By Dr. Edric Micallef Figallo – Associate
The following is the eleventh article in a series of articles delving into the GDPR, intended to give an overview of the main aspects of the provisions it introduced, retained and updated in the data privacy law regime of the European Union, and its legislative implementation in Malta. The previous article may be viewed by visiting https://abalegal.eu/the-gdpr-the-new-right-to-erasure-part-v/
____________________________________
In the previous part of this article we concluded our brief consideration of the right to object to processing as a basis to demand the right to be forgotten, or right to erasure as per Article 17(1)(c) of the GDPR. In this part, we shall briefly consider the exercise of the right to erasure according to Article 17(1)(d) of the GDPR. For reference, this provides as follows:
“1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(omissis)
(d) the personal data have been unlawfully processed;”
In reality this ground appears to be a broad ground and “unlawfully processed” could account for many scenarios. In view of that wording, questions as to interpretations arise as to the nature of what qualifies as “unlawfully processed”.
To give a theoretical example, consider a general data processing operation and the various obligations imposed on the controller and, or processor. Now consider that one particular obligation was not properly complied with, let us say the right to be informed in full prior to personal data processing as per Article 13 GDPR (we shall deal with this in separate articles), like for example on the identity of the controller for that data processing. The obligations involved are numerous, so would one failing be deemed to qualify under “unlawfully processed” and thus give rise to the possible exercise of the right of erasure under Article 17(1)(d) GDPR? The answer to that appears to be in the affirmative, in line with the general ethos and teleological interpretation of GDPR provisions. In view of most data processing practices around us, this is a good ground to explore should somebody seek to exercise the right to erasure.
Indeed, this ground is currently subject to a few preliminary references to the Court of Justice of the European Union and on which the latter would have to pronounce itself. However, such preliminary references are generally very specific, and could possibly leave the door wide open for interpretation even if the CJEU pronounces itself on them. On the other hand, the European Data Protection Board, in its Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1) Version 2.0 adopted on the 7th July 2020, had this to say:
“35. The notion of unlawful processing shall first be interpreted in view of Article 6 GDPR dedicated to lawfulness of processing. Other principles established under the GDPR (such as principles of Article 5 GDPR or of other provisions of Chapter II) may serve such interpretation.
- This notion shall secondly be interpreted broadly, as the infringement of a legal provision other than the GDPR. Such interpretation must be conducted objectively by Supervisory Authorities, according to national laws or to a court decision. For instance, a delisting request shall be granted in the event where the listing of personal information has been expressly prohibited by a court order.”
Article 6 GDPR, and I would add Article 9 GDPR, provide the legal basis for the lawful processing of all personal data. Therefore, primarily, anything found to be in violation thereof would be deemed unlawful processing and in turn activate the right to be forgotten under Article 17(1)(d) GDPR. Paragraph 36 above seems to imply that any non-compliance with the GDPR would qualify as “unlawful processing”. It also goes even further by stressing the role of the Supervisory Authority, in Malta being the Information and Data Protection Commissioner, and also national laws and judicial authorities. The corollary would be that the possible breach of any national law affecting the data processing process could activate the right to be forgotten under Article 17(1)(d) GDPR.
The above would seem to be another possibility, and it compounds in the idea that data processing must be performed at all times in perfect compliance with all applicable law, or else the personal data involved is prone to be erased at the request of the data subject. With that being said, and with a lack of higher-level judicial pronouncements on the matter, the above interpretation is solely the current position of the author and it should be stressed that it does not purport to be legal advice, nor should it be taken as such.