the filming of sports events organized by someone else, on the one hand, and the photographing of someone else’s physical property, on the other hand, be legally controlled by the organizer of the sports event and the owner of the property respectively? In its “Hartplatzhelden.de” decision, the first senate of the Federal Supreme Court concluded that the act of filming sports events does not constitute an act of unfair competition as such, and hence is allowed even without the consent of the organizer of the sports event in question. However, the fifth senate, in its “Prussian gardens and parks” decision, held that photographing someone else’s property is subject to the consent of the owner of the grounds, provided the photographs are taken from a spot situated on the owner’s property. In spite of their different outcomes, the two cases do not necessarily contradict each other. Rather, read together, they may well lead to an unwanted – and unjustified – extension of exclusive protection, thus creating a new “organizer’s” IP right.

Personal Data and Encryption in the European General Data Protection Regulation

Encryption of personal data is widely regarded as a privacy preserving technology which could potentially play a key role for the compliance of innovative IT technology within the European data protection law framework. Therefore, in this paper, we examine the new EU General Data Protection Regulation’s relevant provisions regarding encryption – such as those for anonymisation and pseudonymisation – and assess whether encryption can serve as an anonymisation technique, which can lead to the non-applicability of the GDPR. However, the provisions of the GDPR regarding the material scope of the Regulation still leave space for legal uncertainty when determining whether a data subject is identifiable or not. Therefore, we inter alia assess the Opinion of the Advocate General of the European Court of Justice (ECJ) regarding a preliminary ruling on the interpretation of the dispute concerning whether a dynamic IP address can be considered as personal data, which may put an end to the dispute whether an absolute or a relative approach has to be used for the assessment of the identifiability of data subjects. Furthermore, we outline the issue of whether the anonymisation process itself constitutes a further processing of personal data which needs to have a legal basis in the GDPR. Finally, we give an overview of relevant encryption techniques and examine their impact upon the GDPR’s material scope.