Digital Forgetting in the Age of Social Media: Establishing a Comprehensive Right to Cyber-Oblivion

Ioannis Iglezakis
Assistant Professor, Aristotle University of Thessaloniki
Abstract:
In the age of social media where it is almost impossible to escape your past on the Internet, the right to be forgotten enhances the ability of the individual to control the use of his or her personal data. Such a right has been recognized by the CJEU in the Google Spain case as far as search engines are concerned. With the adoption of the Data Protection Regulation by the EU it will form part of the EU legal framework in data protection.

Keywords: Data protection, digital forgetting, right to be forgotten, right to oblivion

1. Introduction

In the age of social media it is almost impossible to escape your past on the Internet, since every status update or photograph, and every tweet may be copied and/or reposted by other users or saved in Internet archives, such as the wayback machine1, and in cached pages2 or even – in case of photographs stored in the cloud – leaked online after an attack by hackers; as a result personal information may be available online, even if it has been deleted in its initial place (Mitrou/Karyda, 2012).

To address the issue of the Web that never forgets, jurists have proposed the introduction of a new digital right, a right to delete personal information from the Net (Mayer-Schönberger, 2009). This right draws its origin from the French and Italian law which recognize the right to oblivion that allows a convicted criminal who has served his time and been rehabilitated to object to the publication of his conviction and confinement.

In the digital world this right acquires a new substance; it is conceived as a right to delete personal information published in the web by data subjects, particularly in social networking sites. Some authors also consider this not as a legal right, but as a value or interest worthy or protection or as a policy goal to be achieved through law or through other regulatory mechanisms (Koops, 2011, Rouvroy, 2008).

The right to be forgotten in enshrined in Article 17 of the Draft Regulation on Data Protection (‘General Data Protection Regulation’, GDPR), which was presented in 2012 by the EU Commission and its adoption is still pending.

The introduction of this right has been the subject of much debate, for it is being criticized as a threat to free speech on the Internet (see, e.g. Rosen, 2012, Fleischer, 2011). Viviane Reding, Vice-President of the EU Commission describes this right as a modest expansion of existing data privacy rights. The Court of Justice of the EU with its decision of 13 May 2014 in the Google Spain case (C-131/12) confirmed this view, interpreting the provisions of Directive 95/46/EEC in such a way as to include a right ‘to be forgotten’ on the Net.4
2. Outline of the right to be forgotten

The provision of Article 17 GDPR basically includes a right to erasure of data that requires the controller to delete personal data and preclude any further dissemination of this data, but also to oblige third parties, e.g. search engines, etc., to delete any links to, or copies or replication of that data.5

In the initial Draft it was mentioned that this right has particular relevance when the individual made data available as a child. Although this provision was deleted after the vote in the Libe Committee, it is still a fact that a right to erasure of information has particular reference in cases where the information posted by young people in social media becomes obsolete when this person grows old. In more general, embarrassing information may be the subject of a right to digital forgetting that may protect against the negative use of information relating to the past (Costa, Poullet, 2012).

 This applies in five instances, which derive from data protection principles: a) where data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) where the data subject withdraws consent on which the processing is based or when the storage period consented to has expired and there is no other legal ground for the processing of the data; c) where the data subject objects to the processing of personal data; d) where a court or regulatory authority base in the Union has ruled as final and absolute that the data concerned must be erased; or e) where the data has been unlawfully processed.

The right to be forgotten which is enshrined in the GDPR is not conceived as an absolute right; thus, a number of exceptions restrict its ambit, the most important being the freedom of expression and information. There is consensus that such a right cannot amount to a right of erasure of history and turn our modern society into a society of ‘lotus eaters’ (Iglezakis, 2014), which would be the case if the Internet was programmed to forget, e.g. if Internet content was programmed to auto-expire (Fleischer, 2011). Consequently, the erasure cannot take place where the retention of the personal data is necessary for exercising the right to freedom of expression.
3. The current EU legal framework and the Google Spain of the CJEU

Authors have taken the view that the existing legal framework in the EU, i.e. the Data Protection Directive (DPD)6 does not establish a comprehensive right to effectively control the use of personal data with a view to erase them, but some provisions provide a legal basis for a limited recognition of the right to be forgotten (Ausloos, 2012).

