supervisory authorities or national courts 41. This indeed makes it seem as if the right is being“ privatised” 42.
Though the right to be forgotten may no doubt contribute to enabling individuals to defend their privacy( and, by the same token, their reputation and, ultimately, dignity), it hardly responds to the challenges of big data with their pervasiveness and actual lack of transparency. In reality, it can be said that, requiring a pre-existent data subject’ s request to exercise his / her rights, spares a great deal of effort to the operators helping to pave the way for the massive gathering of information enabled by big data mining. Moreover, the supervisory authorities are expected to intervene merely afterward, following denial of the subject’ s appeal by the operator of the search engine 43.
The above overview renders the reliance of the new data protection regime on self-regulation fairly clear. Efficiency considerations underlay the move towards a risk-based approach to data protection( Lynskey, 2015, p. 84). Definitely, the strengthening of autonomy and control by operators over the processing of personal data, including for the assessment of the risks arising therefrom for the rights and freedoms of data subjects may be understood in connection with the EU legislator’ s explicit intent, when revising the DPD, to reduce administrative burdens on the operators by substituting the obligation of notification of data processing and the preliminary control by the data protection authority, decreed by the DPD, with measures to be carried out by the controllers themselves 44. The Vice-President of the EC stated in this connection,“ This reform will greatly simplify the regulatory environment and will substantially reduce the administrative burden. We need to drastically cut red tape, do away with all the notification obligations and requirements that are excessively bureaucratic, unnecessary and ineffective 45. Such“ indiscriminate general notification obligations”“ did not in all cases contribute to improving the protection of personal data” and should therefore be abolished. This is an odd argument, though, considering that data protection authorities have commonly been judged as having been up to their supervisory responsibilities( European Union Agency for Fundamental Rights, 2010). Moreover, the assumption that risk-based approaches and self-regulation promise to be more effective than public control under the DPD appears, at this stage, little more than wishful thinking 46.
41 Following the Court’ s ruling, other search engines, such as Bing, have also made available“ right to be
forgotten” forms for European users( Gerry Berova, 2014, p. 478; Ribeiro, 2014).
42 On account of the potentially harmful ambiguity of this decision, the Article 29 Data Protection Working
Party issued guidelines setting non-exhaustive criteria to be followed by the supervisory authorities when search engines deny a subject’ s request to remove certain links to information affecting their privacy.( Article 29 Data Protection Working Party,“ Guidelines on the implementation of the Court of Justice of the European Union Judgment on‘ Google Spain and Inc V. Agencia Española de Protección de Datos( AEPD) and Mario Costeja González” C-131 / 12”, adopted on 26 November 2014, p. 3. Available at: < http:// ec. europa. eu / justice / dataprotection / article-29 / documentation / opinion-recommendation / files / 2014 / wp225 _ en. pdf)>( last accessed 18.03.2016).
43 Article 29 Data Protection Working Party, Guidelines …, p. 11-12.
44 Whereas 70 GDPR.
45 Viviane Reding, at BBA( British Bankers ' Association) Data Protection and Privacy Conference, London, 20
June 2011.
46 Whereas 70 GDPR.
57