Ioannis Iglezakis
Assistant Professor, Aristotle University of Thessaloniki
Abstract:
In the age of social media where it is almost impossible to escape your past on the Internet, the right to be forgotten enhances the ability of the individual to control the use of his or her personal data. Such a right has been recognized by the CJEU in the Google Spain case as far as search engines are concerned. With the adoption of the Data Protection Regulation by the EU it will form part of the EU legal framework in data protection.
Keywords: Data protection, digital forgetting, right to be forgotten, right to oblivion
1. Introduction
In the age of social media it is almost impossible to escape your past on the Internet, since every status update or photograph, and every tweet may be copied and/or reposted by other users or saved in Internet archives, such as the wayback machine1, and in cached pages2 or even – in case of photographs stored in the cloud – leaked online after an attack by hackers; as a result personal information may be available online, even if it has been deleted in its initial place (Mitrou/Karyda, 2012).
To address the issue of the Web that never forgets, jurists have proposed the introduction of a new digital right, a right to delete personal information from the Net (Mayer-Schönberger, 2009). This right draws its origin from the French and Italian law which recognize the right to oblivion that allows a convicted criminal who has served his time and been rehabilitated to object to the publication of his conviction and confinement.
In the digital world this right acquires a new substance; it is conceived as a right to delete personal information published in the web by data subjects, particularly in social networking sites. Some authors also consider this not as a legal right, but as a value or interest worthy or protection or as a policy goal to be achieved through law or through other regulatory mechanisms (Koops, 2011, Rouvroy, 2008).
The right to be forgotten in enshrined in Article 17 of the Draft Regulation on Data Protection (‘General Data Protection Regulation’, GDPR), which was presented in 2012 by the EU Commission and its adoption is still pending.
The introduction of this right has been the subject of much debate, for it is being criticized as a threat to free speech on the Internet (see, e.g. Rosen, 2012, Fleischer, 2011). Viviane Reding, Vice-President of the EU Commission describes this right as a modest expansion of existing data privacy rights. The Court of Justice of the EU with its decision of 13 May 2014 in the Google Spain case (C-131/12) confirmed this view, interpreting the provisions of Directive 95/46/EEC in such a way as to include a right ‘to be forgotten’ on the Net.4
2. Outline of the right to be forgotten
The provision of Article 17 GDPR basically includes a right to erasure of data that requires the controller to delete personal data and preclude any further dissemination of this data, but also to oblige third parties, e.g. search engines, etc., to delete any links to, or copies or replication of that data.5
In the initial Draft it was mentioned that this right has particular relevance when the individual made data available as a child. Although this provision was deleted after the vote in the Libe Committee, it is still a fact that a right to erasure of information has particular reference in cases where the information posted by young people in social media becomes obsolete when this person grows old. In more general, embarrassing information may be the subject of a right to digital forgetting that may protect against the negative use of information relating to the past (Costa, Poullet, 2012).
This applies in five instances, which derive from data protection principles: a) where data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) where the data subject withdraws consent on which the processing is based or when the storage period consented to has expired and there is no other legal ground for the processing of the data; c) where the data subject objects to the processing of personal data; d) where a court or regulatory authority base in the Union has ruled as final and absolute that the data concerned must be erased; or e) where the data has been unlawfully processed.
The right to be forgotten which is enshrined in the GDPR is not conceived as an absolute right; thus, a number of exceptions restrict its ambit, the most important being the freedom of expression and information. There is consensus that such a right cannot amount to a right of erasure of history and turn our modern society into a society of ‘lotus eaters’ (Iglezakis, 2014), which would be the case if the Internet was programmed to forget, e.g. if Internet content was programmed to auto-expire (Fleischer, 2011). Consequently, the erasure cannot take place where the retention of the personal data is necessary for exercising the right to freedom of expression.
3. The current EU legal framework and the Google Spain of the CJEU
Authors have taken the view that the existing legal framework in the EU, i.e. the Data Protection Directive (DPD)6 does not establish a comprehensive right to effectively control the use of personal data with a view to erase them, but some provisions provide a legal basis for a limited recognition of the right to be forgotten (Ausloos, 2012).
