Answer given by Mrs Reding on behalf of the Commission
On 25 January 2012, the Commission adopted its proposals for the EU data protection reform and submitted them to the European Parliament and to the Council. Inter alia, the proposed regulation establishes an explicit ‘right to be forgotten’.
The principle underpinning the right to be forgotten has existed in EU data protection law since 1995: once personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, they must — as a general rule — be deleted, and any further dissemination be abstained from.
The obligations to be imposed on data processors by the right to be forgotten are the deletion of data held by the controller and the requirement for a controller to abstain from further dissemination (see Art. 17(1)). Both these obligations are technically feasible and in practice very good results are already being achieved.
In addition, the proposed Regulation takes into account the reality of the Internet, which permits massive linking and dissemination of data. In particular, Art. 17(2) specifies that controllers are not required to erase all public data themselves, but are required to take all reasonable steps, including technical measures, to inform third parties which are processing the data that a data subject requires them to erase any links to, or copy or replication of personal data.
It is the task of the independent data protection supervisory authorities to monitor and ensure the application of the data protection rights and obligations. The Reform proposal strengthens the independence and the powers of these data protection authorities, inter alia by ensuring that they can apply administrative sanctions, including in case of violations of the right to be forgotten.