The Court of Justice of the European Union (CJEU), on the other hand, found that the provisions of the Directive can serve as a legal basis for the right to be forgotten vis-à-vis search engine providers. In its decision on May 13 2014, in case C-131/12 (Google Spain SL, Google Inc. v. Agencia Espanola de Proteccion de Datos, Mario Costeja Gonzalez), it ruled that the ‘right to be forgotten’ is rooted in the provisions of Directive 95/46/EEC (Alsenoy et al., 2013).

In this case it was held that an Internet search engine operator is responsible for the processing that it carries out of personal data appearing on web pages published by third parties, i.e., content providers. The Court ruled that the data subject may request the removal of links, which are displayed in the list of results after a search on the basis of a person’s name.

In more particular, in response to the question whether the directive enables the data subject to request that links to web pages be removed from such a list of results on the grounds that he wishes the information appearing on those pages relating to him personally to be ‘forgotten’ after a certain time, the Court held that, if it is found, following a request by the data subject, that the inclusion of those links in the list is, at this point in time, incompatible with the directive, the links and information in the list of results must be erased.

The Court stressed out that even initially lawful processing of accurate data may, in the course of time, become incompatible with the directive where the data appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.

It also added that it should in particular be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results that is displayed following a search made on the basis of his name. If that is the case, the links to web pages containing that information must be removed from that list of results, unless there are particular reasons, such as the role played by the data subject in public life, justifying a preponderant interest of the public in having access to the information when such a search is made.

This decision has had significant repercussions; it was criticized by Wikipedia founder Jimmy Wales who called it ‘astonishing’ and free speech advocates at the Index on Censorship said this ruling “should send chills down the spine of everyone in the European Union who believes in the crucial importance of free expression and freedom of information”.7 Google received immediately after the decision was issued takedown requests, some of which are indeed ambiguous, such as the request of an ex-politician seeking re-election to have links to an article about his behavior in office removed and a man convicted of possessing child abuse images to have pages about his conviction wiped and a doctor asking negative reviews to be removed from search results.8

In order to cope with the flood of takedown requests Google launched a service to allow Europeans to ask for personal data to be removed; it created a a webform through which people can submit their requests for the erasure of links to information regarding them.9 This solution was criticized by EU regulators, since it restricted the removal of Internet links to European sites only and it notified the owners of websites that have been removed from search results when it proceeds to such removal.10
4. Perspectives
The CJEU ruling find direct application on search engines and concerns the right of the individual to erasure links to names of data subjects by a list of results displayed after a search is made on the made of his name. However, the court recognized that the data subject has to the right to object to the processing of personal data published on the Internet. As a result, data subject may invoke this ruling when filing takedown requests against content providers. It remains to be seen whether the right to be forgotten would acquire a more general scope of application even before the adoption of the Data Protection Regulation.


