EU proposes 'right to be forgotten' by internet firms

Image caption, Viviane Reding said that individuals must be given control over their information

A new law promising internet users the "right to be forgotten" will be proposed by the European Commission on Wednesday.

It says people will be able to ask for data about them to be deleted and firms will have to comply unless there are "legitimate" grounds to retain it.

The move is part of a wide-ranging overhaul of the commission's 1995 Data Protection Directive.

Some tech firms have expressed concern about the reach of the new bill.

Details of the revised law were unveiled by the Justice Commissioner, Viviane Reding, at the Digital Life Design (DLD) conference in Munich.

A spokesman for the commissioner clarified that the action was designed to help teenagers and young adults manage their online reputations.

"These rules are particularly aimed at young people as they are not always as aware as they could be about the consequence of putting photos and other information on social network websites, or about the various privacy settings available," said Matthew Newman.

He noted that this could cause problems later if the users had no way of deleting embarrassing material when applying for jobs. However, he stressed that it would not give them the right to ask for material such as their police or medical records to be deleted.

Although the existing directive already contains the principle of "data minimisation", Mr Newman said that the new law would reinforce the idea by declaring it "a right".

Data loss alerts

Other measures in the bill include an obligation on all firms to notify users and the authorities about data lost through hacking attacks or other breaches "as soon as possible".

Ms Reding said that she would expect that under normal circumstances this would mean within 24 hours.

The commissioner said that firms would have to explicitly seek people's permission to use data about them and could not proceed on the basis of "assumed" consent in situations where approval was required.

Her proposed law says that internet users must also be notified when their data is collected, and be told for what purpose it is being processed and for how long it will be stored.

The bill also suggests people must be given easier access to the data held on them, and should have the right to move it to another provider in addition to the right to have it deleted.

However, the commissioner said that she recognised there were some circumstances under which this right would not apply.

"The archives of a newspaper are a good example. It is clear that the right to be forgotten cannot amount to a right of the total erasure of history,".

If approved the law would create a pan-EU set of data privacy rules for the first time. These would also apply to overseas companies active in the 27-member bloc, even if they handled the data on servers based in other parts of the world.

The commissioner suggested that this would simplify regulations and reduce the administrative burden on firms, saving them around 2.3bn euros ($3bn; 拢1.9bn) a year.

Penalties

However, Microsoft Europe's chief operating officer, Ron Zink, was quoted by the Financial Times as saying that the proposals.

Facebook also signalled that it wanted more information about the scope of the data that the EU thought users should be able to control.

But it added: "We welcome vice-president Reding's view that good regulation should encourage job creation and economic growth rather than hindering it, and look forward to seeing how the EU Data Protection Directive develops in order to deliver these two goals while safeguarding the rights of internet users."

Google and Yahoo said that they were not able to provide statements at this time.

Firms that failed to abide by the proposed new rules could be fined as much as 1% of their global revenues, according to a draft document obtained by the Reuters news agency. The FT had reported in December that the sum could be as much as 5%.

The new rules will need to be approved by the EU's member states and ratified by the European Parliament. As a result it could take two or more years for the new directive to come into effect.