The Court of Justice of the European Union (CJEU), on the other hand, found that the provisions of the Directive can serve as a legal basis for the right to be forgotten vis-à-vis search engine providers. In its decision on May 13 2014, in case C-131/12 (Google Spain SL, Google Inc. v. Agencia Espanola de Proteccion de Datos, Mario Costeja Gonzalez), it ruled that the ‘right to be forgotten’ is rooted in the provisions of Directive 95/46/EEC (Alsenoy et al., 2013).
In this case it was held that an Internet search engine operator is responsible for the processing that it carries out of personal data appearing on web pages published by third parties, i.e., content providers. The Court ruled that the data subject may request the removal of links, which are displayed in the list of results after a search on the basis of a person’s name.
In more particular, in response to the question whether the directive enables the data subject to request that links to web pages be removed from such a list of results on the grounds that he wishes the information appearing on those pages relating to him personally to be ‘forgotten’ after a certain time, the Court held that, if it is found, following a request by the data subject, that the inclusion of those links in the list is, at this point in time, incompatible with the directive, the links and information in the list of results must be erased.
The Court stressed out that even initially lawful processing of accurate data may, in the course of time, become incompatible with the directive where the data appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.
It also added that it should in particular be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results that is displayed following a search made on the basis of his name. If that is the case, the links to web pages containing that information must be removed from that list of results, unless there are particular reasons, such as the role played by the data subject in public life, justifying a preponderant interest of the public in having access to the information when such a search is made.
This decision has had significant repercussions; it was criticized by Wikipedia founder Jimmy Wales who called it ‘astonishing’ and free speech advocates at the Index on Censorship said this ruling “should send chills down the spine of everyone in the European Union who believes in the crucial importance of free expression and freedom of information”.7 Google received immediately after the decision was issued takedown requests, some of which are indeed ambiguous, such as the request of an ex-politician seeking re-election to have links to an article about his behavior in office removed and a man convicted of possessing child abuse images to have pages about his conviction wiped and a doctor asking negative reviews to be removed from search results.8
In order to cope with the flood of takedown requests Google launched a service to allow Europeans to ask for personal data to be removed; it created a a webform through which people can submit their requests for the erasure of links to information regarding them.9 This solution was criticized by EU regulators, since it restricted the removal of Internet links to European sites only and it notified the owners of websites that have been removed from search results when it proceeds to such removal.10
4. Perspectives
The CJEU ruling find direct application on search engines and concerns the right of the individual to erasure links to names of data subjects by a list of results displayed after a search is made on the made of his name. However, the court recognized that the data subject has to the right to object to the processing of personal data published on the Internet. As a result, data subject may invoke this ruling when filing takedown requests against content providers. It remains to be seen whether the right to be forgotten would acquire a more general scope of application even before the adoption of the Data Protection Regulation.
REFERENCES:
Ausloos, J., The ‘Right to be Forgotten’ Worth remembering?, (2012) Computer Law & Security Review 28, pp. 143-152.
Costa, L./Poullet, Y., Privacy and the regulation of 2012, (2012) Computer Law & Security Review 28, pp. 254-262.
Iglezakis, I., The right to digital oblivion and its restrictions (2014), Sakkoulas ed. (in Greek).
Koops, B.–J., Forgetting Footprints, Shunning Shadows. A Critical Analysis of the “Right to Forgotten” in Big Data Practice, (2011) scripted vol. 8, Issue 3, Dec. 2011.
Mayer-Schönberger, V., Delete: The Virtue of Forgetting in the Digital Age (2009), Princeton University Press.
Mitrou, L./Karyda, M., EU’s Data Protection Reform and the Right to be Forgotten: A Legal Response to a Technological Challenge? (February 5, 2012). 5th International Conference of Information Law and Ethics 2012, Corfu-Greece, June 29-30, 2012, online available at SSRN: http://ssrn.com/abstract=2165245
Rosen, J., Free Speech, Privacy, and the Web that Never Forgets, (2011) 9 J. on Telecomm. and High Tech. L. 345.
ENDNOTES:
4. Court of Justice of the European Union, case C-131/12 – Google Spain SL, Google Inc. v. Agencia Espanola de Proteccion de Datos, Mario Costeja Gonzalez.
6. Directive 1995/46/EC.
9. ”Google launches ‘right to be forgotten’ webform for removal requests”, theguardian, Friday 30 May, 2014, www.theguardian.com
10. See J. Fioretti, Google under fire from regulators on Eu privacy ruling, Reuters, July 24, 2014.