REFERENCES:
Alsenoy, B., Van/Kuczerawy, A./Ausloos, J., Search engines after Google Spain: internet@liberty or privacy@peril?, ICRI working paper 15/2013, online available at: https://www.law.kuleuven.be/icri/  and http://ssrn.com/link/ICRI-RES.html
Ausloos, J., The ‘Right to be Forgotten’ Worth remembering?, (2012)  Computer Law & Security Review 28, pp. 143-152.
Costa, L./Poullet, Y., Privacy and the regulation of 2012, (2012) Computer Law & Security Review 28, pp. 254-262.
Fleischer, P., Foggy Thinking About the Right to Oblivion, Privacy…? (Mar. 9, 2011), online available at: http://peterfleischer.blogspot.com/2011/03/foggy-thinking-about-right-to-oblivion.html.
Iglezakis, I., The right to digital oblivion and its restrictions (2014), Sakkoulas ed. (in Greek).
Koops, B.–J., Forgetting Footprints, Shunning Shadows. A Critical Analysis of the “Right to Forgotten” in Big Data Practice, (2011) scripted vol. 8, Issue 3, Dec. 2011.
Mayer-Schönberger, V., Delete: The Virtue of Forgetting in the Digital Age (2009), Princeton University Press.
Mitrou, L./Karyda, M., EU’s Data Protection Reform and the Right to be Forgotten: A Legal Response to a Technological Challenge? (February 5, 2012). 5th International Conference of Information Law and Ethics 2012, Corfu-Greece, June 29-30, 2012, online available at SSRN: http://ssrn.com/abstract=2165245
Rosen, J., Free Speech, Privacy, and the Web that Never Forgets, (2011) 9 J. on Telecomm. and High Tech. L. 345.
Rosen, J., The Right to Be Forgotten, 64 Stan. L. Rev. Online 88, February 13, 2012, online available at: http://www.stanfordlawreview.org/sites/default/files/online/topics/64-SLRO-88.pdf
Rouvroy, A., Reinventer l’art d’oublier et de se faire oublier dans la de l’information? version augmentée, (2008) online available at: http://works.bepress.com/antoinette_rouvroy/5/ 
ENDNOTES:
1.       https://archive.org/web/
4.       Court of Justice of the European Union, case C-131/12 – Google Spain SL, Google Inc. v. Agencia Espanola de Proteccion de Datos, Mario Costeja Gonzalez.
6.       Directive 1995/46/EC.
7.       D. Lee, Google ruling ‘astonishing’, says Wikipedia founder Wales, http://www.bbc.com/news/technology-27407017
8.       J. Wakefield, Politician and paedophile ask Google to ‘be forgotten’, http://www.bbc.com/news/technology-27423527
9.       ”Google launches ‘right to be forgotten’ webform for removal requests”, theguardian, Friday 30 May, 2014, www.theguardian.com
10.   See J. Fioretti, Google under fire from regulators on Eu privacy ruling, Reuters, July 24, 2014.

Γερμανικό Ακυρωτικό: Η υπηρεσία αναζήτησης εικόνων της Google μπορεί να παρουσιάζει φωτογραφίες σε σμίκρυνση

Μια καθαρή νίκη πέτυχε η υπηρεσία αναζήτησης Google και οι εν γένει μηχανές αναζήτησης, καθώς με πρόσφατη απόφαση του Γερμανικού Ακυρωτικού κρίθηκε ότι μπορούν να παρουσιάζουν στα αποτελέσματά τους προεπισκοπήσεις των εικόνων στις οποίες παραπέμπουν με συνδέσμους και η ενέργεια αυτή δεν παραβιάζει το δίκαιο πνευματικής ιδιοκτησίας.

Η υπόθεση που έτυχε αντιμετώπισης από το BGH αφορούσε την αγωγή μιας καλλιτέχνιδος, η οποία στράφηκε κατά της Google, επικαλούμενη την παραβίαση των δικαιωμάτων πνευματικής ιδιοκτησίας επί των έργων της, για το λόγο ότι μετά από αναζήτηση στη μηχανή αναζήτησης της Google εμφανίζονταν αποσπάσματα των έργων της (μικρές φωτογραφίες). Σύμφωνα με την ενάγουσα, παρ’ ότι γινόταν παραπομπή στην ιστοσελίδα της από την Google, η τελευταία δεν είχε το δικαίωμα να δημιουργήσει φωτογραφίες με τα έργα της, να τις σμικρύνει και να τις παρουσιάζει ως προεπισκόπηση στην αναζήτηση εικόνων.

Ωστόσο, το Ανώτατο Ακυρωτικό Δικαστήριο της Γερμανίας στην απόφαση της 29ης Απριλίου 2010 – I ZR 69/08, έκρινε ότι η παραπάνω εταιρία δεν έχει παραβιάσει δικαιώματα πνευματικής ιδιοκτησίας με την απεικόνιση προστατευόμενων έργων στη μηχανή αναζήτησής της. Σύμφωνα με το Δικαστήριο από τη συμπεριφορά της ενάγουσας προκύπτει ότι ήταν σύμφωνη με την παρουσίαση των έργων της από μηχανές αναζήτησης, καθώς δεν είχε φράξει την ιστοσελίδα, ώστε να μην μπορεί να προβάλλεται από μηχανές αναζήτησης, τροποποιώντας κατάλληλα τον κώδικα της ιστοσελίδας.

Ωστόσο, το Δικαστήριο τονίζει ότι υπάρχουν περιπτώσεις όπου δεν ισχύουν τα παραπάνω και συγκεκριμένα, όταν τις φωτογραφίες έχουν δημοσιεύσει στο Διαδίκτυο τρίτοι, χωρίς δικαίωμα. Σε τέτοιες περιπτώσεις, όπως κρίθηκε με απόφαση του ΔΕΚ (απόφαση της 23.3.2010 – υπόθεση C-236/08 έως C-238/08 – Google France/Louis Vuitton), η Google μπορεί να ευθύνεται, σύμφωνα με τις διατάξεις της οδηγίας 2000/31, εφόσον είχε λάβει γνώση της παράνομης συμπεριφοράς.

Όπως γίνεται σαφές στην παραπάνω απόφαση του γερμανικού Ακυρωτικού, η έννοια της συναίνεσης μετά από κάθε δημοσιοποίηση περιεχομένου στο Διαδικτύου, διαστέλλεται αρκετά και για αυτό, η εν λόγω κρίση δεν μπορεί να έχει γενική ισχύ και σε άλλα επιμέρους ζητήματα που πρέπει να κρίνονται ad hoc.

Σφάλματα στη λειτουργία της μηχανής αναζήτησης Google

Ακόμα και οι καλύτεροι δεν αποφεύγουν τα λάθη στον προγραμματισμό (bugs)! Το Σάββατο η υπηρεσία αναζήτησης της Google δεν λειτουργούσε σωστά, αφού σε κάθε αναζήτηση εμφανιζόταν το μήνυμα ότι “τα αποτελέσματα μπορεί να βλάψουν τον υπολογιστή σας” (“may harm your computer”).

Η εταιρία ισχυρίζεται ότι δεν γνωρίζει την αιτία του σφάλματος, το οποίο έχει ήδη διορθωθεί.

Διάλογος μεταξύ της Google και της επιτροπής του άρθρου 29 για ζητήματα προστασίας δεδομένων

Σε προηγούμενη ανάρτηση, σημειώσαμε τα ζητήματα προστασίας δεδομένων σε σχέση με τις μηχανές αναζήτησης. Η αντίδραση της Google στη γνωμοδότηση της επιτροπής του άρθρου 29 ήταν να ανακοινώσει συγκεκριμένες δράσεις.

Ειδικότερα, η εταιρία Google απάντησε στις 8.09.2008 δηλώνοντας το ενδιαφέρον της για τη λύση των ζητημάτων προστασίας προσωπικών δεδομένων.

Συγκεκριμένα, δήλωσε ότι θα προβεί σε δύο κινήσεις: α) την ανωνυμοποίηση των διευθύνσεων ΙΡ που συνδέονται με τις αναζητήσεις των χρηστών, μετά από 9 μήνες, αντί για 18 μήνες και β) την εισαγωγή συνδέσμου στην αρχική σελίδα της Google που θα παραπέμπει στην πολιτική προστασίας δεδομένων της εταιρίας.

Η Επιτροπή του άρθρου 29 δια του προέδρου της, Alex TÜRK, δήλωσε ικανοποίηση σε σχέση με τις αλλαγές αυτές. Ωστόσο, παραμένουν μια σειρά προβλήματα, όπως είναι η θεώρηση της εταιρίας ότι το ευρωπαϊκό δίκαιο προστασίας δεδομένων δεν βρίσκει εφαρμογή, η διατήρηση δεδομένων των χρηστών πέραν των 6 μηνών, η μη βελτίωση των μηχανισμών ανωνυμοποίησης, το ότι η Google δεν θεωρεί τις διευθύνσεις ΙΡ ως προσωπικά δεδομένα και δεν παρέχει δικαιώματα στους χρήστες, τέλος, δε το γεγονός ότι δεν προσφεύγει σε διαφανή αναζήτηση συγκατάθεσης.